Google hosted domain support #974
Conversation
|
Tests fail because of a lint suggestion: |
connector/oidc/oidc.go
Outdated
| @@ -33,6 +33,7 @@ type Config struct { | |||
|
|
|||
| Scopes []string `json:"scopes"` // defaults to "profile" and "email" | |||
|
|
|||
| HostedDomain string `json:"hostedDomain"` | |||
There was a problem hiding this comment.
Please add a comment describing what this field is and highlighting that it is optional
There was a problem hiding this comment.
It might be nice to support an array of domains in the configuration and then match on "at least one" in HandleCallback?
|
Please also add an explanation of the new field here. If possible please do include unit tests in oidc tests. You can refer the ldap or saml tests for reference. |
|
I added a test for |
|
Is there anything I can do to help this get merged? I am really in need of this functionality. |
| if len(c.hostedDomains) > 0 { | ||
| found := false | ||
| for _, domain := range c.hostedDomains { | ||
| if claims.HostedDomain != domain { |
There was a problem hiding this comment.
shouldn't it be if claims.HostedDomain == domain ?
@RoguePanda @rithujohn191
| @@ -33,6 +33,9 @@ type Config struct { | |||
|
|
|||
| Scopes []string `json:"scopes"` // defaults to "profile" and "email" | |||
|
|
|||
| // Optional list of whitelisted domains when using Google | |||
| // If this field is nonempty, only users from a listed domain will be allowed to log in | |||
| HostedDomains []string `json:"hostedDomain"` | |||
There was a problem hiding this comment.
should be json:"hostedDomains" (domains)
| @@ -61,6 +61,7 @@ connectors: | |||
| # clientID: $GOOGLE_CLIENT_ID | |||
| # clientSecret: $GOOGLE_CLIENT_SECRET | |||
| # redirectURI: http://127.0.0.1:5556/dex/callback | |||
| # hostedDomain: $GOOGLE_HOSTED_DOMAIN | |||
There was a problem hiding this comment.
I'm afraid this doesn't match the code. If I understand it correctly, it should be:
hostedDomains:
- $GOOGLE_HOSTED_DOMAIN
Google hosted domain support
See #959 - Google's OIDC implementation supports limiting access to a certain Google Apps / G Suite domain. This lets dex users ensure that only people in their organization can log in, and not just anyone with a Google account.