nicolasblanco opened this issue 4 years ago (status: Open)
Sorry for the delay on this, but I think this would be great 👍
Hi,

I was taking a look at implementing this and noticed something about the way Omniauth does things. They seem to be using the `hd` parameter as a way of validating the allowed domains, even going so far as to allow the parameter to be an array.

As far as I can tell from the Google documentation, the `hd` parameter is meant to customize the UI for a particular domain and should be a string that is either a single domain or an asterisk (for generic G Suite accounts).

What would you think about allowing another provider option called `allowed_hd` that could be one of the following:

Then the `hd` value sent back by the token could be validated if this option was specified. If the option is not specified then any domain is allowed.
Hello folks.

In the README it's written:

If I look at the Ruby Google OAuth2 Omniauth strategy (Ueberauth philosophy is based on Omniauth, for people who don't know), we can see that the strategy is validating the `hd` parameter during the callback phase and raising an exception if the domain is invalid: https://github.com/zquestz/omniauth-google-oauth2/blob/master/lib/omniauth/strategies/google_oauth2.rb#L213

So my question is: do you think this strategy should also validate the `hd` parameter like the Ruby one? Would you accept a PR which would implement such behaviour?

Thanks!