
Google Groups authorization does not work for emails from other domains

Open · 3sGgpQ8H opened this issue 5 years ago · 1 comment

Google OAuth 2.0 authentication could be used to authenticate a Google user from any domain, including Google's own gmail.com. One just needs to omit the hd=... parameter in the OAuth query.

A Google group created in a particular domain may contain emails from arbitrary domains, even ones not hosted by Google.

However, the hasMember method used by the Google Groups authorization code may check group membership only for users of the current GSuite domain. This means that Google Groups authorization is currently not able to authorize @gmail.com accounts or accounts of any Google user from domains other than the current GSuite domain.

An alternative solution would be to use the list that returns all emails in the Google group, even those that don't belong to users of the current GSuite domain or to any Google account.

This alternative solution would be less efficient, so it is worth supporting both approaches and using one or the other depending on the user's email domain.

3sGgpQ8H · Nov 28 '19 07:11
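The two-strategy check the reporter sketches above, written out as an added example (not cloudfront-auth code or the reporter's): use hasMember for addresses in the GSuite domain and fall back to paging through members.list for everyone else. The `directory` object mirrors the Admin SDK Directory API call shapes (`members.hasMember`, `members.list` with `nextPageToken`) as an assumption and is backed by a constructed in-memory fake so the code runs offline.

```javascript
// Pick the Directory API call by the caller's email domain: hasMember for
// accounts in the GSuite domain, a paged walk of members.list for external
// addresses (e.g. @gmail.com). `directory` is an assumed Admin-SDK-like object.
function emailDomain(email) {
  const at = email.lastIndexOf('@');
  return at === -1 ? '' : email.slice(at + 1).toLowerCase();
}

async function isGroupMember(directory, groupKey, email, hostedDomain) {
  if (emailDomain(email) === hostedDomain.toLowerCase()) {
    const res = await directory.members.hasMember({ groupKey, memberKey: email });
    return Boolean(res.isMember);
  }
  // External account: page through the full member list and compare emails
  // (direct members only; nested groups are not expanded here).
  let pageToken;
  do {
    const res = await directory.members.list({ groupKey, maxResults: 200, pageToken });
    for (const m of res.members || []) {
      if (m.email && m.email.toLowerCase() === email.toLowerCase()) return true;
    }
    pageToken = res.nextPageToken;
  } while (pageToken);
  return false;
}

// Constructed in-memory stand-in for the Directory API (assumption). hasMember
// only answers for the hosted domain, as the issue describes; list pages two
// members at a time so the pagination loop is actually exercised.
function fakeDirectory(hostedDomain, groups, pageSize = 2) {
  return {
    members: {
      async hasMember({ groupKey, memberKey }) {
        const inDomain = emailDomain(memberKey) === hostedDomain;
        return { isMember: inDomain && (groups[groupKey] || []).includes(memberKey.toLowerCase()) };
      },
      async list({ groupKey, pageToken }) {
        const all = groups[groupKey] || [];
        const start = Number(pageToken || 0);
        const page = all.slice(start, start + pageSize).map((email) => ({ email }));
        const next = start + pageSize < all.length ? String(start + pageSize) : undefined;
        return { members: page, nextPageToken: next };
      },
    },
  };
}

// Constructed sample group: one in-domain member, two external members.
const directory = fakeDirectory('example.com', {
  'ops@example.com': ['alice@example.com', 'bob@gmail.com', 'carol@partner.org'],
});
isGroupMember(directory, 'ops@example.com', 'bob@gmail.com', 'example.com').then(console.log);
```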

I have a possibly simpler fix which uses the Get Members Google Directory API call instead of hasMembers:

https://github.com/Widen/cloudfront-auth/pull/77

dankelleher · Sep 25 '20 04:09