Google: extended `hd` whitelisting support

[drzraf]

hd parameters allow to limit allowed users to those belonging to one specific GSuite domain (other values like * or unset allow every user). This is done by vendor/league/oauth2-google/src/Provider/Google.php::assertMatchingDomain() which is the last instruction done before Provider::getResourceOwner() returns.

This is not as flexible as possible as it may be desirable to provide whitelisted domains either as a list or a regexp, ... A flexible and future-proof solution would be to simply allow user-provided function to define this behavior (taking OIDC user-data as parameters and returning a boolean about whether user is accepted).

Do you think there could be room, either inBaseProvider.php or GoogleProvider.php for such an improvement?

[rhukster]

Please submit a PR against GoogleProvider for now.

[drzraf]

https://github.com/thephpleague/oauth2-google/pull/76

[drzraf]

Any comment on upstream PR?

[drzraf]

Up. Since upstream considered this to be up to library's consumers, could you please reconsider?

[drzraf]

ping

[rhukster]

Is there a PR to review?

[mahagr]

@drzraf What is the status of this one?

[drzraf]

If you feel that upstream rejection means it'd be adequate to do it within grav-plugin-login-oauth2 and likely to be merged, then I could try to come up with a PR. Please let me know in advance if you've any guidance and/or preferred way to resolve it.

[mahagr]

If it was rejected, we shouldn't add the feature. But that said, if they figured out another method to add it, I'm not against adding the support.

[drzraf]

They didn't reject the feature per-se but the implementation. Still the question is whether this sounds useful to other users.

I manage the GSuite for an organization which have multiple domains and users belonging to these domains. Without a patch I can't offer cross-domain logging (whitelisting more than one domain)