Does Directus validate hd parameter in returned ID token for OAuth2 SSO?

[chrisbartley]

Just wondered whether someone could confirm that Directus does indeed validate the hd (hosted domain) parameter in the returned OAuth2 ID token? From what I can tell, it does, and that's magical and wonderful and yet another reason I freaking love Directus ♥️

More detail: My users all have accounts within a particular Google Workspace. So, they're Google accounts, but with a single, specific domain name in the email address. I added SSO support to my Directus instance, following the instructions for Google OpenID. Added the suggested params from step 7, with values specific to my use case, but also added this extra one so that the hd param gets sent along to streamline the login process:

AUTH_GOOGLE_PARAMS : {hd: 'mydomain.com'}

And that all works great. Go to the app, there's now a Log In with Google button, and clicking it takes me directly to my company's login screen, and logging in bounces me right back to the Directus admin. Amazing 👏

The docs for the hd param warn that you shouldn't "rely on this UI optimization to control who can access your app, as client-side requests can be modified". And so you should validate that the returned ID token has an hd claim that matches. I tested by doing exactly that...manually modifying the request to remove the hd param from the query string, and logged into a Google account that's not part of the company Google Workspace, and, when bounced back to Directus, I saw that Directus gave an error saying that the user was not authorized. Excellent!

So, from all that, it appears the Directus is indeed validating the hd param, as specified in step 5 of Google's docs for validating the ID token, yes?

Thanks!

[chrisbartley]

Bah, sorry. Posted in the wrong place, but I can't seem to delete this one. Reposted as discussion #11948