Skip to content

fix(google): allow "*" wildcard in hostedDomains to accept any hd claim#4821

Open
Shivam-nagar23 wants to merge 1 commit into
dexidp:masterfrom
Shivam-nagar23:fix/google-hosted-domain-wildcard
Open

fix(google): allow "*" wildcard in hostedDomains to accept any hd claim#4821
Shivam-nagar23 wants to merge 1 commit into
dexidp:masterfrom
Shivam-nagar23:fix/google-hosted-domain-wildcard

Conversation

@Shivam-nagar23

Copy link
Copy Markdown

Overview

Allow "*" as a wildcard entry in the Google connector's hostedDomains config so that any non-empty hd claim is accepted. This brings the post-token claim check in line with the existing LoginURL behavior, which already passes hd=* to Google.

What this PR does / why we need it

When hostedDomains: ["*"] is configured, LoginURL correctly sets hd=* on the Google auth URL, which tells Google to restrict the picker to Workspace (hosted) accounts. However the post-token validation in createIdentity did a strict equality check between claims.HostedDomain and each configured entry, so the wildcard never matched a real domain and login failed with:

oidc: unexpected hd claim <domain>

This is a common ask for multi-tenant Workspace deployments where the operator wants to allow any corporate Google account (i.e. block personal @gmail.com) without enumerating every domain.

Changes:

  • Extract the validation loop into a small matchHostedDomain(claim, allowed) helper.
  • Treat a "*" entry as a wildcard that accepts any non-empty hd claim. An empty hd (personal Gmail) is still rejected when * is configured — that's the intent.
  • Add table-driven unit tests covering: exact match, exact match within multiple, no match, wildcard accepting any non-empty hd, wildcard alongside explicit domains, wildcard rejecting empty hd, and empty claim with explicit domains.

Special notes for your reviewer

  • No config-schema change. hostedDomains is already []string; this just makes "*" a meaningful value end-to-end.
  • Backwards compatible: prior to this change, "*" was never a valid hd claim value, so the new branch only fires for operators who explicitly opt in.
  • The existing LoginURL logic already uses "*" as the wildcard when multiple domains are configured (connector/google/google.go line ~180), so this PR makes the two sides of the validation consistent.

Does this PR introduce a user-facing change?

google: allow `"*"` in `hostedDomains` to accept any non-empty `hd` claim.

When the Google connector is configured with hostedDomains: ["*"], the
LoginURL already passes hd=* to Google to require a Workspace account,
but the post-token claim check at createIdentity rejected the login
with "oidc: unexpected hd claim <domain>" because the equality match
in the loop never matched the literal "*" against a real domain.

Extract the validation into a small matchHostedDomain helper and treat
"*" as a wildcard that accepts any non-empty hd claim. This lets
operators require any Workspace domain (i.e. block personal @gmail.com
accounts) without enumerating every domain in config.

Add unit tests covering exact match, wildcard, mixed wildcard +
explicit entries, and the empty-claim case (wildcard does not accept
an empty hd).

Signed-off-by: Shivam-nagar23 <shivam@devtron.ai>
@Shivam-nagar23

Copy link
Copy Markdown
Author

can any of the maintainers look at this please @sagikazarmark @lstoll @vito @fajran @SEJeff @

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant