How to restrict Google Sign In to a domain with Expo?


#1

I am using Expo Google Sign In to authorize users inside my app, but in my organization I would like to restrict it to only users from a particular domain, for example @yourcompany.com. How can I do it?


#2

In the past, I believe there was a way to do this by adding a query parameter to your request. But a user can override it by using the gmail domain.

You can find more details here. I haven’t personally tried this solution, so please let me know how it goes.

https://developers.google.com/identity/protocols/OpenIDConnect

If this is important to you, you may have to write your own authentication middleware to intercept authentication requests and whitelist domains.


#3

Thanks for the advice, I have sure given it some thought and I came up with two solutions.

Solution 1 (based on yours):

Use Expo’s AuthSession object (with the hd (Hosted domain) parameter) to make the OAuth request, but this approach has some side effects, like needing to make another request to get the accessToken and refreshToken via serverAuthCode. It is indeed a pure OAuth flow, but you need to make sure to get it yourself.

Solution 2:

Use Expo’s Google object to authorize the user; on success, check the email (with a RegEx) from the profile information. If it matches, let the user go further; if not, throw new Error().
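Since the hd request parameter is only a hint that a user can override, the domain has to be enforced on the token Google returns, not just on the email string. The added example below (not code from this thread or from Expo) assumes a Node.js backend that has already verified the ID token signature (for instance with google-auth-library) and then inspects its claims: the hd claim must equal the organization's domain, the email must be verified, and the email domain must agree with hd. A consumer Gmail account, even one with a verified address under the company domain, carries no hd claim and is rejected.

```javascript
// Added example: enforce a Google Workspace hosted domain on ID token claims.
// Assumes Node.js and that the token's signature was verified beforehand;
// this code only inspects the payload it is handed.

// Decode the payload segment of a JWT (base64url). No signature check here.
function decodeJwtPayload(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// True only when the claims prove membership of allowedDomain:
// hd present and equal to the domain, email_verified true, and the
// email's domain matching hd. Matching the email alone is not enough,
// because a consumer account can hold any verified address.
function isFromHostedDomain(claims, allowedDomain) {
  const domain = allowedDomain.toLowerCase();
  if (typeof claims.hd !== 'string') return false; // consumer account: no hd claim
  if (claims.hd.toLowerCase() !== domain) return false;
  if (claims.email_verified !== true) return false;
  if (typeof claims.email !== 'string') return false;
  const at = claims.email.lastIndexOf('@');
  if (at < 0) return false;
  return claims.email.slice(at + 1).toLowerCase() === domain;
}

// Helper to build a constructed, unsigned token for local testing only.
function makeUnsignedToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none' })}.${enc(payload)}.`;
}

// Constructed sample: a Workspace user of yourcompany.com passes, a Gmail user fails.
const sampleOk = makeUnsignedToken({
  email: 'alice@yourcompany.com', email_verified: true, hd: 'yourcompany.com',
});
console.log(isFromHostedDomain(decodeJwtPayload(sampleOk), 'yourcompany.com')); // true
```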

