Comment by johnmaguire 2 days ago
>> I think certain service providers might have made the assumption that if a user belongs to a certain domain that also means they belong to a certain workspace, but that is clearly not a valid assumption.
> If you need to validate that the ID token represents a Google Workspace or Cloud organization account, you can check the `hd` claim, which indicates the hosted domain of the user. This must be used when restricting access to a resource to only members of certain domains. The absence of this claim indicates that the account does not belong to a Google hosted domain.
https://developers.google.com/identity/gsi/web/guides/verify...
FWIW, I worked on SSO products for nearly 5 years and am pretty familiar with this space.
Your quote does not actually contradict my original statement, full reply here: https://news.ycombinator.com/item?id=42743263
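The `hd` check Google's documentation describes, as an added example that is not part of this comment, the linked reply, or Google's own code. It contrasts the flawed check (inferring workspace membership from the email's domain suffix) with the documented one (requiring the `hd` claim and matching it against an allowlist). The claim sets, the client ID and the allowlist are constructed for the example; signature verification against Google's JWKS is assumed to have already been done by a library such as google-auth before these functions see the claims.

```python
import time

# Constructed values for this example; a real app uses its own OAuth client ID
# and its own allowlist of hosted domains.
CLIENT_ID = "1234567890-example.apps.googleusercontent.com"
ALLOWED_HOSTED_DOMAINS = {"example.com"}
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def verify_basic_claims(claims, now=None):
    """Checks assumed to run on every ID token before any domain logic.
    The JWT signature is NOT verified here: in practice a library that fetches
    Google's JWKS (e.g. google-auth) must validate it first, and only then are
    the decoded claims trusted enough to inspect."""
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False
    if claims.get("aud") != CLIENT_ID:
        return False
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False
    return True


def naive_domain_check(claims, allowed=ALLOWED_HOSTED_DOMAINS):
    """The flawed approach: infer workspace membership from the email suffix.
    A consumer Google account can be registered with an address at any domain,
    so this accepts users who are not members of the workspace at all."""
    email = claims.get("email", "")
    return "@" in email and email.rsplit("@", 1)[1].lower() in allowed


def hd_domain_check(claims, allowed=ALLOWED_HOSTED_DOMAINS):
    """The documented approach: require the hd claim and match it against the
    allowlist. Absence of hd means the account is not in a hosted domain."""
    hd = claims.get("hd")
    if not isinstance(hd, str) or not hd:
        return False
    return hd.lower() in {d.lower() for d in allowed}


def authorize(claims, now=None):
    """Full decision for a domain-restricted resource: basic claims, then hd."""
    return verify_basic_claims(claims, now) and hd_domain_check(claims)


# Constructed sample claim sets (not real tokens).
NOW = 1_700_000_000
BASE = {"iss": "https://accounts.google.com", "aud": CLIENT_ID,
        "exp": NOW + 600, "email_verified": True}
# Workspace member: Google sets hd to the organisation's domain.
WORKSPACE_USER = {**BASE, "sub": "1", "email": "alice@example.com",
                  "hd": "example.com"}
# Consumer account created with a custom address at the same domain: no hd.
CONSUMER_WITH_CUSTOM_EMAIL = {**BASE, "sub": "2", "email": "mallory@example.com"}
# Member of a different workspace.
OTHER_WORKSPACE_USER = {**BASE, "sub": "3", "email": "bob@other.example",
                        "hd": "other.example"}
EXPIRED_WORKSPACE_USER = {**WORKSPACE_USER, "exp": NOW - 1}

if __name__ == "__main__":
    samples = [("workspace user", WORKSPACE_USER),
               ("consumer w/ custom email", CONSUMER_WITH_CUSTOM_EMAIL),
               ("other workspace", OTHER_WORKSPACE_USER),
               ("expired workspace user", EXPIRED_WORKSPACE_USER)]
    for name, c in samples:
        print(f"{name:26} naive={naive_domain_check(c)!s:5} "
              f"hd={hd_domain_check(c)!s:5} authorize={authorize(c, NOW)}")
```

The second sample is the case the quoted comment is about: the email suffix matches the allowlist, so the naive check admits the account, while the `hd` check rejects it because no hosted domain is present.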