Hosted domain


Hosted domain (hd)

Google OpenID Connect#

The hd (hosted domain) is an OPTIONAL OpenID Connect parameter streamlines the Authentication Request process for G-Suite hosted accounts. By including the DNS Domain of the G-Suite user (for example, mycollege.edu), you can indicate that the account selection UI should be optimized for accounts at that G-Suite DNS Domain. To optimize for G-Suite accounts generally instead of just one DNS Domain, use an asterisk: hd=*.

Hosted domain is also an OPTIONAL id_token Claim that represents the G-Suite DNS Domain which is provided only if the user belongs to a G-Suite Hosted domain.

Hosted domain in an Authentication Request MUST NOT rely on this UI optimization to control who can access your app, as client-side requests can be modified. Be sure to validate that the returned Id_token has an hd claim value that matches what you expect (e.g. mycolledge.edu). Unlike the Authentication Request parameter, the id_token claim is contained within a security token from Google, so the value can be trusted.

More Information#

There might be more information for this subject on one of the following: