Overview
Hosted domain (hd) in Google OpenID Connect
The hd (hosted domain) parameter is an OPTIONAL OpenID Connect parameter that streamlines the Authentication Request for G-Suite hosted accounts. By including the DNS domain of the G-Suite user (for example, mycollege.edu), you indicate that the Account Chooser UI should be optimized for accounts at that G-Suite DNS domain.
To optimize for G-Suite accounts generally instead of just one DNS Domain, use an asterisk:
hd=*
Hosted domain is also an OPTIONAL id_token claim that carries the G-Suite domain; it is present only if the user belongs to a G-Suite hosted domain.
You MUST NOT rely on the hd parameter in an Authentication Request to control who can access your app: it is only a UI optimization, and client-side requests can be modified.
Be sure to validate that the returned id_token has an hd claim whose value matches what you expect (e.g. mycollege.edu). Unlike the Authentication Request parameter, the id_token claim is contained within a security token signed by Google, so the value can be trusted once the token itself has been verified.
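The two sides of the point above, as an added example that is not part of this page: the hd request parameter is only a hint the client sends, while the authorization decision is made on the hd claim of an id_token that has already been verified. The claim dicts, client id, redirect URI and the helper names are constructed for illustration; in practice the claims come from a library that checks Google's RS256 signature, issuer, audience and expiry (for example google-auth's verify_oauth2_token), which this snippet does not replace.

```python
from urllib.parse import urlencode, parse_qs

# Constructed sample claims, shaped like the payload of a *verified* Google id_token.
WORKSPACE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": "example-client-id.apps.googleusercontent.com",  # placeholder client id
    "sub": "110000000000000000000",                           # constructed subject
    "email": "alice@mycollege.edu",
    "email_verified": True,
    "hd": "mycollege.edu",                                    # present: hosted account
}
CONSUMER_CLAIMS = {  # constructed: a consumer account carries no hd claim at all
    "iss": "https://accounts.google.com",
    "aud": "example-client-id.apps.googleusercontent.com",
    "sub": "110000000000000000001",
    "email": "bob@gmail.com",
    "email_verified": True,
}


def build_auth_request(client_id, redirect_uri, state, nonce, hd="mycollege.edu"):
    """Query string for the Authentication Request. 'hd' only tunes the Account
    Chooser UI (hd='*' means 'any hosted domain'); anyone can edit or drop it
    before the request reaches Google, so it grants no access control."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email",
        "state": state,
        "nonce": nonce,
        "hd": hd,
    }
    return urlencode(params)


def hosted_domain_allowed(claims, allowed_domains):
    """Authorization decision made on the signed id_token claims, after the
    token's signature, iss, aud and exp have been verified by the caller.
    A missing hd claim (consumer account) is a rejection, not a pass, and the
    e-mail suffix is never used as a substitute for the hd claim."""
    hd = claims.get("hd")
    if not isinstance(hd, str) or not hd:
        return False
    allowed = {d.lower() for d in allowed_domains}
    return hd.lower() in allowed
```

The hd value from the request never feeds the decision; only the claim from the verified token does.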
More Information
There might be more information for this subject on one of the following:
- [#1] OpenID Connect
Based on information obtained 2017-07-14.