Comment by nodamage
4 days ago
> And people are telling you that this is not possible with the Google public OAuth API.
Yes I understand, however it is possible to integrate Slack and Google SSO in such a way that it checks that the user belongs to the correct workspace, correct? Either via the SAML integration (https://support.google.com/a/answer/6357481) or an internal Google OAuth integration? The purpose of the public Google OAuth API as opposed to the previous two options is to allow logins from non-workspace or cross-workspace Google accounts, correct?
No, there's no way to check which workspace is in use, just that the domain matches. That's the problem.
Only if you use the Google public OAuth integration. If you instead use the SAML integration with Slack as described in the link above you don’t have this problem.
Bingo! Now looking back to your original comment, this is what I was trying to clarify:
> I agree, I don't think this is a problem with Google's OAuth implementation, it's a problem with the service providers who authenticate users via the mere existence of an email address ending in @company.com without checking if the email address actually belongs to an active employee.
It's a problem with Google's public OAuth implementation when used for private workspace accounts, despite Google's docs stating that this is a valid use. :)
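To make the distinction drawn in this thread concrete, here is an added example (not code from the thread or from Google or Slack) of the relying-party decision a service makes after a Google sign-in. It assumes the ID token's signature, issuer, audience and expiry have already been verified by a library such as google-auth's `verify_oauth2_token`, and that only the resulting claims dict is passed in. The `hd` (hosted domain) and `email_verified` claims are real Google ID token claims; the domain `example.com`, the sample claims and the `ACTIVE_EMPLOYEES` set are constructed stand-ins for the relying party's own directory of active staff.

```python
"""Relying-party checks on Google sign-in claims (added example).

The domain-only check is all a public-OAuth integration can verify by itself:
Google vouches for the email and says which hosted domain it belongs to, but
says nothing about whether that mailbox is still an active workspace member.
The membership check adds the lookup the thread argues service providers skip.
"""

# Constructed workspace domain for the example.
EXPECTED_HD = "example.com"

# Constructed stand-in for the service's own record of active employees
# (in practice fed by the IdP's directory, SCIM provisioning, or SAML
# assertions, which is where the workspace-aware integration helps).
ACTIVE_EMPLOYEES = {"alice@example.com", "bob@example.com"}


def domain_only_check(claims, expected_hd=EXPECTED_HD):
    """Return (accepted, reason) using only what the Google claims carry.

    This proves the account is Google-verified and in the expected hosted
    domain; it cannot prove the holder is an active employee."""
    if not claims.get("email_verified"):
        return False, "email not verified by Google"
    if claims.get("hd") != expected_hd:
        return False, "hosted domain mismatch"
    email = claims.get("email", "").lower()
    if not email.endswith("@" + expected_hd):
        return False, "email domain does not match hd"
    return True, "domain matches"


def workspace_membership_check(claims, expected_hd=EXPECTED_HD,
                               directory=ACTIVE_EMPLOYEES):
    """Domain check plus an explicit lookup against the active-member directory.

    A matching domain alone is not enough: a departed employee's account, or
    any account Google still reports under that hosted domain, passes the
    domain check but must fail here."""
    ok, reason = domain_only_check(claims, expected_hd)
    if not ok:
        return False, reason
    if claims["email"].lower() not in directory:
        return False, "not an active employee in directory"
    return True, "active member of workspace"


# Constructed sample claims, as a verifying library would return them.
ACTIVE = {"sub": "1", "email": "alice@example.com",
          "email_verified": True, "hd": "example.com"}
DEPARTED = {"sub": "2", "email": "carol@example.com",
            "email_verified": True, "hd": "example.com"}
OUTSIDER = {"sub": "3", "email": "mallory@gmail.com",
            "email_verified": True}  # consumer account: no hd claim

if __name__ == "__main__":
    for label, claims in (("active", ACTIVE), ("departed", DEPARTED),
                          ("outsider", OUTSIDER)):
        print(f"{label:8} domain-only: {domain_only_check(claims)}  "
              f"membership: {workspace_membership_check(claims)}")
```

Run stand-alone, the departed-employee case is the one to look at: it passes `domain_only_check` and fails `workspace_membership_check`, which is exactly the gap between "the domain matches" and "this account belongs to an active member of the workspace."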