Google oauth - Restrict sign-in to a particular google group

Is it possible to restrict login to my web application to only the accounts that are in a Google Group?

I don't want everyone to be able to just log in with their private Gmail, but only the users who are in my Google Group.

mohamed haleem asked Jul 13 '16 09:07



1 Answer

I've been researching this; there are a few options to achieve this. First, if you are using G Suite on a hosted domain you can provide the hd parameter in the Sign-In OAuth request, and set it to your domain. This would not allow anyone with a Gmail address not @yourhost.com to authenticate. In that same step, you can request access (authorization) to make calls to the Groups API on behalf of that user (per @jwilleke's response). At that point you can use the token you get back and make a request on your back end for the private group and see if that user is part of it. If they are, let them in; if they aren't, deny access.

I've been searching for other ways to accomplish this; however, I haven't found a method that allows you to simply provide group authorization by virtue of applying some role to the OAuth client ID you spin up in GCP. The only other thing I can think of that would work is somehow creating your app in a way that allows you to provide it as a scope in your original authentication request. I know you can make your own APIs and whatnot with Cloud Endpoints; however, I'm not sure if that will ultimately get you what you want. Service providers like Ping / Okta have this kind of functionality because they can middle-man / provide the interface for the OIDC flow.

jlank answered Sep 20 '22 17:09
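The two-step check the answer above describes (hd parameter on the authorization request, then a back-end Groups API call before granting access), as an added example in Python that is not code from the original answer. Two things the answer leaves implicit are made explicit here: the hd parameter only filters the Google account chooser and can be removed by the client, so the server must re-check the hd claim in the returned ID token; and the group lookup uses the Directory API hasMember endpoint (GET .../groups/{groupKey}/hasMember/{memberKey}), which returns {"isMember": true|false} and in practice needs an admin user or domain-wide delegation, not just any user's consent. The client ID, redirect URI, domain, group address, the `http_get` callable and the `fake_directory_api` stand-in are assumptions constructed for the example so it runs offline; ID-token signature verification is assumed to have been done already by the OAuth library, and only the decoded claims are passed in.

```python
"""Restrict Google sign-in to one hosted domain and one Google Group.

Added example, not from the original answer. Assumes:
  - the hd parameter and a Directory API scope are sent on the auth request,
  - the ID token signature has already been verified by the OAuth library,
    so `claims` is the trusted decoded payload,
  - the Directory API hasMember endpoint is callable with the token in hand
    (real deployments need an admin user or domain-wide delegation).
"""
import json
from typing import Callable, Dict, Any, Tuple
from urllib.parse import urlencode, quote, unquote

GOOGLE_AUTH = "https://accounts.google.com/o/oauth2/v2/auth"
DIRECTORY_API = "https://admin.googleapis.com/admin/directory/v1"
GROUP_SCOPE = "https://www.googleapis.com/auth/admin.directory.group.member.readonly"

# http_get(url, headers) -> (status_code, body_text); injected so the example is offline
HttpGet = Callable[[str, Dict[str, str]], Tuple[int, str]]


def build_auth_url(client_id: str, redirect_uri: str, hosted_domain: str, state: str) -> str:
    """Authorization request with the hd hint and the group-membership scope."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid email " + GROUP_SCOPE,
        "hd": hosted_domain,  # UI hint only: must be re-checked in the ID token
        "state": state,       # CSRF token bound to the user's session
    }
    return GOOGLE_AUTH + "?" + urlencode(params)


def check_id_token_claims(claims: Dict[str, Any], client_id: str, hosted_domain: str) -> Tuple[bool, str]:
    """Validate the claims of an already signature-verified Google ID token."""
    if claims.get("iss") not in ("https://accounts.google.com", "accounts.google.com"):
        return False, "bad issuer"
    if claims.get("aud") != client_id:
        return False, "bad audience"
    if not claims.get("email_verified", False):
        return False, "email not verified"
    # A plain Gmail account carries no hd claim; a foreign Workspace domain carries the wrong one.
    if claims.get("hd") != hosted_domain:
        return False, "not a member of hosted domain"
    return True, "ok"


def is_group_member(http_get: HttpGet, access_token: str, group_email: str, user_email: str) -> bool:
    """Directory API hasMember: GET /groups/{groupKey}/hasMember/{memberKey} -> {"isMember": bool}."""
    url = f"{DIRECTORY_API}/groups/{quote(group_email, safe='')}/hasMember/{quote(user_email, safe='')}"
    status, body = http_get(url, {"Authorization": f"Bearer {access_token}"})
    if status != 200:
        return False  # 403/404 etc.: fail closed
    return bool(json.loads(body).get("isMember", False))


def authorize_login(claims: Dict[str, Any], access_token: str, http_get: HttpGet,
                    client_id: str, hosted_domain: str, group_email: str) -> Tuple[bool, str]:
    """Full decision: domain check from the token, then group check against the API."""
    ok, reason = check_id_token_claims(claims, client_id, hosted_domain)
    if not ok:
        return False, reason
    if not is_group_member(http_get, access_token, group_email, claims["email"]):
        return False, "not in group"
    return True, "ok"


def fake_directory_api(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Constructed stand-in for the Directory API so the example runs offline (assumption)."""
    members = {"alice@example.com"}  # constructed group roster
    if not headers.get("Authorization", "").startswith("Bearer "):
        return 401, "{}"
    user = unquote(url.rsplit("/hasMember/", 1)[1])
    return 200, json.dumps({"isMember": user in members})


if __name__ == "__main__":
    # Constructed, already signature-verified ID token payloads (assumption).
    alice = {"iss": "https://accounts.google.com", "aud": "cid", "email": "alice@example.com",
             "email_verified": True, "hd": "example.com"}
    bob = dict(alice, email="bob@example.com")
    gmail_user = {k: v for k, v in alice.items() if k != "hd"}
    gmail_user["email"] = "alice@gmail.com"
    for who in (alice, bob, gmail_user):
        print(who["email"], authorize_login(who, "tok", fake_directory_api, "cid", "example.com", "team@example.com"))
```

Because the hd check runs against the token's own claim, an attacker who strips `hd` from the browser-side request still cannot get past `check_id_token_claims`; and because `is_group_member` fails closed on any non-200 response, an expired or under-scoped token denies access rather than silently allowing it.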