The following is a checklist of steps to take when using Google Sign-In with work accounts for a custom-developed IT application. If you are developing a mobile app, refer to the best practices for mobile as well.
- Include your G Suite domain in your OpenID Connect request so the
Google authentication service will only display accounts in that domain.
This is done using the
hdparameter with the REST endpoint, the
setHostedDomainbuilder method on Android, and the
hostedDomainproperty on iOS.
- When you get an OpenID Connect assertion from Google, double check that
the Google authentication service has confirmed it is an account controlled
by the administrators of that domain name. This check is done server side by
hdfield in the token to verify the domain is what you expected. See Authenticate with a backend server for details.
Optional, but strongly recommended: add the application to the allowlist so that your users will not see a confirmation screen when they sign in. This step, combined with the previous steps, ensures that users of your IT application can automatically sign in. To add your app to the allowlist:
- From your G Suite domain’s Admin console, go to Main menu > Security > API controls.
- In the Domain wide delegation pane, select Manage Domain Wide Delegation.
- Click Add new.
- In the Client ID field, enter the OAuth client ID you registered for
the application. A client ID is normally a string of letters and numbers
- In the API Scopes field, type the following string:
openid,profile,email. If your app needs to request additional scopes to access Google APIs, specify them here as well.
- Click Authorize. The authorization will take effect in about 30 minutes.