To restrict Google SSO sign-ins to specific email domains using WorkOS, you can implement a domain check after the user has authenticated with Google but before you allow them access to your application. Here's a general approach to achieve this:
- Set Up Google SSO with WorkOS: Ensure that you have Google SSO set up correctly with WorkOS. This involves configuring your Google OAuth credentials and setting up the necessary routes in your application.
- Post-Authentication Domain Check: After a user successfully authenticates with Google, you'll receive their email address. You can then check whether the email domain is in your list of allowed domains.
- Implement the Domain Check: Here's a simple example in a Node.js/Express application:

```javascript
const express = require('express');
// `getUserInfo` is assumed: a helper (not shown) that retrieves the authenticated
// user's profile from WorkOS after the Google SSO callback.
const { getUserInfo } = require('./workos-helpers');

const app = express();
// Keep the allow list lower-case; the email is normalized the same way below.
const allowedDomains = ['approveddomain.com', 'anotherapproved.com'];

app.post('/auth/callback', async (req, res) => {
  try {
    const userInfo = await getUserInfo(req);
    const userEmail = typeof userInfo.email === 'string'
      ? userInfo.email.trim().toLowerCase()
      : '';
    // The domain is everything after the last '@'; no '@' means no usable domain.
    const at = userEmail.lastIndexOf('@');
    const userDomain = at >= 0 ? userEmail.slice(at + 1) : '';

    if (userDomain && allowedDomains.includes(userDomain)) {
      // Proceed with login
      res.send('Login successful');
    } else {
      // Deny access and record the attempt for monitoring
      console.warn('SSO sign-in denied for domain:', userDomain || '(none)');
      res.status(403).send('Access denied: Unauthorized domain');
    }
  } catch (error) {
    console.error('Error during authentication:', error);
    res.status(500).send('Internal Server Error');
  }
});
```
- Security Considerations: Make sure the domain check cannot be bypassed (compare the full, normalized domain exactly against your allow list rather than by substring or suffix, and use only the email address WorkOS returns from the identity provider) and that you handle any potential errors gracefully. It's also a good idea to log unauthorized access attempts for monitoring purposes.
- Testing: Thoroughly test your implementation to ensure that only users with email addresses from the allowed domains can access your application.
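As an added example (not part of the original answer and not WorkOS code), here is the domain check from the steps above factored into a standalone function that normalizes the address, refuses malformed input, matches the allow list exactly, and produces a structured record for denied attempts that can be handed to your logger. The `ALLOWED_DOMAINS` values and the `sso.domain_denied` event name are assumptions for illustration.

```javascript
// Assumed allow list for this example; compare against lower-case entries.
const ALLOWED_DOMAINS = new Set(['approveddomain.com', 'anotherapproved.com']);

// Return the normalized domain of an email address, or null if unusable.
// The domain is taken after the LAST '@' so a quoted local part such as
// "a@b"@approveddomain.com is not mistaken for the domain 'b"'.
function emailDomain(email) {
  if (typeof email !== 'string') return null;
  const trimmed = email.trim();
  const at = trimmed.lastIndexOf('@');
  if (at <= 0 || at === trimmed.length - 1) return null;
  let domain = trimmed.slice(at + 1).toLowerCase();
  // A trailing dot is the fully-qualified spelling of the same name.
  if (domain.endsWith('.')) domain = domain.slice(0, -1);
  // Only plain ASCII hostname labels are accepted here; an internationalized
  // domain would have to be converted to its punycode form before this check.
  if (!/^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(domain)) return null;
  return domain;
}

// Decide whether a sign-in may proceed. Exact set membership means
// 'evil-approveddomain.com' or 'approveddomain.com.evil.example' never
// match the way a suffix or substring test could let them.
function checkSignIn(email, allowed = ALLOWED_DOMAINS) {
  const domain = emailDomain(email);
  if (domain === null) {
    return { allowed: false, domain: null, reason: 'unparseable-email' };
  }
  if (!allowed.has(domain)) {
    return { allowed: false, domain, reason: 'domain-not-allowed' };
  }
  return { allowed: true, domain, reason: 'ok' };
}

// Build the record to log for a denied attempt. The local part is masked so
// the log holds the domain and reason without the full personal address.
function deniedAttemptRecord(email, result, now = new Date()) {
  return {
    event: 'sso.domain_denied',
    at: now.toISOString(),
    domain: result.domain,
    reason: result.reason,
    emailHint: typeof email === 'string' ? email.replace(/^[^@]*/, '***') : null,
  };
}
```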
By following these steps, you can effectively restrict Google SSO sign-ins to users from specific email domains using WorkOS.