Developers use Google's OpenID Connect to implement authentication easily, and can add an optional query parameter (hd) to the authorization request to limit the login form to a single email domain.
However, because that parameter is sent from the client, it can be altered or omitted entirely to bypass the whitelist, and could allow anyone to sign in with any email address (provided no further restrictions are in place).
When you come across a Google Login placed in front of a restricted asset, try changing the hd query parameter to a domain you control (or have access to):
https://accounts.google.com/o/oauth2/v2/auth?
response_type=code&
client_id=1234.apps.googleusercontent.com&
...
hd=company.com
Change it to example.com:
https://accounts.google.com/o/oauth2/v2/auth?
response_type=code&
client_id=1234.apps.googleusercontent.com&
...
hd=example.com
As Google's OpenID Connect documentation states, do not rely on this parameter to control access; it exists solely to optimize the login form:
Don't rely on this UI optimization to control who can access your app, as client-side requests can be modified.
Instead, control access for each service in your Google Admin Console.
Unauthorized users can sign in and impersonate authorized users, and may additionally gain access to other services within a Google Workspace group.
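The server-side counterpart to Google's advice, as an added example that is not from the original page: rather than trusting the hd request parameter, the application checks the hd claim that Google itself places in the returned ID token against an allowlist. It assumes the token's signature has already been verified (for instance by google-auth's id_token.verify_oauth2_token, which returns the decoded payload) and uses constructed claim payloads; the allowlist, the fixed clock and the sample accounts are all made up for the example, while the client_id is the one from the request shown above.

```python
import time

# Hosted domains allowed to sign in (constructed allowlist for this example).
ALLOWED_HD = {"company.com"}
# OAuth client id taken from the page's example authorization request.
CLIENT_ID = "1234.apps.googleusercontent.com"
# Issuer values Google uses in its ID tokens.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def check_google_id_token_claims(claims, allowed_hd=ALLOWED_HD,
                                 client_id=CLIENT_ID, now=None):
    """Decide whether a signature-verified Google ID token grants access.

    Assumption: `claims` is the decoded payload *after* signature verification
    (e.g. the dict returned by google-auth's id_token.verify_oauth2_token).
    Returns (accepted, reason). The hd *request parameter* is never consulted;
    only the hd *claim* asserted by Google inside the token counts.
    """
    now = time.time() if now is None else now

    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "issuer is not Google"
    if claims.get("aud") != client_id:
        return False, "token was issued to a different client"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "token expired or missing exp"
    if claims.get("email_verified") is not True:
        return False, "email address not verified by Google"

    hd = claims.get("hd")
    if not hd:
        # Consumer accounts (@gmail.com and similar) carry no hd claim at all,
        # so "missing" must be treated as "not allowed", not as "no opinion".
        return False, "no hosted-domain claim: not a Workspace account"
    if hd.lower() not in {d.lower() for d in allowed_hd}:
        return False, f"hosted domain {hd!r} is not on the allowlist"

    # Defence in depth: the email's domain must agree with the hd claim.
    email = claims.get("email", "")
    if "@" not in email or email.rsplit("@", 1)[1].lower() != hd.lower():
        return False, "email domain does not match hd claim"

    return True, "ok"


# --- constructed sample payloads (no real users or tokens) ------------------
NOW = 1_700_000_000  # fixed clock so the samples behave the same on every run


def _claims(email, hd, **extra):
    base = {
        "iss": "https://accounts.google.com",
        "aud": CLIENT_ID,
        "sub": "000000000000000000001",
        "email": email,
        "email_verified": True,
        "exp": NOW + 3600,
    }
    if hd is not None:
        base["hd"] = hd
    base.update(extra)
    return base


EMPLOYEE = _claims("alice@company.com", "company.com")
# What comes back when the request's hd was changed to example.com:
OTHER_WORKSPACE = _claims("mallory@example.com", "example.com")
CONSUMER = _claims("bob@gmail.com", None)                 # no hd claim at all
SPOOFED = _claims("mallory@example.com", "company.com")   # hd/email mismatch
EXPIRED = _claims("alice@company.com", "company.com", exp=NOW - 1)

if __name__ == "__main__":
    samples = [("employee", EMPLOYEE), ("other workspace", OTHER_WORKSPACE),
               ("consumer", CONSUMER), ("spoofed", SPOOFED), ("expired", EXPIRED)]
    for name, payload in samples:
        print(f"{name:16} -> {check_google_id_token_claims(payload, now=NOW)}")
```

Only the first sample is accepted; the sign-in that went through with hd=example.com in the request is rejected because Google's own hd claim says example.com, and a consumer account is rejected because the claim is absent. Restricting the app in the Google Admin Console, as the quoted guidance says, and this claim check complement each other: the console setting stops the rest of the Workspace from reaching the app, while the claim check stops accounts outside the Workspace entirely.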