Tags: node.js, google-api, google-oauth

Get user's organisation details (e.g. identifier and/or domain) from googleapis without userinfo.profile scope


I'm looking to retrieve an identifier of some description that allows me to see what Google organisation a user is a part of. The purpose of this identifier is to identify when multiple users are part of the same Google organisation.

At the moment here is what I'm doing:

const { google } = require('googleapis');
// oauth2 stuff above: `auth` is an OAuth2 client with the user's tokens already set
const oauth2 = google.oauth2({ version: 'v2', auth });
const userInfo = await oauth2.userinfo.get({});
const {
  data: { email, hd }, // hd = hosted domain; absent for consumer (gmail.com) accounts
} = userInfo;

This returns the domain (hd) but it requires the https://www.googleapis.com/auth/userinfo.profile scope. This scope requests access to all the user's public info including gender, name, profile pic and more.

Is there a better way to do this? Is there a scope that I can use that only asks to access the organisation id in Google or something?

This identifier needs to be unique to the overall Gsuite/Workspace organisation (or, obviously empty/null if it's a gmail account, not a Gsuite/Workspace account).

Thanks in advance!


Solution

  • If you request the scopes openid email, then the hd claim is included in the ID Token and you don't need to call the UserInfo endpoint at all.

    And yes, checking the hd claim is the right approach to find out whether a user account is managed by Cloud Identity/Workspace.
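As an added example (not code from the question or the answer), here is a Node.js function that derives the organisation identifier from the hd claim of an ID token obtained with the scopes openid email. It assumes the token's signature has already been verified (in production, google-auth-library's OAuth2Client.verifyIdToken does that and returns the claims via ticket.getPayload()); the function names, client id and sample tokens are constructed for illustration.

```javascript
// Added example: derive an organisation identifier from the hd claim of a
// Google ID token obtained with the scopes `openid email`. Assumes the token's
// signature has already been verified (in production use google-auth-library's
// OAuth2Client.verifyIdToken and read ticket.getPayload()); the claim checks
// below are the ones that remain after that. Names and sample tokens are constructed.
const GOOGLE_ISSUERS = ['https://accounts.google.com', 'accounts.google.com'];

function base64urlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Decode the payload segment of a JWT. This does NOT check the signature.
function decodeIdTokenPayload(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(base64urlDecode(parts[1]));
}

// Returns the Workspace/Cloud Identity domain the user is managed by, or null
// for a consumer (gmail.com) account. Throws when the claims must not be trusted.
function organisationFromClaims(claims, { audience, now = Math.floor(Date.now() / 1000) } = {}) {
  if (!GOOGLE_ISSUERS.includes(claims.iss)) throw new Error('unexpected issuer');
  if (claims.aud !== audience) throw new Error('token was issued for another client');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('token expired');
  if (claims.email_verified !== true) throw new Error('email not verified by Google');
  // hd is only present for managed accounts; do not infer it from the email domain,
  // since a managed user may sign in with an address on a secondary domain.
  return claims.hd ? claims.hd.toLowerCase() : null;
}

function organisationFromIdToken(idToken, opts) {
  return organisationFromClaims(decodeIdTokenPayload(idToken), opts);
}

// Constructed, unsigned sample tokens for illustration only.
function sampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.signature`;
}
const AUD = 'example-client-id.apps.googleusercontent.com'; // placeholder client id
const EXP = 4102444800; // 2100-01-01, so the samples stay "valid" for the demo
const workspaceToken = sampleToken({ iss: 'https://accounts.google.com', aud: AUD, exp: EXP,
  email: 'alice@example.com', email_verified: true, hd: 'example.com' });
const consumerToken = sampleToken({ iss: 'https://accounts.google.com', aud: AUD, exp: EXP,
  email: 'bob@gmail.com', email_verified: true });
```

Two users whose result is the same non-null domain belong to the same organisation; a null result means a consumer account with no organisation to compare.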