Implement HD parameter for Google Socialite Login #2868

Closed
opened 2026-02-05 05:31:40 +03:00 by OVERLORD · 6 comments

Originally created by @LeafedFox on GitHub (Jun 22, 2022).

Describe the feature you'd like

Ability to specify a value for the HD parameter for Google Login to restrict users to a Google Workspace organisation, e.g. `GOOGLE_HD=example.com` in `.env`

Describe the benefits this would bring to existing BookStack users

Ability to utilise Google login whilst restricting to the internal organisation, without having to resort to setting up SAML

Can the goal of this request already be achieved via other means?

No

Have you searched for an existing open/closed issue?

  • I have searched for existing issues and none cover my fundamental request

How long have you been using BookStack?

Not using yet, just scoping

Additional context

No response
OVERLORD added the 🔨 Feature Request label 2026-02-05 05:31:40 +03:00
@ssddanbrown commented on GitHub (Jun 22, 2022):

Hi @ItsGageH,

It's not clear what `hd` parameter this refers to. Google lists a `hd` authentication URI parameter [in their OIDC docs](https://developers.google.com/identity/protocols/oauth2/openid-connect?hl=en#hd-param), but not in their standard OAuth docs, which share an endpoint (although we might be using an older endpoint). This documented parameter is stated to be a UI optimization only, not a way to control/verify workspace. There looks to be a `hd` param provided in the id token for OIDC, but it would require us to go out of the way to verify that in our standard non-OIDC OAuth flow here.

> without having to resort to setting up SAML

If it's going to be your primary auth method, with all users coming from your Google workspace, it might be worth using SAML or OIDC (if that allows the same control) in the long run for a smoother experience. I am surprised though that Google does not offer you control to limit the OAuth app used for social login to your workspace as required.
As an extra note, if your users are limited to specific domains, you can use the domain restriction option within BookStack itself.

Either way, to be honest I'm hesitant to expand support for additional options or providers for our social auth options.
Through our [logical theme system](https://github.com/BookStackApp/BookStack/blob/development/dev/docs/logical-theme-system.md#custom-socialite-service-example) it's possible to register custom providers, so you could register a tweaked version of the default Google provider if happy to hack around with PHP.
@LeafedFox commented on GitHub (Jun 23, 2022):

Hey @ssddanbrown,

It was more in reference to the Socialite side of things. `Socialite::driver`, for example, can accept a HD param that is passed to Google. I believe it stands for 'Home Domain' or something along those lines. Essentially it instructs Google to restrict users to only those that are in the Workspace of 'example.com'. Laravel's docs provide some info here: https://laravel.com/docs/9.x/socialite#optional-parameters
@ssddanbrown commented on GitHub (Jun 23, 2022):

@ItsGageH As far as I can tell Socialite does not have any built-in handling specifically for a `hd` parameter.

The example shown in the docs is showing how to apply any required query parameters to the redirect request. This simply then makes use of the `hd` query parameter as linked above, which alone will not securely limit Google to a single workspace. End users could just modify the redirect request to alter the domain to work around any limiting/control this option might provide. It is a UI optimization only.
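To make the distinction in the comment above concrete, here is an added example (not BookStack's code and not from this thread) of a Laravel controller that passes `hd` on the redirect purely as a hint and then enforces the Workspace restriction server-side on the profile Google returns. It assumes a hypothetical `services.google.hd` config value populated from `GOOGLE_HD` in `.env`, and that the raw user array Socialite exposes from Google's userinfo response carries the `hd` and `email_verified` fields.

```php
<?php
// Added example: enforce a Google Workspace domain in the OAuth callback rather
// than trusting the `hd` query parameter sent on the redirect.
// Assumes config('services.google.hd') (hypothetical key) is set from GOOGLE_HD
// and that Socialite's raw user array contains Google's `hd` field.

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Http\RedirectResponse;
use Laravel\Socialite\Facades\Socialite;

class GoogleWorkspaceLoginController extends Controller
{
    public function redirect(): RedirectResponse
    {
        // `hd` only pre-filters Google's account chooser; the user can edit the
        // redirect URL, so it must not be treated as an access control.
        return Socialite::driver('google')
            ->with(['hd' => config('services.google.hd')])
            ->redirect();
    }

    public function callback(): RedirectResponse
    {
        $googleUser = Socialite::driver('google')->user();

        if (!self::belongsToWorkspace($googleUser->user, $googleUser->getEmail(), (string) config('services.google.hd'))) {
            abort(403, 'Google account is not part of the required Workspace.');
        }

        // ... look up or create the local user and log them in.
        return redirect('/');
    }

    /**
     * Authoritative check on what Google returned, not on what we sent.
     * Personal Gmail accounts carry no `hd`, so they are rejected; an `hd`
     * that disagrees with the verified e-mail domain is rejected as well.
     */
    public static function belongsToWorkspace(array $raw, ?string $email, string $allowedHd): bool
    {
        $hd = strtolower((string) ($raw['hd'] ?? ''));
        $emailDomain = strtolower(substr((string) strrchr((string) $email, '@'), 1));
        $verified = ($raw['email_verified'] ?? false) === true;

        return $allowedHd !== '' && $hd === strtolower($allowedHd) && $emailDomain === $hd && $verified;
    }
}
```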
@LeafedFox commented on GitHub (Jun 23, 2022):

@ssddanbrown Thanks for the info. I've taken a look into setting up SAML with Google, but getting stuck on login with Google returning an Error: app_not_configured_for_user, even though all the settings appear to be correct. Is this something you've encountered before? Google doesn't appear to bring any useful results.
@ssddanbrown commented on GitHub (Jun 23, 2022):

@ItsGageH I've seen a previous [report for that here](https://github.com/BookStackApp/BookStack/issues/3366). As per my comment there it's worth checking against Google's own documentation for that specific error message.
@ssddanbrown commented on GitHub (Jun 28, 2022):

Since there's been no follow-up required I'm going to close this. If you need any further help or have further queries just comment, and this can be re-opened if required.
Reference: starred/BookStack#2868