
Google Cloud Identity

Mandaitor integrates with Google Cloud Identity and Google Workspace for organizations in the Google ecosystem, as well as consumer Google accounts.

When to Use Google

  • Startups and SaaS companies using Google Workspace as their corporate directory
  • Consumer-facing applications where users sign in with Google
  • Organizations on Google Cloud Platform

Configuration

curl -X PUT https://api.mandaitor.io/v1/tenants/{tenantId}/identity-providers \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "enabled_providers": ["API_KEY", "COGNITO", "GOOGLE"],
    "google": {
      "client_id": "your-google-client-id.apps.googleusercontent.com",
      "hosted_domain": "company.com"
    }
  }'

The hosted_domain field is optional. When set, only users from that Google Workspace organization can authenticate. Omit it to allow any Google account.

Token Validation

  1. Provider detection: Authorizer detects accounts.google.com issuer
  2. JWKS verification: Signature verified against Google's JWKS (googleapis.com/oauth2/v3/certs)
  3. Claims extraction: sub, email, name, hd (hosted domain), email_verified
  4. Hosted domain check: If configured, hd claim must match
  5. Identity resolution: Mapped to oidc:google:<sub> canonical subject ID

SDK Usage

// User authenticates with Google and gets an ID token
const googleToken = await googleAuth.getIdToken();

// Exchange for a delegation token
const delegation = await mandaitorClient.exchangeToken({
  subject_token: googleToken,
  mandate_id: "mdt_abc123",
});

Google Workspace Integration

For Google Workspace organizations, setting hosted_domain ties access to the hd (hosted domain) claim, so only users from your organization can create mandates. Combined with the Google Workspace admin console, you can manage which users have access to Mandaitor.