connector/oidc: fix hosted domain support.

connector/oidc/oidc.go

@@ -35,7 +35,7 @@ type Config struct {
 
 	// Optional list of whitelisted domains when using Google
 	// If this field is nonempty, only users from a listed domain will be allowed to log in
-	HostedDomains []string `json:"hostedDomain"`
+	HostedDomains []string `json:"hostedDomains"`
 }
 
 // Domains that don't support basic auth. golang.org/x/oauth2 has an internal
@@ -198,7 +198,7 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide
 	if len(c.hostedDomains) > 0 {
 		found := false
 		for _, domain := range c.hostedDomains {
-			if claims.HostedDomain != domain {
+			if claims.HostedDomain == domain {
 				found = true
 				break
 			}

examples/config-dev.yaml

@@ -67,7 +67,8 @@ connectors:
 #     clientID: $GOOGLE_CLIENT_ID
 #     clientSecret: $GOOGLE_CLIENT_SECRET
 #     redirectURI: http://127.0.0.1:5556/dex/callback
-#     hostedDomain: $GOOGLE_HOSTED_DOMAIN
+#     hostedDomains:
+#     - $GOOGLE_HOSTED_DOMAIN
 
 # Let dex keep a list of passwords which can be used to login to dex.
 enablePasswordDB: true