Our application uses Microsoft and Google logins via OpenID Connect to authenticate users. We want to identify business/organizational users and their tenants using the claims/tokens emitted by the identity platform or API.
In Microsoft Identity Platform/Azure AD, there is a tid claim that can easily identify the tenant of an account. An Azure AD tenant can have many custom domains, but they will all have the same tenant ID.
What is the equivalent of this for Google business/education accounts (G Suite)? The closest thing I found so far is an hd claim that gets emitted for G Suite accounts which contains the domain name (it's available from the email address itself anyway), but the problem is that a tenant can have multiple domain names, so using the domain name alone won't be accurate.
If it is not available from the OIDC claims/tokens during the sign-in workflow, can we obtain this from an API at least?
hd will be present only for G Suite / Workspace accounts; its absence identifies a consumer account. You may be looking for Resource Manager organizations.list and friends.
It may be helpful to think of this question more along the lines of who is the currently signed-in user. Users must first choose a single account to sign into, consent to share their profile, and only then is the ID token shared.
hd is scoped and reflects the currently signed-in account; you could reasonably expect an individual to have multiple accounts: both consumer and workspace. Mentioning this as once you think about multiple organizations and consumer accounts, the hierarchy and order of sign-in operations matters. Obtaining a list of domain names, organizations and tenants isn't something an ID token is designed for.
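An added example (not code from the question or any answer) showing how the claims discussed here map to a tenant key: Microsoft's tid is a stable tenant identifier, while Google's hd is a domain, so collapsing several domains of one Workspace organization needs an app-side table; the domain_to_org argument is a hypothetical mapping the application would maintain itself.

```python
# Added example: derive a tenant key from already-verified OIDC ID-token claims.
# Signature, audience and expiry must be checked before calling classify();
# this code only interprets the claims.
from dataclasses import dataclass
from typing import Optional

# Microsoft issuer prefixes (v2.0 and v1.0 endpoints); both tokens carry `tid`.
MS_ISSUER_PREFIXES = ("https://login.microsoftonline.com/", "https://sts.windows.net/")
# Google issues ID tokens under either of these issuer values.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


@dataclass(frozen=True)
class TenantKey:
    provider: str          # "microsoft" or "google"
    kind: str              # "tenant", "organization", "workspace-domain" or "consumer"
    value: Optional[str]   # tid, org id, hd domain, or None for consumer accounts


def classify(claims: dict, domain_to_org: Optional[dict] = None) -> TenantKey:
    iss = claims.get("iss", "")
    if iss.startswith(MS_ISSUER_PREFIXES):
        # One Azure AD tenant may own many custom domains; tid is the same for all.
        tid = claims.get("tid")
        if not tid:
            raise ValueError("Microsoft token without tid claim")
        return TenantKey("microsoft", "tenant", tid)
    if iss in GOOGLE_ISSUERS:
        hd = claims.get("hd")
        if hd is None:
            # No hd claim: consumer (gmail.com-style) account, no tenant to key on.
            return TenantKey("google", "consumer", None)
        hd = hd.lower()
        # hd is a domain, not an organization id. Two domains of one Workspace
        # organization yield two keys unless the app maps them itself
        # (hypothetical table here; the answer points at Resource Manager for this).
        if domain_to_org and hd in domain_to_org:
            return TenantKey("google", "organization", domain_to_org[hd])
        return TenantKey("google", "workspace-domain", hd)
    raise ValueError(f"unsupported issuer {iss!r}")
```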