Configuring an Allow-list of Email Domains for OIDC Authentication

Original Slack Thread

Is there a way to configure an allow-list of email domains for the OIDC authentication (Google in our case)?

Hi <@U01AFJB5M9C>,

you can pass a regex definition to the OIDC authentication that defines which users should be allowed, by using the AUTH_OIDC_USER_NAME_CLAIM_REGEX environment variable in the datahub-frontend container.
Does this help you?

Oh, interesting! Based on the description ("# The regex used to parse the DataHub username from the user name claim. Defaults to (.*) (all)") I did not think to associate this with an allow-list.

So you are saying that if I define a regex that matches with my desired domains, the emails that fail to match will not be allowed in?

Yes, we are using the following regex to only allow access for a selected set of people: ((nameA|nameB)\@company\.com)
We use this for our dev environment.
You might give it a try and see if you can achieve your desired outcome :slightly_smiling_face:

Awesome, thanks for the tip!

Worked flawlessly! Thanks again!

Glad to hear, you are welcome :slightly_smiling_face: