nzmattman

Reputation: 619

Google Internal oAuth Consent Screen with multiple domains

I have an internal oAuth consent screen working for the organisation domain domain.com.

We have additional users that have been added to the organisation with their domain domain.ag (.ag is where we are moving to, which is on a different account at the moment).

I can log in and do what I need with the .com emails, but when using the .ag emails Google is saying they are not part of the organisation.

Is there a way in 2021 to allow for this?

I have seen a question asked that is very similar to this, where the answers were to add select_profiles to the query, or to make the app public. Making the app public is not an option, and select_profiles is good, but if selecting the .ag email, I still get the same issue.

Is there a way to allow for all users under your organisation, even if they are 'shared' in via the Cloud Console IAM & Admin area?

Upvotes: 2

Views: 2824

Answers (2)

Odys

Reputation: 9090

You will need to create one Auth Client for each domain and subdomain. Also, creating separate secrets for the same auth client will not work.

I could not find this behavior documented.

Upvotes: 0

Gellaboina Ashish

Reputation: 573

Since your application is purely internal and has users on multiple domains, whitelist this application by marking it trusted. To mark the app as trusted, use this: https://support.google.com/a/answer/7281227

Upvotes: 2
