How can I let users log in to my web app with their Google account, and verify that they logged in from a certain Google Apps domain?
Does the hd parameter to the Google Authorization service ensure that only the selected domain can be used to login?
Or can I get the logged in user's email and verify that it ends with "@domain.com"? This doesn't seem like such a good idea.
After login I also need to access the users' Google Contacts, which according to the documentation requires AuthSub proxy authentication.
Have a look at the OpenID docs others suggested. In brief, you need to redirect the user to a custom login URL based on their domain name - i.e. you need to find out their domain name before you redirect i.e. your hd parameter, which indeed forces login to the specified domain
This is also needed to support SSO for Google Apps domains, where the authentication for the user isn't handled by Google but by a third party service.
Make sure you check the openID provider, not just the email address domain name, once you do get the auth info.
You can use the OpenID endpoints for Google Apps domains as described here: http://groups.google.com/group/google-federated-login-api/web/openid-discovery-for-hosted-domains
Depending on your OpenID library, you may/may not be able to use it though. Eg openid4java doesn't support it yet
It seems I can use the OpenID+OAuth Hybrid protocol to both identify the user and get an access token to the data APIs, as described in this blog post.
Edit: updated dead link to live blog post.
See this question for info about how to get the user's email using OpenID. I guess I can then verify that it ends with the correct domain name.