Repro steps:
- Create a Phabricator instance where auth.email-domains is non-empty and Google SSO is the only authentication provider
- Sign out of all Google accounts
- Sign into a Google account from a domain not listed in auth.email-domains
- Try to log into Phabricator
Actual:
I see a Phabricator error page:
> Registration Failed
> The account you are attempting to register with has an invalid email address ([address]). This Phabricator install only allows registration with specific email addresses:
> Email address must be [domain]
Expected (what other sites that use Google SSO with a domain restriction seem to do, in my experience):
- If you're signed into multiple accounts, and exactly one matches the domain restriction, Google SSO will automatically use that account without prompting you to select one
- If you're signed into one or more accounts, but none of them match the domain restriction, then Google will show this page:
Its URL is https://accounts.google.com/AccountChooser?hd=[domain]&continue=[...]&ltmpl=popup&sarp=1. This page has a convenient "Add account" button that lets me easily sign in with the appropriate account, rather than Phabricator, which seems to automatically select the sole logged-in account and just fail immediately.
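
The behaviour requested above, sketched as an added example (not Phabricator's code and not part of the original report): the relying party passes Google's `hd` parameter as an account-chooser hint and still enforces the email-domain allowlist server-side, because the user can strip `hd` from the URL. The function names, the client values and the sample claims are hypothetical; the claims are assumed to come from an ID token whose signature has already been verified.

```python
from urllib.parse import urlencode

# Google's OAuth 2.0 authorization endpoint.
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def build_auth_url(client_id, redirect_uri, state, allowed_domains):
    """Build the authorization URL, adding the hd hint when it is unambiguous."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid email",
        "state": state,
    }
    # hd names a single hosted domain, so it is only sent when the
    # allowlist (the equivalent of auth.email-domains) has one entry.
    if len(allowed_domains) == 1:
        params["hd"] = allowed_domains[0]
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)


def domain_allowed(claims, allowed_domains):
    """Server-side check on verified ID-token claims.

    hd only steers Google's account chooser; it is not an access control,
    so the allowlist is enforced here regardless of what was requested.
    """
    allowed = {d.lower() for d in allowed_domains}
    email = str(claims.get("email", ""))
    # Reject unverified addresses and anything that is not local@domain.
    if claims.get("email_verified") is not True or email.count("@") != 1:
        return False
    return email.rsplit("@", 1)[1].lower() in allowed


if __name__ == "__main__":
    # Constructed sample values.
    print(build_auth_url("client-id-placeholder",
                         "https://phab.example.test/callback",
                         "state-placeholder", ["example.com"]))
    print(domain_allowed({"email": "user@other.test", "email_verified": True},
                         ["example.com"]))
```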