24

Me and some guys here are working on a startup. We are currently using the Google OpenID API to manage registration and login to our app, but we want to migrate to an easier user registration model. And for this, we need to know if there is a way we can detect if an email (not Gmail) is already a Google Account. Is there a way to get this info from the Google Single Sign-on API?

Previous thanks for your help! :)

FernandoEscher
  • 2,940
  • 2
  • 28
  • 27
  • This is a total hack for anyone else looking for a solution related to this. If you try to invite a non-Google email address to a Google service that requires a Google account (either personal gmail or business), you may get an error message saying something like "unknown email address" if it's a non-Google address. You can use that to answer the question posed. – Danger Jan 24 '14 at 20:16
  • Calendly seems to be doing this in production: https://calendly.com/signup – Nolan Amy Feb 09 '19 at 00:22
  • 1
    I used the "total hack" after puzzling over this for some time. Found this thread after, but wanted to make sure that my solution had been noted, and I see that it has. I'll just add my particular solution - which was to try adding the email as a user with GA permissions via the management API. I immediately then remove the user permission. But if I was able to add it, then it's a valid Google account. – Chris Harrington Feb 17 '19 at 03:26

8 Answers

34

If you're on a Mac, open Terminal and enter `$ host {example.com}` to determine if their email is hosted by Google.

For example:

    $ host yelp.com
    yelp.com has address 104.16.57.23
    yelp.com has address 104.16.56.23
    yelp.com mail is handled by 1 ASPMX.L.GOOGLE.com.
    yelp.com mail is handled by 10 ASPMX2.GOOGLEMAIL.com.
    yelp.com mail is handled by 10 ASPMX5.GOOGLEMAIL.com.
    yelp.com mail is handled by 10 ASPMX3.GOOGLEMAIL.com.
    yelp.com mail is handled by 5 ALT2.ASPMX.L.GOOGLE.com.
    yelp.com mail is handled by 10 ASPMX4.GOOGLEMAIL.com.
    yelp.com mail is handled by 5 ALT1.ASPMX.L.GOOGLE.com.

dbadness
  • 413
  • 4
  • 10
6

This isn't a complete solution, but you can tell if someone is on Google Apps by looking at their domain's MX records. The link in the answer didn't work for me, so that may be a better solution.

Dan
  • 266
  • 4
  • 16
  • the link won't work if you open it in a browser .. do a curl call and check for the header status – Rishabh May 15 '13 at 10:34
  • in PHP, use `getmxrr` and match the results against `google`. Example https://gist.github.com/samin/f89c0f9b67ae82200e22 – Samin May 23 '14 at 19:14
4

You cannot do that. I don't think Google could tell you that without user consent.

You could, however, see if the domain is a Google Apps domain by using this as the Discovery URL: https://www.google.com/accounts/o8/site-xrds?hd=mail.moztw.org

Note that the admin of the domain might not have properly installed OpenID support for the domain. My slides discuss this in detail: http://www.slideshare.net/timdream/google-apps-account-as-openid

timdream
  • 5,914
  • 5
  • 21
  • 24
  • Thanks for the response. Of course it cannot be done, starting from the point that the OpenID protocol doesn't provide any support for user interaction said it all. Indeed we are already using hosted domains detection. Thanks for the advice! :) – FernandoEscher Nov 25 '10 at 22:56
  • I suggest you don't do this. Just because an e-mail address is under a G-Suite domain doesn't necessarily mean that person has a Google account. There are unfortunately G-Suite domains out there where this is not the case, i.e. where some of the e-mail addresses are simply forwarders. – rdb Dec 15 '16 at 13:54
  • @rdb Yeah you are right, the answer only tells if the given domain is a GSuite domain, not the e-mail itself. OpenID is deprecated so I would take a grain of sand of the answer myself. – timdream Dec 22 '16 at 16:00
  • Hi @FernandoEscher, even I have come across a similar problem. Can you help me in achieving the solution? I mean how you are using hosted domains detection to solve the problem. – Vali Shah Nov 22 '17 at 04:30
4

You can check the Identity Provider with a Google API: https://dns.google.com/resolve?name=example.com&type=MX

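    using System;
    using System.Linq;
    using System.Net.Http;
    using System.Net.Http.Json;
    using System.Threading.Tasks;

    public static class IdentityProviderChecker
    {
        public static async Task<string?> GetProviderName(string email)
        {
            var domainName = email.Split('@').Last();
            using var client = new HttpClient();

            // GetFromJsonAsync (System.Net.Http.Json) is the framework call;
            // GetAsyncResult is not a member of HttpClient.
            var result = await client.GetFromJsonAsync<DnsResponse>(
                $"https://dns.google.com/resolve?name={Uri.EscapeDataString(domainName)}&type=MX");

            // "Answer" is missing from the JSON when the domain has no MX records.
            var answers = result?.Answer ?? Array.Empty<Answer>();

            return answers.Any(x => x.Data.Contains("google.com", StringComparison.OrdinalIgnoreCase) || x.Data.Contains("googlemail.com", StringComparison.OrdinalIgnoreCase))
                ? "Google"
                : answers.Any(x => x.Data.Contains("outlook.com", StringComparison.OrdinalIgnoreCase))
                    ? "Microsoft"
                    : null;
        }
    }

    public class DnsResponse
    {
        // Nullable: absent in responses without records.
        public Answer[]? Answer { get; set; }
    }

    public class Answer
    {
        // MX data has the form "<preference> <mail host>".
        public string Data { get; set; } = "";
    }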

Thom Kiesewetter
  • 6,703
  • 3
  • 28
  • 41
3

Note that MX records will not always prove that an email address is able to do google SSO/OAUTH.
For example, gene.com (genentech) uses google for all services, but this is their mx response:

    nslookup -type=mx gene.com
    Server:     127.0.0.53
    Address:    127.0.0.53#53

    Non-authoritative answer:
    gene.com    mail exchanger = 30 ridesmtaext02.roche.com.
    gene.com    mail exchanger = 60 mtaalt4.roche.com.
    gene.com    mail exchanger = 30 ridesmtaext01.roche.com.
    gene.com    mail exchanger = 40 rkamtaext01.roche.com.
    gene.com    mail exchanger = 40 rkamtaext02.roche.com.
    gene.com    mail exchanger = 40 rmumtaext02.roche.com.
    gene.com    mail exchanger = 30 sc1esmtaext02.gene.com.
    gene.com    mail exchanger = 30 sc1esmtaext01.gene.com.
    gene.com    mail exchanger = 60 mtaalt2.roche.com.
    gene.com    mail exchanger = 60 mtaalt3.roche.com.
    gene.com    mail exchanger = 40 rmumtaext01.roche.com.
    gene.com    mail exchanger = 60 mtaalt1.roche.com.

    Authoritative answers can be found from:

froopydoop
  • 85
  • 6
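
The MX check discussed in the answers above, as an added example (not code from any of the posters): it matches provider hostnames on whole DNS labels instead of by substring, and reports a non-matching domain as inconclusive, which is what the gene.com listing calls for. The response objects are constructed from the MX listings quoted on this page and assume the JSON shape returned by dns.google.com/resolve; the function names and the lookalike hostname are hypothetical.

```javascript
// Added example; sample responses below are constructed, not live lookups.
const PROVIDER_SUFFIXES = {
  Google: ["google.com", "googlemail.com"],
  Microsoft: ["outlook.com"],
};

// True when host equals suffix or ends with "." + suffix (whole labels only).
function hostMatchesSuffix(host, suffix) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop trailing root dot
  return h === suffix || h.endsWith("." + suffix);
}

// MX "data" is "<preference> <exchange>", e.g. "1 aspmx.l.google.com."
function parseMx(data) {
  const m = /^\s*(\d+)\s+(\S+)\s*$/.exec(data);
  return m ? { preference: Number(m[1]), exchange: m[2] } : null;
}

// provider === null means "MX says nothing", not "no Google accounts here".
function classifyMx(dnsResponse) {
  const MX_TYPE = 15;
  const records = (dnsResponse.Answer || []) // Answer is absent when no records exist
    .filter((a) => a.type === MX_TYPE)
    .map((a) => parseMx(a.data))
    .filter(Boolean)
    .sort((a, b) => a.preference - b.preference);
  for (const [provider, suffixes] of Object.entries(PROVIDER_SUFFIXES)) {
    const hit = records.find((r) =>
      suffixes.some((s) => hostMatchesSuffix(r.exchange, s)));
    if (hit) return { provider, evidence: hit.exchange };
  }
  return { provider: null, evidence: null };
}

const yelp = { Status: 0, Answer: [
  { name: "yelp.com.", type: 15, data: "10 ASPMX2.GOOGLEMAIL.com." },
  { name: "yelp.com.", type: 15, data: "1 ASPMX.L.GOOGLE.com." },
] };
const gene = { Status: 0, Answer: [
  { name: "gene.com.", type: 15, data: "30 ridesmtaext02.roche.com." },
  { name: "gene.com.", type: 15, data: "30 sc1esmtaext01.gene.com." },
] };
// Constructed lookalike: "google.com" appears only as a substring.
const lookalike = { Status: 0, Answer: [
  { name: "example.test.", type: 15, data: "5 mx.notgoogle.com.example.test." },
] };
const noMx = { Status: 0 }; // response without an Answer array
```

Even a "Google" result only describes where the domain's mail is delivered; as the comments above note, it does not show that a particular address has a Google account.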
1

I worked out Doug's suggestion and it works. Just make sure that the (effective) user invoking the function has the right to call addViewer. A trick to accomplish this is to make sure the routine is called from a trigger routine, so the owner of the script is the effective user.

    function checkIfGoogleAccount(emailAddress) {
      try {
        SpreadsheetApp.getActiveSpreadsheet().addViewer(emailAddress);
        SpreadsheetApp.getActiveSpreadsheet().removeViewer(emailAddress);
        return true;
      }
      catch (err) {
        return false;
      }
    }

0

I do this by having a dummy file, to which I add the email address using the addViewer function. I do this in a try...catch. If an error is caught then I set my local flag to say "not a google account". If no error, I then remove them as a viewer of my dummy file and set my flag to say the email address is a legit google account.

Doug
  • 1
0

Came looking for a solution to this and wanted to post an update that while Doug/Lexcel's solution works, the .addViewer() command now automatically sends an email (if the account is Google based) notifying the person that they've been given view access to the file. Since this isn't ideal, I re-wrote the function to use the Drive API to silently insert the permission instead.

    function checkIfGoogleAccount(email) {
      let ss = SpreadsheetApp.getActiveSpreadsheet();
      let fileId = ss.getId();
      try {
        Drive.Permissions.insert( // Silent share - doesn't send an email
          {
            'role': 'reader',
            'type': 'user',
            'value': email
          },
          fileId,
          {
            'sendNotificationEmails': 'false'
          });
        ss.removeViewer(email);
        return true;
      } catch (e) {
        return false;
      }
    }