What is the equivalent of hd param authentication for AuthSub in OAuth2

Question

In AuthSub, for Google Apps hosted domains I could use the hd parameter to redirect the user to that domain, get them to login to that domain and receive the token.

What is the equivalent functionality in OAuth2?

I came across this URL: https://developers.google.com/drive/delegation

Is this the only way? From what I understand, the service account gets direct access to all the users? The workflow would be different from what used to be for AuthSub, where the user had to login to their individual domain account? Is this understanding correct?

Answer 1

I think I found a solution, but not sure if it is the correct one.

For test, I just added &hd=mydomain.com to the auth url and I was correctly redirected to the the domain login page. Once I logged in, I did get 403, Admin has disabled third party apps. So I logged in to the google apps admin and enabled the checkbox. And it worked fine.

I just need a confirmation from Google drive developers if this is a correct solution or works currently only because AuthSub/ OAuth1 is yet to be disabled?

UPDATE: hd=default does not work. You can set it to empty string.

Answer 2

This is not a great solution, but you can pass the user_id parameter to the authorization URI for OAuth2.0 to pass the email address of a domain user. That is if you know the email address.

If not, you should trust the user to select the right account if they are multiply logged in.

As I say: sorry, not a great solution here.