Accept Workspace aliases with warning instead of hard reject

Google Workspace accounts may return a primary address from the
profile API that differs from the alias the user added. Since we
can't verify Workspace aliases without admin API access, accept
same-domain mismatches with a logged warning. Gmail/googlemail
domains are excluded from this relaxation since their aliases are
fully handled by normalizeGmailAddress.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: wesm

internal/oauth/oauth.go

@@ -323,17 +323,27 @@ func (m *Manager) resolveTokenEmail(
 				"(re-run the command to try again)", email, err)
 	}
 
-	// Accept the token if the profile email matches the expected
-	// email (case-insensitive) or shares the same Google domain
-	// (alias). Reject if the emails are for entirely different
-	// accounts.
 	if !sameGoogleAccount(email, profile.EmailAddress) {
-		return "", fmt.Errorf(
-			"token mismatch: expected %s but authorized as %s "+
-				"(wrong account selected during authorization — "+
-				"please try again and select %s)",
-			email, profile.EmailAddress, email,
-		)
+		// For Workspace domains, the profile may return the
+		// primary address when the user added an alias. We
+		// can't verify aliases without admin API access, so
+		// accept same-domain mismatches with a warning.
+		if sameWorkspaceDomain(email, profile.EmailAddress) {
+			m.logger.Warn(
+				"profile email differs from expected "+
+					"(possible Workspace alias)",
+				"expected", email,
+				"profile", profile.EmailAddress,
+			)
+		} else {
+			return "", fmt.Errorf(
+				"token mismatch: expected %s but authorized "+
+					"as %s (wrong account selected during "+
+					"authorization — please try again and "+
+					"select %s)",
+				email, profile.EmailAddress, email,
+			)
+		}
 	}
 
 	return profile.EmailAddress, nil
@@ -359,6 +369,25 @@ func sameGoogleAccount(expected, canonical string) bool {
 	return expectedNorm != "" && expectedNorm == canonicalNorm
 }
 
+// sameWorkspaceDomain returns true if two email addresses share the
+// same non-Gmail domain (case-insensitive). Returns false for
+// gmail.com and googlemail.com since those aliases are fully handled
+// by sameGoogleAccount/normalizeGmailAddress.
+func sameWorkspaceDomain(a, b string) bool {
+	ai := strings.LastIndex(a, "@")
+	bi := strings.LastIndex(b, "@")
+	if ai < 0 || bi < 0 {
+		return false
+	}
+	domA := strings.ToLower(a[ai+1:])
+	domB := strings.ToLower(b[bi+1:])
+	if domA != domB {
+		return false
+	}
+	// Gmail aliases are handled by sameGoogleAccount
+	return domA != "gmail.com" && domA != "googlemail.com"
+}
+
 // normalizeGmailAddress returns a canonical form of a gmail.com or
 // googlemail.com address by lowercasing, removing dots from the local
 // part, and mapping googlemail.com → gmail.com. Returns "" for

internal/oauth/oauth_test.go

@@ -5,6 +5,7 @@ import (
 	"crypto/sha256"
 	"encoding/json"
 	"fmt"
+	"log/slog"
 	"net/http"
 	"net/http/httptest"
 	"os"
@@ -27,6 +28,7 @@ func setupTestManager(t *testing.T, scopes []string) *Manager {
 	return &Manager{
 		config:    &oauth2.Config{Scopes: scopes},
 		tokensDir: tokensDir,
+		logger:    slog.Default(),
 	}
 }
 
@@ -677,6 +679,106 @@ func TestAuthorize_RejectsMismatch(t *testing.T) {
 	}
 }
 
+// TestAuthorize_WorkspaceAlias verifies that a Workspace alias
+// (different local part, same domain) is accepted with a warning
+// rather than hard-rejected.
+func TestAuthorize_WorkspaceAlias(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(
+		func(w http.ResponseWriter, r *http.Request) {
+			w.Header().Set("Content-Type", "application/json")
+			_, _ = fmt.Fprintf(w,
+				`{"emailAddress": "primary@company.com"}`)
+		}))
+	defer srv.Close()
+
+	mgr := setupTestManager(t, Scopes)
+	mgr.profileURL = srv.URL
+	mgr.browserFlowFn = func(
+		_ context.Context, _ string, _ bool,
+	) (*oauth2.Token, error) {
+		return &oauth2.Token{
+			AccessToken: "ws-token",
+			TokenType:   "Bearer",
+			Expiry:      time.Now().Add(time.Hour),
+		}, nil
+	}
+
+	// alias@company.com -> profile returns primary@company.com
+	err := mgr.Authorize(context.Background(), "alias@company.com")
+	if err != nil {
+		t.Fatalf("Authorize should accept same-domain alias: %v", err)
+	}
+
+	// Token saved under the original alias identifier.
+	loaded, err := mgr.loadToken("alias@company.com")
+	if err != nil {
+		t.Fatalf("loadToken failed: %v", err)
+	}
+	if loaded.AccessToken != "ws-token" {
+		t.Errorf("wrong access token: got %q", loaded.AccessToken)
+	}
+}
+
+// TestAuthorize_CrossDomainReject verifies that entirely different
+// domains are rejected even for Workspace accounts.
+func TestAuthorize_CrossDomainReject(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(
+		func(w http.ResponseWriter, r *http.Request) {
+			w.Header().Set("Content-Type", "application/json")
+			_, _ = fmt.Fprintf(w,
+				`{"emailAddress": "user@other.com"}`)
+		}))
+	defer srv.Close()
+
+	mgr := setupTestManager(t, Scopes)
+	mgr.profileURL = srv.URL
+	mgr.browserFlowFn = func(
+		_ context.Context, _ string, _ bool,
+	) (*oauth2.Token, error) {
+		return &oauth2.Token{
+			AccessToken: "test",
+			TokenType:   "Bearer",
+			Expiry:      time.Now().Add(time.Hour),
+		}, nil
+	}
+
+	err := mgr.Authorize(context.Background(), "user@company.com")
+	if err == nil {
+		t.Fatal("expected error for cross-domain mismatch")
+	}
+	if !strings.Contains(err.Error(), "token mismatch") {
+		t.Errorf("error should contain 'token mismatch': %q",
+			err.Error())
+	}
+}
+
+func TestSameWorkspaceDomain(t *testing.T) {
+	t.Parallel()
+	tests := []struct {
+		a, b string
+		want bool
+	}{
+		{"user@company.com", "admin@company.com", true},
+		{"user@Company.Com", "admin@company.com", true},
+		{"user@company.com", "user@other.com", false},
+		{"user@gmail.com", "other@gmail.com", false},
+		{"user@googlemail.com", "other@googlemail.com", false},
+		{"noat", "user@gmail.com", false},
+		{"user@gmail.com", "noat", false},
+	}
+	for _, tt := range tests {
+		t.Run(tt.a+"_"+tt.b, func(t *testing.T) {
+			t.Parallel()
+			got := sameWorkspaceDomain(tt.a, tt.b)
+			if got != tt.want {
+				t.Errorf(
+					"sameWorkspaceDomain(%q, %q) = %v, want %v",
+					tt.a, tt.b, got, tt.want)
+			}
+		})
+	}
+}
+
 func TestSameGoogleAccount(t *testing.T) {
 	t.Parallel()