セキュリティ2026-07-01

[Security] Zero Trust Authentication Design using Google Workspace OAuth2 for Internal Systems on Vercel


The Limits and Collapse of Security via Physical Boundaries (VPNs)

In the past, security for "internal-only admin panels" and "business systems" was guaranteed by restricting access entirely through corporate networks or VPNs (Virtual Private Networks).

However, now that remote work is standard and architectures spanning multiple SaaS platforms are common, negative side effects frequently occur. These include "once a VPN is breached, all internal systems become accessible," "business delays due to VPN bandwidth congestion," and "connection troubles from mobile devices."

There is an urgent need to discard the premise that "the corporate network equals safety" and shift to "Zero Trust Security," where every incoming connection is verified on a case-by-case basis.

This article explains how to build a gateway architecture that integrates Google Workspace Account Authentication (OAuth2)—which is already adopted company-wide in most cases—with Vercel Edge Computing, enabling safe access to internal-only applications without requiring a VPN.


2. Before & After: Resolving the Bottleneck

Item Traditional VPN (Perimeter Defense) (Before) Google OAuth + Zero Trust (After)
Access Convenience Slow connections, frequent drops Ultra-fast loading equivalent to public websites
Security Strength Vulnerable to lateral movement if breached once Constantly enforces device security state (e.g., 2FA)
User Management Frequent missed removals of VPN accounts for departing employees Access revoked instantly the moment the parent Google Workspace account is suspended
Operating Costs Maintenance fees for dedicated physical routers and expensive VPN licenses Operation costs are virtually free due to serverless authentication at the infrastructure level

3. Implementation Example: Domain Restriction and Auth Verification with Next.js Middleware

Below is a code example using Next.js (App Router) Edge Middleware to parse session information and open the system exclusively to users possessing an email address with the company's official Google Workspace domain (e.g., @hadayalab.com).

import { NextRequest, NextResponse } from "next/server";
import { getToken } from "next-auth/jwt";

export async function middleware(req: NextRequest) {
  const session = await getToken({
    req,
    secret: process.env.NEXTAUTH_SECRET,
  });

  const url = req.nextUrl.clone();

  // 1. Redirect to the login page if no session exists
  if (!session) {
    url.pathname = "/api/auth/signin";
    return NextResponse.redirect(url);
  }

  // 2. Strictly check if the user's email belongs to the corporate domain
  const userEmail = session.email || "";
  const allowedDomain = "@hadayalab.com";

  if (!userEmail.endsWith(allowedDomain)) {
    // Return 403 (Forbidden) or forcefully log out if not a corporate domain
    return new NextResponse(
      JSON.stringify({
        error: "Forbidden",
        message: "This application is restricted to HadayaLab personnel. Please log in with an approved Google Workspace account.",
      }),
      { status: 403, headers: { "Content-Type": "application/json" } }
    );
  }

  // 3. Allow the request through if authentication and domain checks pass
  return NextResponse.next();
}

// Set paths to apply authentication checks (exclude static assets and login APIs)
export const config = {
  matcher: [
    "/admin/:path*",
    "/dashboard/:path*",
    "/api/secure/:path*",
  ],
};

4. HadayaLab's Zero Trust Security Deployment Package

At HadayaLab, we provide network architectures that allow employees to swiftly execute business operations from anywhere, while fully protecting cloud-based AI agents and operational dashboards from external malicious access.

  • Integration of Google Identity-Aware Proxy (IAP) and Vercel: Unifying authentication and authorization policies at the cloud infrastructure level.
  • Strict Binding of Mobile Devices and IDs: Enforcing client certificates and Google Workspace MFA (Multi-Factor Authentication) policies.
  • Encrypted File Uploads for Confidential Data: Designing Signed URLs to securely send files directly from the Next.js frontend to specific folders in AWS S3 or Google Drive.

If you are a security administrator looking to "eliminate the burden of managing VPNs" or "securely launch internal systems on Vercel," please consider HadayaLab's Zero Trust Infrastructure Design service.

Get Your Free Workflow Audit