diff --git a/README.md b/README.md
index 0c9573bf03f3f9f9610f6a06323f5cd1d811ca4b..8f3ec4e2f287136a985a18d53878e0d31f12b5b1 100644
--- a/README.md
+++ b/README.md
@@ -86,7 +86,7 @@ Configuration is divided into different sections: `server`, `auth`, `ssh`, and `
 - `oauth_client_secret` : string. Oauth secret.
 - `oauth_callback_url` : string. URL that the Oauth provider will redirect to after user authorisation. The path is hardcoded to `"/auth/callback"` in the source.
 - `provider_opts` : object. Additional options for the provider.
-- `users_whitelist` : array of strings. Optional list of whitelisted usernames. If missing, all users of your current domain/organization are allowed to authenticate against cashierd.
+- `users_whitelist` : array of strings. Optional list of whitelisted usernames. If missing, all users of your current domain/organization are allowed to authenticate against cashierd. For Google auth a user is an email address. For GitHub auth a user is a GitHub username.
 
 #### Provider-specific options
 
diff --git a/server/auth/github/github.go b/server/auth/github/github.go
index 912caae6e3eb86fd52e7d0c75bf0316bcfceef86..24a4bbfdd0e577c98ecd8a2e4575564d601dab93 100644
--- a/server/auth/github/github.go
+++ b/server/auth/github/github.go
@@ -62,12 +62,17 @@ func (c *Config) Name() string {
 
 // Valid validates the oauth token.
 func (c *Config) Valid(token *oauth2.Token) bool {
-	if len(c.whitelist) == 0 && !c.whitelist[c.Username(token)] {
+	if len(c.whitelist) > 0 && !c.whitelist[c.Username(token)] {
 		return false
 	}
 	if !token.Valid() {
 		return false
 	}
+	if c.organization == "" {
+		// There's no organization and the token is valid. Can only reach here
+		// if there's a user whitelist set and the user is in the whitelist.
+		return true
+	}
 	client := githubapi.NewClient(c.newClient(token))
 	member, _, err := client.Organizations.IsMember(c.organization, c.Username(token))
 	if err != nil {
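Review bot: The new `c.organization == ""` branch returns true based on an invariant that Valid does not itself enforce: with an empty whitelist and no organization, the first check is skipped and any GitHub account holding a valid token is accepted. The comment says this path is only reachable with a whitelist set, which presumably relies on config validation outside this diff. Making the branch self-checking is cheap: `return len(c.whitelist) > 0` instead of `return true`. The same fail-open shape appears in server/auth/google/google.go, where `c.domain != "" && ui.Hd != c.domain` accepts every Google account with a token for this client when both domain and whitelist are empty. Valid's body continues past the end of this hunk.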
diff --git a/server/auth/google/google.go b/server/auth/google/google.go
index 3a833ab9a69e7276553482c029f0df4d86b80842..08a4083cf7bec13cb8c57e6582f7d4f5a8d0d460 100644
--- a/server/auth/google/google.go
+++ b/server/auth/google/google.go
@@ -62,7 +62,7 @@ func (c *Config) Name() string {
 
 // Valid validates the oauth token.
 func (c *Config) Valid(token *oauth2.Token) bool {
-	if len(c.whitelist) == 0 && !c.whitelist[c.Username(token)] {
+	if len(c.whitelist) > 0 && !c.whitelist[c.Email(token)] {
 		return false
 	}
 	if !token.Valid() {
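Review bot: The whitelist lookup `c.whitelist[c.Email(token)]` runs before `token.Valid()` and before the audience comparison, and `Email` issues its own userinfo request. Valid therefore makes two userinfo calls and takes the allow-list decision from a different response than the one used for the `Hd` check. Consider moving the check below the `svc.Userinfo.Get().Do()` call later in Valid and reading the address from that response: `if len(c.whitelist) > 0 && !c.whitelist[ui.Email] { return false }`. If the vendored API client exposes a verified-email flag on the userinfo response, it would be worth checking before trusting the address for authorization. Valid's body continues in the next hunk.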
@@ -78,11 +78,14 @@ func (c *Config) Valid(token *oauth2.Token) bool {
 	if err != nil {
 		return false
 	}
+	if ti.Audience != c.config.ClientID {
+		return false
+	}
 	ui, err := svc.Userinfo.Get().Do()
 	if err != nil {
 		return false
 	}
-	if ti.Audience != c.config.ClientID || ui.Hd != c.domain {
+	if c.domain != "" && ui.Hd != c.domain {
 		return false
 	}
 	return true
@@ -107,8 +110,8 @@ func (c *Config) Exchange(code string) (*oauth2.Token, error) {
 	return c.config.Exchange(oauth2.NoContext, code)
 }
 
-// Username retrieves the username portion of the user's email address.
-func (c *Config) Username(token *oauth2.Token) string {
+// Email retrieves the email address of the user.
+func (c *Config) Email(token *oauth2.Token) string {
 	svc, err := googleapi.New(c.newClient(token))
 	if err != nil {
 		return ""
@@ -117,5 +120,10 @@ func (c *Config) Username(token *oauth2.Token) string {
 	if err != nil {
 		return ""
 	}
-	return strings.Split(ui.Email, "@")[0]
+	return ui.Email
+}
+
+// Username retrieves the username portion of the user's email address.
+func (c *Config) Username(token *oauth2.Token) string {
+	return strings.Split(c.Email(token), "@")[0]
 }
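Review bot: `Username` still returns only the local part of the address, and the domain check in Valid is now optional, so two accounts such as the constructed examples `alice@a.example` and `alice@b.example` resolve to the same username. If callers outside this diff use Username as the identity (for instance as a certificate principal, which is not visible here), a whitelist spanning several domains would merge those users. At minimum the doc comment should say so, e.g. `// Username returns the local part of the user's email address; it is not unique across domains.` Callers that need a unique identity should use `Email`.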