diff --git a/connector/oidc/oidc.go b/connector/oidc/oidc.go
index b4a02bc71340f4a59e221e954570cb75562a42db..9cf7a3be05907c468d183d67f53dc2b76c0429ab 100644
--- a/connector/oidc/oidc.go
+++ b/connector/oidc/oidc.go
@@ -35,7 +35,7 @@ type Config struct {
 
 	// Optional list of whitelisted domains when using Google
 	// If this field is nonempty, only users from a listed domain will be allowed to log in
-	HostedDomains []string `json:"hostedDomain"`
+	HostedDomains []string `json:"hostedDomains"`
 }
 
 // Domains that don't support basic auth. golang.org/x/oauth2 has an internal
@@ -198,7 +198,7 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide
 	if len(c.hostedDomains) > 0 {
 		found := false
 		for _, domain := range c.hostedDomains {
-			if claims.HostedDomain != domain {
+			if claims.HostedDomain == domain {
 				found = true
 				break
 			}
diff --git a/examples/config-dev.yaml b/examples/config-dev.yaml
index feda4b6365498ef24ca406acbcacfa2f6a485686..542c0caeb2490402ccdf6436dd220bd4a77a9fca 100644
--- a/examples/config-dev.yaml
+++ b/examples/config-dev.yaml
@@ -67,7 +67,8 @@ connectors:
 #     clientID: $GOOGLE_CLIENT_ID
 #     clientSecret: $GOOGLE_CLIENT_SECRET
 #     redirectURI: http://127.0.0.1:5556/dex/callback
-#     hostedDomain: $GOOGLE_HOSTED_DOMAIN
+#     hostedDomains:
+#     - $GOOGLE_HOSTED_DOMAIN
 
 # Let dex keep a list of passwords which can be used to login to dex.
 enablePasswordDB: true