item 38721253


rowls66 | 2 years ago

Is this really a Google OAuth issue, or more a failure by many service providers to properly verify the OAuth token assertions before allowing access? Seems to me the latter.


kr0bat | 2 years ago

It sounds like the issue is that these service providers are obeying Google's aliasing rules, but also ignoring the fact that you shouldn't be using email as a primary identifier [1]? It's funny, if they had adhered to the spec more they'd be fine; but if they had adhered less and treated aliases as distinct emails, these platforms would at least be more secure.

[1] https://developers.google.com/identity/openid-connect/openid...
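The distinction kr0bat draws, keying accounts on the token's `sub` claim rather than on the e-mail address, as an added example (this is not code from the thread, from the linked article, or from Google). It assumes the ID token has already been signature-checked and decoded into a dict of claims, that the relying party's client ID is the hypothetical `CLIENT_ID` below, and that org membership is gated on Google's `hd` (hosted domain) claim. The two token payloads are constructed samples: a managed Workspace user, and a separate Google account whose address collapses to the same mailbox under plus-addressing.

```python
"""Account lookup keyed on the OIDC (iss, sub) pair instead of e-mail.

Added example, not code from the thread or from Google. Claims are assumed
to be already signature-verified; the sample tokens below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional

GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}
CLIENT_ID = "example-client-id.apps.googleusercontent.com"  # assumed relying-party client ID


@dataclass(frozen=True)
class Account:
    principal: str        # "<iss>|<sub>": the stable identifier we key on
    email: str            # display and notifications only, never used for lookup
    hd: Optional[str]     # hosted domain; None for accounts outside any Workspace org


def principal_of(claims: dict) -> str:
    """Stable identity = issuer plus subject. `sub` is unique per issuer and
    never reassigned, which an e-mail address cannot promise."""
    iss, sub = claims.get("iss"), claims.get("sub")
    if iss not in GOOGLE_ISSUERS or not sub:
        raise ValueError("missing or unexpected iss/sub")
    return f"{iss}|{sub}"


def check_claims(claims: dict, expected_aud: str = CLIENT_ID,
                 required_hd: Optional[str] = None) -> str:
    """Minimal relying-party checks after signature verification:
    audience, verified e-mail, and (optionally) membership of one hosted domain.
    `hd` is only present on accounts managed by a Google Workspace org, so an
    account that merely *looks* like it belongs to the domain fails here."""
    if claims.get("aud") != expected_aud:
        raise ValueError("aud mismatch")
    if claims.get("email_verified") is not True:
        raise ValueError("email not verified")
    if required_hd is not None and claims.get("hd") != required_hd:
        raise ValueError("account is not a member of the required hosted domain")
    return principal_of(claims)


def normalised_email(email: str) -> str:
    """Collapse plus-addressing the way the thread describes Google treating
    it: 'user+anything@domain' -> 'user@domain'. Used only by the WEAK lookup."""
    local, _, domain = email.lower().partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"


def lookup_by_email(accounts: Dict[str, Account], claims: dict) -> Optional[Account]:
    """Weak lookup: any Google account whose address collapses to the same
    string as an existing user is treated as that user."""
    wanted = normalised_email(claims["email"])
    for acct in accounts.values():
        if normalised_email(acct.email) == wanted:
            return acct
    return None


def lookup_by_principal(accounts: Dict[str, Account], claims: dict) -> Optional[Account]:
    """Strong lookup: a different `sub` is a different person, whatever the e-mail says."""
    return accounts.get(principal_of(claims))


# Constructed sample payloads (not real tokens).
WORKSPACE_USER = {
    "iss": "https://accounts.google.com", "sub": "1001", "aud": CLIENT_ID,
    "email": "alice@example.com", "email_verified": True, "hd": "example.com",
}
PLUS_ALIAS_ACCOUNT = {  # separate Google account, no `hd`: not managed by the org
    "iss": "https://accounts.google.com", "sub": "2002", "aud": CLIENT_ID,
    "email": "alice+anything@example.com", "email_verified": True,
}


def demo() -> dict:
    """Provision the Workspace user, then present the aliased account to both lookups."""
    accounts: Dict[str, Account] = {}
    p = check_claims(WORKSPACE_USER, required_hd="example.com")
    accounts[p] = Account(p, WORKSPACE_USER["email"], WORKSPACE_USER.get("hd"))

    weak = lookup_by_email(accounts, PLUS_ALIAS_ACCOUNT)        # returns alice's account
    strong = lookup_by_principal(accounts, PLUS_ALIAS_ACCOUNT)  # returns None
    try:
        check_claims(PLUS_ALIAS_ACCOUNT, required_hd="example.com")
        hd_ok = True
    except ValueError:
        hd_ok = False
    return {
        "weak_match": weak is not None and weak.principal == p,
        "strong_match": strong is not None,
        "hd_check_passed": hd_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The weak path merges the two accounts on the strength of an e-mail string, which is exactly the behaviour the thread is criticising; the `(iss, sub)` path keeps them apart, and the `hd` check additionally refuses any account the org's admins cannot see.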

mikea1 | 2 years ago

I believe OAuth is working as expected. It provides valid authentication/identity for email addresses because "user@domain" and "user+wildcard@domain" are still validated as email addresses "owned" by the user.

The issue is with the Google org website: admins cannot revoke credentials for accounts/emails they cannot see.

> Because these non-Gmail Google accounts aren’t actually a member of the Google organization, they won’t show up in any administrator settings, or user Google lists.