I believe OAuth is working as expected. It provides valid authentication/identity for email addresses because "user@domain" and "user+wildcard@domain" are still validated as email addresses "owned" by the user.
The issue is with the Google org website: admins cannot revoke credentials for accounts/emails they cannot see.
> Because these non-Gmail Google accounts aren’t actually a member of the Google organization, they won’t show up in any administrator settings, or user Google lists.
The issue is with the Google org website: admins cannot revoke credentials for accounts/emails they cannot see.
> Because these non-Gmail Google accounts aren’t actually a member of the Google organization, they won’t show up in any administrator settings, or user Google lists.