...
Google and Facebook have both an automated and manual verification and review process, according to the type of client, scope and claims the client has access to. (See https://developers.google.com/apps-script/guides/client-verification and https://support.google.com/cloud/answer/9110914?hl=en).
Verification Procedure
As of November 2019 the OAuth Clients needs to be verified in order to be usable. A dedicated OAuth Verification Job in the ops build system has been created to perform verification of a specific client. The following procedure can be used in order to verify a client:
Once a request is received and the client needs to be verified, create a new ticket in JIRA with the client id
Launch the OAuth Verification Job filling out the required parameters (Note: you will need a Jenkins account):
SESSION_TOKEN: A valid session token for an admin user
CLIENT_ID: the id of the client to verify
ETAG: The etag of the client to verify (this is to ensure that the client didn’t change after the client details were read)
VERIFY_STATUS: Leave enabled (deselecting would un-verify a client)
Resolve the related JIRA issue
Initial Implementation
As from the design review meeting held on the 11th of November 2019 the synapse team decided that due to the number of expected use cases a complete verification process is not needed and the initial implementation will be based on white listing on a case by case the oauth clients:
...