I want my web application to be multitenanted with one AWS Cognito user pool per tenant, as described here: https://docs.aws.amazon.com/cognito/latest/developerguide/bp_user-pool-based-multi-tenancy.html
I also want my application to support federated sign-in with Google. So a user should be able to visit the Cognito hosted UI and choose "Continue with Google".
According to AWS's Add social sign-in to a user pool instructions, I need to configure my Google "OAuth client ID" with the domain of a single Cognito user pool. But: each of my tenants will have its own Cognito user pool domain. According to Authorized Javascript Origins wildcard alternative, it's impossible to set a wildcard domain like https://*.auth.us-east-1.amazoncognito.com as an authorized JavaScript origin on an OAuth client ID. And according to how to create a oauth client id for gcp programmatically it is impossible to programmatically create/update these OAuth client IDs - you can create an IAP OAuth client programmatically, but I don't think IAP OAuth clients are what I need here.
So: do I have to manually update my OAuth client ID with a new authorised JavaScript origin and authorised redirect URI every time a new tenant is created? Is there any alternative?