
How to handle social logins on subdomains loaded as domains via CNAME?


I have a project where subdomains are created for each of my users. So, if my project is example.com, a customer of mine might have steve.example.com.

I then added social logins with Google and Facebook. For Google's "Authorized JavaScript origins" and "Authorized redirect URIs", they don't allow wildcard domains. What's the best way to handle this?

Next, it gets more complicated for users that want to load steve.example.com on their own domain via CNAME. So if example2.com's DNS is pointed to steve.example.com, it appears I need to add example2.com to my Authorized JavaScript Origins. What's the best way to handle this? Can I add it via API? I can't find any documentation regarding this and I'd rather not have to manually add 1000 subdomains and domains to Google.


Solution

  • Do you want a user to authorize a scope "A" for site 1 and get it auto approved for site 2? Most likely not.

    If you use the same client ID (put these all in the same project) that means they should just be approved once by a user. This may be a privacy violation if the sites are different and a user may not want to sign in to one of those but into another. To solve this, you should be creating a different client ID for each of your customers. Another good reason to create a project/client ID per customer is that if for some reason there is abuse and one of the client IDs is compromised, then the other/all customers are not affected.

    If you are creating project/client IDs for each customer then you should add the right subdomain there during the configuration. I also recommend not having all the projects (1000s as you say) in one Google account.
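An added example (not from the question or the answer) of the per-customer client configuration the answer recommends, in Python: a registry keyed by exact host, with one client ID and one registered redirect URI per customer, plus a callback check that refuses unregistered hosts. The hosts and client IDs are constructed placeholders; Google matches redirect URIs exactly, so the redirect_uri is always looked up, never derived from the request's Host header.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Hypothetical registry (constructed): one client ID per customer host, as the
# answer advises, with the exact redirect URI registered for that client.
TENANTS = {
    "steve.example.com": {
        "client_id": "steve-client-id.apps.googleusercontent.com",  # placeholder
        "redirect_uri": "https://steve.example.com/oauth2/callback",
    },
    "example2.com": {  # customer's own domain, CNAME'd to steve.example.com
        "client_id": "example2-client-id.apps.googleusercontent.com",  # placeholder
        "redirect_uri": "https://example2.com/oauth2/callback",
    },
}
GOOGLE_AUTH = "https://accounts.google.com/o/oauth2/v2/auth"

def tenant_for_host(host):
    """Exact-match lookup of the tenant serving `host` (port stripped); None if unknown."""
    return TENANTS.get(host.lower().split(":")[0])

def host_is_registered(host):
    return tenant_for_host(host) is not None

def build_auth_url(host, state):
    """Authorization URL for the tenant serving `host`; redirect_uri comes from the
    registry, never from the Host header, so a spoofed Host cannot redirect elsewhere."""
    tenant = tenant_for_host(host)
    if tenant is None:
        raise ValueError(f"unknown tenant host: {host}")
    params = {
        "client_id": tenant["client_id"],
        "redirect_uri": tenant["redirect_uri"],
        "response_type": "code",
        "scope": "openid email",
        "state": state,
    }
    return f"{GOOGLE_AUTH}?{urlencode(params)}"

def callback_is_valid(callback_url, expected_state):
    """True only if the callback hit a registered redirect URI with the expected state."""
    parts = urlsplit(callback_url)
    tenant = tenant_for_host(parts.netloc)
    if tenant is None:
        return False
    reg = urlsplit(tenant["redirect_uri"])
    if (parts.scheme, parts.netloc, parts.path) != (reg.scheme, reg.netloc, reg.path):
        return False
    state = parse_qs(parts.query).get("state", [""])[0]
    return bool(state) and secrets.compare_digest(state, expected_state)
```

The `state` value passed to `build_auth_url` should be generated per login attempt (for example with `secrets.token_urlsafe()`) and stored in the session so `callback_is_valid` can compare against it.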