1)User visits https://attacker.tld (this can be intentional or via a pop-under)
2) attacker.tld redirects users via status code 302/301 to the oauth endpoints
2.1) redirect 1: https://accounts.google.com/o/oauth2/v2/auth? client_id=[client-id] &response_type=code &scope=openid email &redirect_uri=https://iap.googleapis.com/v1/oauth/clientIds/[client-id]:handleRedirect &code_challenge=[redacted] &code_challenge_method=S256 &cred_ref=true &state=[redacted]
2.2) redirect 2: https://iap.googleapis.com/v1/oauth/clientIds/[client-id]:handleRedirect? state=[redacted] &code=[redacted] &scope=email openid https://www.googleapis.com/auth/userinfo.email &authuser=0 &prompt=none
2.3) redirect 3: https://attacker.tld/ ?gcp-iap-mode=AUTHENTICATING &redirect_token_v2=[redacted]
3) The user's email address is served directly in the HTTP 401 response as a result of 2.3, on the attacker.tld domain name. From this we know that the user's email address has been shared without consent.
Not having received a response, I assumed it was pending. Weeks later I went back to their portal to double check. They had responded, but only within their portal. The ticket went back and forth, claiming that it wasn't reproducible. Finally, I provided them with the live URL at https://withpersona-gov.com.
Once again they argued that the bug wasn't reproducible. Conveniently, the site had changed to redirect to the main withpersona domain, just 2 days after I provided them with the URL.
Obviously this would have been or still is a massive violation of privacy laws. I feel that I've been gaslit here.