Google OAuth2.0 allows users NOT in list of test users

I'm developing a webapp which allows users to log in with their Google accounts, using OAuth2.0. I've created an OAuth2.0 client ID, configured the OAuth consent screen with the Publishing status set to 'Testing', and added a test user.

The frontend of my app is built with React, and I'm using a package (react-google-login) to handle the flow. I can successfully sign in with the Google account I added as a test user, and retrieve the basic profile information needed.

The problem is I can also sign in with other Google accounts, which have not been added to the list of test users. I imagine that Google should simply not issue access tokens for accounts which are not in the list of test users.

I feel like I've misunderstood something about the OAuth process, or I have configured something incorrectly. I would appreciate it if anyone had any pointers.

Thanks.

Centaurian asked Nov 15 '22 22:11


2 Answers

Is it possible you're only asking for the email scope?

It appears the test user filter and possibly the whole concept of the 'app' being in test mode exists only inside the consent screen feature.

For some reason, Google doesn't show the consent screen if you only ask for email.

So... maybe that means you don't need a consent screen, and therefore don't need to care what that feature thinks about your app (that your app is in test mode and needs to be verified before going into production).

Or maybe it's a bug? Or maybe just because you can do this doesn't mean it's allowed by Google's terms. Maybe they just haven't implemented preventing that use case.

Anyway, it may help you to know that if you add a more significant scope like the Calendar API then the following things will change:

  • Non-test users will get a message like "The developer hasn't given you access to this app." and won't be able to complete OAuth
  • Test users will get a message like "Google hasn't verified this app"
  • Test users will see a consent screen

Basically, everything starts working as expected.

By the way, just putting "email" or "profile" for the scope seems to be an old way of doing things, and all the newer scopes want you to use a full URL for the scope (despite Google themselves not using the full URL when you're configuring your scopes).

For example, if you want the email and calendar scopes, you can put this value for your scope field:

email https://www.googleapis.com/auth/calendar

Or you can use this equivalent value:

https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/calendar

Not suggesting you add a scope like email for the sake of it, just that it sheds light on what's happening, and if there's a scope like that that you need anyway, adding it will solve your problem.

voltrevo answered Feb 23 '23 11:02
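The practical consequence of the answer above is that an app in "Testing" status cannot rely on Google's test-user list as an access control: with only the email/profile scopes, any Google account can complete sign-in. The following is an added example (not code from the question, the answers, or react-google-login) of the application-side check a backend should perform on the claims of a Google ID token after a library such as google-auth-library's verifyIdToken() has verified its signature. The client ID, the allow-listed addresses and the sample claims are constructed placeholders.

```javascript
// Added example: application-side authorization of a Google sign-in that does not
// depend on Google's test-user list. `claims` is the decoded payload of a Google
// ID token whose signature has ALREADY been verified by a library (e.g.
// google-auth-library's verifyIdToken()); this function re-checks the claims that
// matter for authorization and applies the app's own allow-list.

// Google issues ID tokens under either of these issuer strings.
const ALLOWED_ISSUERS = new Set(['https://accounts.google.com', 'accounts.google.com']);

// Constructed policy for the example: the OAuth client ID is a placeholder, and
// the allow-list plays the role of the "test users" the app actually trusts.
const EXAMPLE_POLICY = {
  clientId: 'PLACEHOLDER-CLIENT-ID.apps.googleusercontent.com',
  hostedDomain: null, // set to e.g. 'example.com' to require a Workspace domain (hd claim)
  allowedEmails: new Set(['tester@example.com']),
};

/**
 * Decide whether a Google identity may use the application.
 * Returns { allowed, subject, email, reasons } so the caller can log why a
 * sign-in was rejected without leaking that detail to the browser.
 * `nowSeconds` is injectable so the check is deterministic in tests.
 */
function authorizeGoogleIdentity(claims, policy, nowSeconds = Math.floor(Date.now() / 1000)) {
  const reasons = [];

  if (!ALLOWED_ISSUERS.has(claims.iss)) reasons.push('unexpected issuer');
  // A token minted for another client ID must never be accepted here.
  if (claims.aud !== policy.clientId) reasons.push('token not issued for this client ID');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) reasons.push('token expired');
  // Without email_verified the address is user-asserted, not confirmed by Google.
  if (claims.email_verified !== true) reasons.push('e-mail address not verified by Google');

  const email = typeof claims.email === 'string' ? claims.email.trim().toLowerCase() : '';
  if (!email) reasons.push('no e-mail claim');

  // Optional: restrict to one Google Workspace domain via the hd claim.
  if (policy.hostedDomain && claims.hd !== policy.hostedDomain) {
    reasons.push('account is not in the required hosted domain');
  }

  // The app's own allow-list: this is what Google's test-user list does NOT do
  // for you when only the email/profile scopes are requested.
  if (email && !policy.allowedEmails.has(email)) {
    reasons.push('account not on the application allow-list');
  }

  // `sub` is Google's stable account identifier; persist that, not the e-mail.
  return { allowed: reasons.length === 0, subject: claims.sub, email, reasons };
}

// Constructed sample claims, shaped like a decoded Google ID token payload.
const SAMPLE_NOW = 1700000000;
const SAMPLE_TESTER_CLAIMS = {
  iss: 'https://accounts.google.com',
  aud: EXAMPLE_POLICY.clientId,
  sub: '000000000000000000001',
  email: 'Tester@example.com',
  email_verified: true,
  exp: SAMPLE_NOW + 3600,
};
const SAMPLE_STRANGER_CLAIMS = { ...SAMPLE_TESTER_CLAIMS, sub: '000000000000000000002', email: 'someone-else@example.org' };

// Stand-alone run: prints the decision for both constructed identities.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(authorizeGoogleIdentity(SAMPLE_TESTER_CLAIMS, EXAMPLE_POLICY, SAMPLE_NOW));
  console.log(authorizeGoogleIdentity(SAMPLE_STRANGER_CLAIMS, EXAMPLE_POLICY, SAMPLE_NOW));
}
```

The issuer, audience, expiry and email_verified checks duplicate what a verifying library already enforces; they are cheap and keep the authorization decision self-contained if the verification call is ever refactored. The allow-list (or the hosted-domain check) is the part that actually replaces the behaviour the question expected from Google's test-user list.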


It is indeed bugged.

I was in the same spot as you, assuming I had misunderstood something. After reviewing my code over and over with no luck, I made a Stack Overflow post, in which I was advised to post to Google's bug tracking system. After doing some troubleshooting with Google they confirmed the bug, and they are now working to fix it (for a little while already).

I included this thread as an example when talking to Google. I meant to post an update here after getting in touch with them, but I forgot, sorry!

The buganizer thread with more details: https://issuetracker.google.com/issues/211370835

oddgrd answered Feb 23 '23 13:02