Must be a top private domain

I'm learning about Google OAuth, and it says that my project has no appropriate credentials.

So I go to the Developers Console and click on the OAuth consent screen. I type my domain name into their question:

Authorized domains To protect you and your users, Google only allows applications that authenticate using OAuth to use Authorized Domains. Your applications' links must be hosted on Authorized Domains.

I have verified my domain, but I get "Must be a top private domain." The link takes me to some kind of Java programming statement. Actually, if I click on the Domain verification tab (again), there are no domain names listed, but I know I added it.

Q: How do I add my domain for being used with OAuth? Must I qualify it as a Top Private Domain or am I going down a rabbit hole?

Phillip Senn asked Oct 19 '18 15:10



3 Answers

Google OAuth requires a top level domain for security purposes. A top level domain is the first one before the .com, .net, .biz; in other words, it only has one dot. There are exceptions such as .co.uk.

Subdomains are controlled by the parent domains and are not necessarily owned or controlled by you. Imagine you have a Wordpress account at domain.wordpress.com. Wordpress closes your account and returns domain to inactive. A different user claims the domain user and domain.wordpress.com. If Google allowed subdomains they would be forced to believe the new user was you. (Since there is no requirement of public notification of the change)

Edit (a more generalized statement in response to a comment.)

If you own the domain, you have full control over it, and the ownership records are public. To prove your virtual identity as owner of the domain, many services, when you subscribe, require a DNS record that is created by you, as a challenge created by the provider, and that can be read by the provider before services are created. In the event of a change in ownership, the original claimant (you) is sent a new record at the provided email address to add to your DNS server to prove you still own the domain. If you cannot prove you still maintain ownership of the name, as in the case of an expired domain hijack, all services are canceled.

Edit

The most probable problem is: Your domain verification is failing.

Start the verification process again. This will give you a new TXT record to add to your DNS. Go to your DNS provider's page and add the record. While there, look for the refresh value on the SOA record.

Convert the SOA refresh from seconds to hours. Divide by 3600.

Wait that amount of time + 4 hours for replication.

Use nslookup (or dig) and look for the TXT record. Be sure to use Google's DNS server at 8.8.8.8 (server=8.8.8.8).

If the record is not found, wait some more, if (hours waiting > 72) break; else repeat check.

If nslookup was able to find the record, complete the verification process; if not, contact your DNS provider (the client record hold can be an issue).

If at this point everything went well, you should have an authorized domain.

If not (domain disappears, contact Google support), it may have to do with the privacy settings on the domain. Most quote public domains have contact information.

Strom answered Oct 26 '22 02:10


You must use a TLD (top level domain). If you have a subdomain, it is owned by the person who owns the TLD. For example, you might have a blog at myamazingblog.wordpress.com, and wanted to use OAuth with it. Unfortunately, this would not be possible, since you do not own wordpress.com (the TLD).

Will Dereham answered Oct 26 '22 02:10
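
Added example (not part of the answers above, and not Google's code): a minimal check for whether a host name is a top private domain, meaning exactly one label to the left of a public suffix, which is why foo.co.uk qualifies although it has two dots. The rule set is a small constructed sample in Public Suffix List syntax, and the function names are illustrative.

```python
# Constructed sample of Public Suffix List rules (NOT the full list; real code
# should load the current list published at publicsuffix.org).
SAMPLE_RULES = {"com", "uk", "co.uk", "*.ck", "!www.ck"}


def public_suffix(host, rules=SAMPLE_RULES):
    """Return the public suffix of host using PSL matching rules."""
    labels = host.lower().rstrip(".").split(".")
    best = labels[-1:]  # default rule "*": the last label alone is a suffix
    for i in range(len(labels)):  # candidates from longest to shortest
        cand = labels[i:]
        name = ".".join(cand)
        if "!" + name in rules:  # exception rule: suffix is one label shorter
            return ".".join(cand[1:])
        wildcard = "*." + ".".join(cand[1:])
        matched = name in rules or (len(cand) > 1 and wildcard in rules)
        if matched and len(cand) > len(best):
            best = cand  # the rule with the most labels wins
    return ".".join(best)


def top_private_domain(host, rules=SAMPLE_RULES):
    """Public suffix plus exactly one more label, or None if there is none."""
    host = host.lower().rstrip(".")
    suffix = public_suffix(host, rules)
    if host == suffix:
        return None  # the host is itself a public suffix
    extra = host[: -len(suffix) - 1].split(".")
    return extra[-1] + "." + suffix


def is_top_private_domain(host, rules=SAMPLE_RULES):
    """True when host is neither a bare suffix nor a subdomain."""
    return top_private_domain(host, rules) == host.lower().rstrip(".")


if __name__ == "__main__":
    for h in ("example.com", "dev.example.com", "foo.co.uk", "co.uk",
              "myamazingblog.wordpress.com"):
        print(h, "->", top_private_domain(h), is_top_private_domain(h))
```

With these sample rules, dev.example.com and myamazingblog.wordpress.com are rejected because their top private domains are example.com and wordpress.com.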


Try testing on a different device or clearing cache.

For me it turned out I had everything correct (just with my example.com domain) but my iOS Safari was caching something and it kept giving me the ‘not whitelisted’ message. Which led me to think I needed to add dev.example.com as well - which isn’t necessary.

So try going to the site on another device or browser to see if it works.

Simon_Weaver answered Oct 26 '22 03:10