I had a quick look at this and observed the same (incorrect) behavior; I too was unable to restrict authenticated users to the list of test users:
- Created Apps Script Web app (for a quick win)
- Associated a Cloud Platform project with it
- Enabled Gmail API in the project and added one of its "restricted" scopes
- Added one Google account to test users
I was able to log in using the test user and any other Gmail account, regardless of whether I included a Gmail restricted scope.
One thing I observed but am unable to explain is that I was not presented with the app's (project's) OAuth Consent Screen. Each time I logged in (incognito), I was prompted by the standard Google login screen only. I expected to be prompted by the OAuth Consent Screen before accessing the app. This likely explains why identities aren't being limited to the test users, but I'm unsure why I'm not seeing the consent screen.
Even without Google paid support, you may file issues like this using Google's public issue tracker and these will be seen by Google Engineering.
I recommend you file under "Cloud Platform > Security & Identity" and let someone within Google triage:
https://issuetracker.google.com/issues/new?component=187167&template=1162765