So I am looking to add in an OAuth screen to a C# desktop application. I've successfully integrated the code from OAuthDesktopApp that Google provides here: https://github.com/googlesamples/oauth-apps-for-windows
I've created a project on Google Cloud Platform, and I've generated an OAuth 2.0 Client ID.
The publishing status is "Testing", and there is a section for adding Test users. It says in a little text box:
"While publishing status is set to "Testing", only test users are able to access the app. Allowed user cap prior to app verification is 100, and is counted over the entire lifetime of the app."
So this seems great. If a user who isn't a tester tries to use the sign-in window, the response would be some sort of "OAuth authorization error". But I've tested with a second email address that isn't listed as a tester, and it proceeds to make a call with the API to get the user info! This shouldn't happen at all if the user isn't a tester, should it?
Please check this example; the code I am running is exactly this, but with my own OAuth credentials (ClientID, ClientSecret): https://github.com/googlesamples/oauth-apps-for-windows/blob/master/OAuthDesktopApp/OAuthDesktopApp/MainWindow.xaml.cs
Some more details about the "Why":
I was hoping that this would be an easy way to check if a user is a "tester" for the application I am developing. I am not super concerned about security, this isn't dealing with personal information, and my application isn't for nuclear launch codes. I am just interested in a clean way of handling authentication, i.e., if a user logs in and the response gave an error, I would have assumed that's the expected behaviour for non-tester emails. I might do more with the Google API if this works out well!
Thank you,