Django Google OAuth2: Fix Test User Block

Brief Answer

You’re encountering this issue because Google treats new OAuth applications as unverified by default, restricting access to only “test users” until the application goes through Google’s verification process. As the project owner, you have administrative privileges over your Google Cloud project but are not automatically eligible to be a test user for your own OAuth application, which is why you’re seeing the “only test users can be used” message despite owning the project.

Contents

• Understanding Google OAuth Verification Process
• Why Project Owners Can’t Be Test Users
• Properly Configuring OAuth Consent Screen
• Steps to Verify Your Google OAuth Application
• Troubleshooting Common Issues
• Alternative Solutions

---

Understanding Google OAuth Verification Process

Google implements a verification process for OAuth applications to enhance security and ensure proper use of user data. When you create a new OAuth2 client ID in your Google Cloud project, Google automatically classifies it as an “unverified” application. This classification isn’t a reflection of your actions or intentions but rather Google’s standard security protocol.

Important: Verification is required for applications that will be used by users outside your organization, even if you’re the developer and owner.

During the verification period, your OAuth application is restricted to:

• Only users explicitly listed as “test users”
• Your Google Workspace domain (if applicable)
• Personal accounts you’ve specifically authorized

This temporary restriction serves several purposes:

• Prevents unauthorized applications from accessing Google user data
• Allows Google to review your application’s privacy policy and permissions
• Ensures developers properly configure OAuth consent screens before public release

The verification process typically takes several days to complete, during which your application remains in this restricted state. This is why you’re seeing the message about “test users only” despite being the project owner.

Why Project Owners Can’t Be Test Users

This is a crucial point that causes confusion for many developers. As the owner of a Google Cloud project, you automatically have elevated privileges that include:

• Full administrative access to the project
• Ability to create and manage OAuth credentials
• Authority to modify project settings and configurations

However, these owner privileges do not automatically make you eligible to be a test user for your own OAuth application. Here’s why:

Google’s OAuth system treats test users differently from project owners. Test users are specifically designed for development and testing purposes, allowing developers to verify their applications work correctly before public release. By definition, test users are external to the application’s development and ownership structure.

When you attempt to add yourself as a test user, Google’s system recognizes you as the project owner and displays an “ineligible” message because:

1. Conflict of Interest: Allowing owners to be test users could bypass verification requirements
2. Security Model: Google maintains a clear separation between development and user roles
3. Audit Trail: Keeping test users separate provides clearer usage logs and analytics

This separation is intentional and protects both developers and users by ensuring proper verification processes are followed before applications can access user data.

Properly Configuring OAuth Consent Screen

The OAuth consent screen is a critical component of your Google OAuth setup that many developers overlook or misconfigure. This is where you define how your application will present itself to users during the authentication process.

To properly configure the OAuth consent screen:

1. Access Google Cloud Console → Navigate to “APIs & Services” → “OAuth consent screen”

2. Select User Type:

   • For most applications, choose “External”
   • If using within your organization, choose “Internal”

3. Fill in Required Information:

   • App Name: The name users will see when authenticating
   • User Support Email: Support contact for authentication issues
   • Developer Contact Information: Your contact details

4. Configure Scopes:

   • Add the specific permissions your application needs (e.g., Gmail, Calendar, etc.)
   • Be precise and only request necessary permissions

5. Add Test Users:

   • This is where you add the email addresses of people who can test your application
   • Since you can’t add yourself, add a different Google account you own or have access to
   • These users will be able to authenticate while your application is in verification

The key insight here is that the OAuth consent screen configuration directly impacts who can authenticate with your application. Properly configuring this screen is essential for both the verification process and user experience.

---

Steps to Verify Your Google OAuth Application

Once you’ve properly configured the OAuth consent screen, the next step is to complete Google’s verification process. Here’s how to do it:

1. Prepare Your Application for Verification

Before submitting your application for verification:

• Ensure your application has a functional privacy policy
• Verify that your application’s purpose and functionality align with the requested permissions
• Test the authentication flow with your test users
• Document your application’s usage of Google APIs

2. Submit for Verification

1. In the OAuth consent screen configuration, you’ll see a status indicating “Verification not required” or similar
2. Click on “Verify” to begin the process
3. Fill out the verification application form with:
   • Your application’s website
   • Primary contact information
   • Detailed description of your application’s functionality
   • Explanation of how you’ll use the requested Google APIs

3. Review Process

After submission:

• Google will review your application (typically 3-7 business days)
• You may receive requests for additional information
• Monitor your email for communications from Google’s verification team

4. Post-Verification

Once verified:

• Your application status will change to “Verified”
• All users (not just test users) will be able to authenticate
• You can remove test user restrictions if desired

---

Troubleshooting Common Issues

Even with proper configuration, you may encounter issues during the OAuth setup process. Here are common problems and their solutions:

Issue: “Test user ineligible” error

Solution: As established, you cannot add yourself as a test user. Instead:

• Create a separate Google account for testing
• Add this account as a test user
• Use this account to test your Django application during development

Issue: Credentials not working after adding test user

Solution: Ensure you’ve:

• Properly configured redirect URIs in your OAuth client ID settings
• Added the correct client ID and secret to your Django settings
• Installed and configured django-allauth correctly

Issue: Verification taking too long

Solution: Google verification can take up to 7 business days. If it’s been longer:

• Check your email for any requests for additional information
• Verify that all required OAuth consent screen fields are completed
• Contact Google support if the delay exceeds 10 business days

Issue: Scopes not working after verification

Solution: After verification, some scopes may still require additional approval:

• Review the specific scope requirements in Google documentation
• Ensure you’ve requested all necessary scopes during OAuth consent screen setup
• Be prepared to provide additional justification for sensitive permissions

---

Alternative Solutions

If you need to authenticate multiple users during development or prefer not to wait for verification, consider these alternatives:

1. Use Google Workspace (formerly G Suite)

If your organization uses Google Workspace:

• Set up your application as an internal OAuth client
• This bypasses some verification requirements for users within your organization
• Contact your Google Workspace administrator for assistance

2. Implement Local Development Authentication

For development purposes:

• Create a local authentication system alongside Google OAuth
• Use django-allauth’s social account features but with a fallback to local authentication
• This allows you to test other application functionality while waiting for verification

3. Use Other OAuth Providers

As a temporary workaround:

• Implement OAuth with other providers (GitHub, Facebook, etc.)
• These providers may have different verification processes or requirements
• Once your Google OAuth is verified, you can remove other providers if desired

Conclusion

The issue you’re encountering with Google OAuth authentication in your Django application is a standard part of Google’s security verification process. As the project owner, you have administrative privileges but cannot automatically authenticate as a test user because of the intentional separation between development and user roles in Google’s OAuth system.

To resolve this issue:

1. Properly configure the OAuth consent screen with all required information
2. Add alternative Google accounts as test users for development and testing
3. Submit your application for verification through the Google Cloud Console
4. Wait for verification (typically 3-7 business days) before opening to all users

Remember that this verification process is ultimately designed to protect both developers and users by ensuring proper handling of authentication and data access. While it may seem inconvenient initially, it’s an important step in creating a secure and trustworthy application.