
Sign in with Google temporarily disabled for this app


We are facing the below screen when trying to authenticate to Google. The app that we are trying to authenticate is used for internal development and we did not publish it to our users.

Any idea why this occurs?

enter image description here

We faced an Unverified App screen before (as below) but now the authentication is disabled.

enter image description here


Solution

  • I found this thread some time ago when this happened to us in our development project on Google Cloud Platform.

    You can use a project for development without verification. No problem on that. But there are some limitations (more information here and here). Basically, we reached the limit of 100 users accessing the application. It was strange because we were testing with few accounts (5-6) until we found that, if you uninstall and install the application again, it counts as a new user. We were testing incremental authorization, so we uninstalled/installed the application a lot of times and we reached the quota.

    When you reach this limit, you will see the message "Sign in with Google temporarily disabled for this app" and only users from the organization where the project is hosted can access the application. So we couldn't test with our accounts from a demo domain or our Gmail accounts.

    The only solution available was to pass the OAuth verification form (even if you didn't want to publish the application), but there were problems doing it. For example, it was mandatory to remove http://localhost from valid OAuth URLs. And more problems related to development.

    But this has changed recently. I accessed the OAuth credentials screen in Google Cloud Platform (APIs & Services > Credentials > OAuth consent screen) this week and now the page is different. Now you don't need to specify "Authorised JavaScript origins" and "Authorised redirect URIs"; you just need to specify your scopes for Google APIs and the Authorised domains. Then, at the bottom of the page you will find the button "Submit Verification" and the process will start. You will also find some information on the right:

    About the consent screen

    The consent screen tells your users who is requesting access to their data and what kind of data you're asking to access.

    OAuth Developer Verification

    To protect you and your users, your consent screen may need to be verified by Google. Without verification, your users will see an additional page indicating that your app is not verified by Google.

    Verification is required if

    • Your application type is public, and

    • You add a sensitive scope

    Verification may take several days to complete. You will receive email updates as it's processed.

    Saving without publishing

    Even though your consent screen is unpublished, you can still test your application with users with the following limitations:

    • Sensitive scopes are limited to 100 grant requests before verification is required

    • Users see an additional page indicating that your app is not verified by Google.

    To include "Authorised JavaScript origins" and "Authorised redirect URIs" you need to go to APIs & Services > Credentials and there click on your OAuth 2.0 client ID. There will be a form where you can add them.

    In our case it took 1 day to get a response from Google. In the email there were some instructions to pass the verification. We had to reply to the email with a video uploaded on YouTube addressing the following points:

    1. How does user sign-up on your app and grants access to the sensitive scopes requested in verification?
    2. OAuth consent screen as seen by end users
    3. How does your application use the requested scopes to provide services to developers?
    4. A test account email and the password for us to test the user sign-up process and validate the project's functionality.

    We recorded a video showing points 1, 2 and 3 and sent them a test account for number 4.

    After 1 day, we got another response from Google confirming that our project had been verified.

    So finally the problem was solved! 🙂

    I hope this could help people in the same situation. It was really annoying for us.