3

I'm building a web service that needs to read a normal Gmail inbox (not part of a domain).

Code:

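```csharp
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Gmail.v1;
using Google.Apis.Gmail.v1.Data;
using Google.Apis.Services;

String serviceAccountEmail = "1234567890@developer.gserviceaccount.com";

// Load the service account's P12 private key
var certificate = new X509Certificate2(@"key.p12", "notasecret", X509KeyStorageFlags.Exportable);

// Request a token for the service account, impersonating the account in User
ServiceAccountCredential credentials = new ServiceAccountCredential(
    new ServiceAccountCredential.Initializer(serviceAccountEmail)
    {
        Scopes = new string[] { GmailService.Scope.GmailModify },
        User = "user@gmail.com"
    }.FromCertificate(certificate));

var service = new GmailService(new BaseClientService.Initializer()
{
    HttpClientInitializer = credentials,
    ApplicationName = ApplicationName,
});

// List the messages in the impersonated mailbox
UsersResource.MessagesResource.ListRequest allMessages = service.Users.Messages.List("me");

IList<Message> messages = allMessages.Execute().Messages;
```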

Error:

An unhandled exception of type 'Google.Apis.Auth.OAuth2.Responses.TokenResponseException' occurred in Google.Apis.dll

Additional information: Error:"unauthorized_client", Description:"Unauthorized client or scope in request.", Uri:""

I can't see any reason why this doesn't work but after reading this, it seems you can't use service account credentials on a personal @gmail account. Does anybody know if this is true or what I'm doing wrong?

Any help is appreciated!

Update

If I change the Scope to GmailService.Scope.GmailReadonly, I can view the mail but am unable to modify the labels which is a requirement for me.

TomSelleck
  • You could try the broad scope `Scopes = new[] { "https://mail.google.com/" }`. – Tholle Aug 05 '15 at 15:35
  • No luck unfortunately, `https://www.googleapis.com/auth/gmail.readonly` works but not `https://mail.google.com/` – TomSelleck Aug 05 '15 at 16:00
  • 2
    If you want to use your personal account for a service account, then a better approach is to use 3-legged OAuth with offline access, because a service account cannot act on its own; while impersonating with a personal account, it will give an error, as only a domain admin can do so. – SGC Aug 05 '15 at 20:40
  • Thanks @SGC, is there any documentation supporting or explaining why this is the case? I think I will take a different approach such as [Imapx](https://imapx.codeplex.com/). Seems straightforward and less hassle. – TomSelleck Aug 06 '15 at 09:00
  • @Tom. Sorry, I could not find any documentation. – SGC Aug 07 '15 at 20:29
  • In my case the above code with GmailService.Scope.GmailReadonly throws the unauthorized_client error. Any idea? – Rahatur Feb 19 '16 at 01:18

1 Answer

0

A service account is a dummy user. It might have its own Gmail account, but I doubt it (I have also never tested it). For a service account to be able to access your data, it has to be given permission to access it.

Just like any other user, a service account isn't going to have access to your email because, as far as I know, there is no way to grant another person or service account access to a user's email.

Let's consider Google Calendar as an example. If I grant the service account email address access to a calendar on my account, it will be able to read from it. If I grant it access to a folder on my Google Drive, it will be able to read from that as well. Basically, you add the service account email as a user like you would any other user; if you can do that, then a service account can access the data.

This also doesn't work on Blogger and YouTube because you can't add an email address to give another user access to your account. As far as I know there is no way to grant another person or email access to read your Gmail. You will need to use OAuth2 and authenticate the user.

Linda Lawton - DaImTo
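
The user-consent OAuth 2.0 flow that the answer and SGC's comment point to, as an added example that is not part of the original thread or of Google's own code. It swaps the service account for a `UserCredential` and then changes labels under the `gmail.modify` scope. Assumptions: `credentials.json` is the client secrets file of a desktop-type OAuth client, and the `gmail-token-store` directory, the application name and the `is:unread` query are placeholders chosen for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Threading;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Gmail.v1;
using Google.Apis.Gmail.v1.Data;
using Google.Apis.Services;
using Google.Apis.Util.Store;

class GmailUserConsentExample
{
    static void Main()
    {
        UserCredential credential;
        // Assumption: credentials.json holds the OAuth client id and secret.
        using (var stream = new FileStream("credentials.json", FileMode.Open, FileAccess.Read))
        {
            credential = GoogleWebAuthorizationBroker.AuthorizeAsync(
                GoogleClientSecrets.FromStream(stream).Secrets,
                // gmail.modify allows reading and relabelling; it is narrower
                // than the full-access https://mail.google.com/ scope.
                new[] { GmailService.Scope.GmailModify },
                "user@gmail.com",            // key under which the token is cached
                CancellationToken.None,
                // This directory ends up holding the refresh token: restrict it
                // to the OS account that runs the service.
                new FileDataStore("gmail-token-store", true)).Result;
        }

        var service = new GmailService(new BaseClientService.Initializer
        {
            HttpClientInitializer = credential,
            ApplicationName = "gmail-label-example"   // placeholder name
        });

        var list = service.Users.Messages.List("me");
        list.Q = "is:unread";
        list.MaxResults = 10;
        // Messages is null when nothing matches the query.
        IList<Message> messages = list.Execute().Messages ?? new List<Message>();

        foreach (Message m in messages)
        {
            // Label change that fails under gmail.readonly: clear the UNREAD system label.
            var change = new ModifyMessageRequest { RemoveLabelIds = new List<string> { "UNREAD" } };
            service.Users.Messages.Modify(change, "me", m.Id).Execute();
            Console.WriteLine("Marked as read: " + m.Id);
        }
    }
}
```

The first run opens a browser so the mailbox owner can grant consent; later runs reuse the stored refresh token without interaction, so revoking the grant in the Google account's security settings is what cuts the service off.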