
I am trying to perform server-side OAuth so I can use a specific user account in my domain to send emails (hence using the Gmail API) via my application.

Mine is a purely server-side app and I cannot perform "user consent" via a UI.

I have created a project in Google App Engine and have obtained service account credentials (P12 key).

My code looks like this -

```java
GoogleCredential credential = new GoogleCredential.Builder()
  .setTransport(httpTransport)
  .setJsonFactory(JSON_FACTORY)
  .setServiceAccountId(googleEmailerServiceAccountId)
  .setServiceAccountPrivateKeyFromP12File(new File(googleEmailerServiceAccountPrivateKeyLocation))
  .setServiceAccountScopes(Collections.singleton(GmailScopes.GMAIL_COMPOSE))
  // Domain user the service account should impersonate
  .setServiceAccountUser("xxx@xxx.com")
  .build();
```

I have delegated domain wide access to the application (for GMAIL COMPOSE scope) via the admin console as per https://developers.google.com/identity/protocols/OAuth2ServiceAccount.

And I still get an Unauthorised 401 when I try to send emails from my app.

Since there is no explicit documentation for the Gmail API that says it allows domain wide delegation, I am guessing it is not allowed for Gmail.

Is there any way of achieving this programmatically?

Any idea would be much appreciated. Thanks!

Linda Lawton - DaImTo
  • Unless you can grant another user access to that gmail account I don't think you are going to get a service account to work with Gmail. – Linda Lawton - DaImTo Sep 30 '15 at 08:34
  • Thanks for the reply @DalmTo. But this link here [link](https://support.google.com/mail/answer/138350?hl=en) says both users will be listed in the emails that are sent out by the delegated user. This won't work for me. – Meghana Viswanath Sep 30 '15 at 08:49
  • What you can do is authenticate it once. Save the refresh token, then use that to access it. Service accounts have to be pre-authorized. I really don't think it will work with Gmail, but I don't have a domain account so can't test it myself. – Linda Lawton - DaImTo Sep 30 '15 at 08:50
  • Even to authenticate it once, I have to have a web app which I don't. I tried to re-use the refresh token from another client and that obviously didn't work. – Meghana Viswanath Sep 30 '15 at 08:53
  • Create a dummy application to just create a refresh token. As long as you use the same client id it will work. (I have done that before) – Linda Lawton - DaImTo Sep 30 '15 at 08:54
  • OK. That's a good idea. I'll try and update. Thanks! – Meghana Viswanath Sep 30 '15 at 08:55
  • http://www.daimto.com/google-3-legged-oauth2-flow/ might help – Linda Lawton - DaImTo Sep 30 '15 at 08:56
  • That's done it for me. Wish there was a fully programmatic way of achieving this. Thanks to you @DaImTo. If you add in your comment as an answer, I'll go and accept it. – Meghana Viswanath Sep 30 '15 at 14:16
  • The usual "fully programmatic" way is to use the Client Credentials OAuth2 grant type: https://tools.ietf.org/html/rfc6749#section-1.3.4. – Charlie Reitzel Dec 12 '19 at 23:36

1 Answer

As far as I know you can't use a service account with Gmail. Service accounts must be pre-authorized.

Authorizing Your App with Gmail

All requests to the Gmail API must be authorized by an authenticated user. Gmail uses the OAuth 2.0 protocol for authenticating a Google account and authorizing access to user data. You can also use Google+ Sign-in to provide a "sign-in with Google" authentication method for your app.

  1. Share a Google Drive folder with the service account. Add the service account email as a user on a Google Drive folder it has access
  2. Share a Google calendar with the service account, just like any other user.

Service accounts don't work on all Google APIs. To my knowledge you can't give another user access to your Gmail, so there will be no way to pre-authorize the service account.

Recommendation / work around / hack

Create a dummy app using the same client id, authenticate it, get the refresh token, then use the refresh token in your application.

Linda Lawton - DaImTo
  • I downvoted this answer because service account impersonation generally works for the Gmail API. There is a problem particular to the OP's case that has not been identified yet. – Brandon Jewett-Hall Oct 09 '15 at 22:00
  • Please post code for using a service account with Gmail. I have not seen this done, as there is no way to preauthenticate it. I would be very interested in seeing your working code. – Linda Lawton - DaImTo Oct 09 '15 at 22:25
  • If you consult the documentation you will not find any reference to using service accounts with Gmail. https://developers.google.com/gmail/api/auth/about-auth – Linda Lawton - DaImTo Oct 12 '15 at 07:05
  • There is a working example (C#) presented in the [answer](http://stackoverflow.com/a/24795241/3377170.) to "Can we access GMAIL API using Service Account?" Service account impersonation is a generic Google API feature and therefore is not specifically referenced in the Gmail API documentation. – Brandon Jewett-Hall Oct 13 '15 at 22:39
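
The workaround from the answer above (a refresh token obtained once by a consent app with the same client id, then reused by the server), sketched with the google-api-java-client classes the question already uses. This is an added example, not code from the original thread; the environment variable names, application name and sample message are assumptions.

```java
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.gmail.Gmail;
import com.google.api.services.gmail.model.Message;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class RefreshTokenMailer {
    private static final JsonFactory JSON_FACTORY = JacksonFactory.getDefaultInstance();

    // Secrets come from the environment (hypothetical variable names), never from source code.
    static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("Missing environment variable " + name);
        }
        return value;
    }

    public static void main(String[] args) throws Exception {
        HttpTransport httpTransport = GoogleNetHttpTransport.newTrustedTransport();

        // Must be the same client id/secret the one-time consent app used;
        // a refresh token issued to one client is rejected for any other.
        GoogleCredential credential = new GoogleCredential.Builder()
            .setTransport(httpTransport)
            .setJsonFactory(JSON_FACTORY)
            .setClientSecrets(requireEnv("GMAIL_CLIENT_ID"), requireEnv("GMAIL_CLIENT_SECRET"))
            .build()
            .setRefreshToken(requireEnv("GMAIL_REFRESH_TOKEN"));

        // Exchange the refresh token up front so a revoked or mismatched token
        // fails here (exception or false) rather than in the middle of a send.
        if (!credential.refreshToken()) {
            throw new IllegalStateException("Refresh token rejected; repeat the one-time consent");
        }

        Gmail gmail = new Gmail.Builder(httpTransport, JSON_FACTORY, credential)
            .setApplicationName("server-side-mailer") // hypothetical name
            .build();

        // Constructed sample message; the Gmail API takes RFC 2822 text, base64url-encoded.
        String mime = "To: recipient@example.com\r\nSubject: Test\r\n\r\nSent with a stored refresh token.\r\n";
        Message message = new Message()
            .setRaw(Base64.getUrlEncoder().encodeToString(mime.getBytes(StandardCharsets.UTF_8)));
        gmail.users().messages().send("me", message).execute(); // "me" = the consenting user
    }
}
```

The stored refresh token is a long-lived credential for the mailbox, so it needs the same handling as a password: restricted storage, no logging, and revocation when the server is decommissioned.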