
I want to read emails of a @gmail.com email account. I've gone through the guides and code samples and I keep getting the "Client is unauthorized to retrieve access tokens using this method" error message. I can access the data using the OAuth2 3-legged method.

I also have a G-Suite admin and G-Suite organisation domain and emails. With these emails, the code works and I can retrieve the emails.

So, why can't I make it run for my personal gmail account (Non G-Suite)? Do I have to somehow authorize this service account in my gmail account? I haven't seen anything about it.

Please advise!

Thanks.

abielita
eddr
  • Are you trying to get the emails of a @gmail.com email account, the same way as you get the mails of your domain? If so, you cannot have a delegation on gmail.com – Adrien QUINT Sep 11 '17 at 09:10
  • I don't understand the question. The regular gmail account service account has no delegation – eddr Sep 11 '17 at 09:52
  • In other words - can the service account work for a non G-Suite gmail account? If so, do I need to authorize it somehow via my gmail account? – eddr Sep 11 '17 at 10:27

2 Answers


The short answer: No, you cannot use a service account with a classic Gmail account. Use an OAuth ID instead.

The fact that you were talking about a service account made me think about a misunderstanding of the differences between a managed account and a Gmail account, concerning the APIs.

Indeed, with a domain-managed Google account, you have the possibility to use a service account. You will create a project, an ID, and you will allow a domain-wide delegation (DwD) for this service account, to your domain, with no restrictions except the APIs it will be able to use.

In the case of a Gmail account, this is far different, as you cannot have a DwD on gmail.com (or maybe you are the CIA...)

The best option here is to use an OAuth ID. It's an authentication that depends on the consent of the concerned user.

You can read about this here

The approach is slightly different but the result will be the same, as the user can give consent ad vitam aeternam.

Adrien QUINT
  • Thanks! (1) The OAuth2 approach is working for me, as I vaguely said in the original post. (2) How come I can give my "pre-consent" it? It's my gmail and my service account. Isn't it a bit strange? And why is it not mentioned in the docs? – eddr Sep 11 '17 at 12:34
  • I don't understand what you find strange. But you should have a look here: https://community.alteryx.com/t5/Alteryx-Knowledge-Base/How-to-Create-Google-API-Credentials/ta-p/11834 – Adrien QUINT Sep 11 '17 at 13:43
  • What I find strange is that I'm not authorized to access my own gmail account without this consent window. I'm using the same account to create the service account, and I have access to my own gmail, so I can verify it - why wouldn't I have the ability to read my own emails? – eddr Sep 11 '17 at 14:13
  • I understand what you mean. And I partially agree with that. But you need to think in a project way. You don't create an ID with your Google account, but with your project! Imagine you share the project with me and then I create an ID in this project. Should I have access to your mails without your consent? This way, the user allows the application once to access his emails and then you would be able to read them without any more permission! – Adrien QUINT Sep 11 '17 at 14:20
  • Of course, but an administrator has to allow the full privileges on his domain to your application! Up to him to control this critical breach – Adrien QUINT Sep 11 '17 at 15:27
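
An added example, not code from the original posts: it contrasts the two requests discussed in the answer above, the service-account JWT claim set whose `sub` claim asks to impersonate a mailbox (accepted only where a domain admin granted domain-wide delegation) and the consent URL of the 3-legged flow that a gmail.com mailbox requires. The `delegated_domains` set, the function names and all sample addresses and client IDs are assumptions constructed for illustration.

```python
import secrets
import time
from urllib.parse import urlencode

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
GMAIL_READONLY = "https://www.googleapis.com/auth/gmail.readonly"


def delegation_claims(sa_email, user_email, scopes, now=None):
    """Claim set a service account signs; "sub" is the impersonation request."""
    now = int(time.time()) if now is None else now
    return {"iss": sa_email, "sub": user_email, "scope": " ".join(scopes),
            "aud": TOKEN_ENDPOINT, "iat": now, "exp": now + 3600}


def consent_url(client_id, redirect_uri, scopes):
    """Authorization URL for the 3-legged flow; returns (url, state)."""
    state = secrets.token_urlsafe(16)  # anti-CSRF value, compare on callback
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": " ".join(scopes),
              "access_type": "offline",  # refresh token: consent is given once
              "prompt": "consent", "state": state}
    return AUTH_ENDPOINT + "?" + urlencode(params), state


def plan_access(user_email, delegated_domains, sa_email, client_id, redirect_uri):
    """Delegation for domains an admin authorized, user consent for the rest."""
    domain = user_email.rsplit("@", 1)[-1].lower()
    scopes = [GMAIL_READONLY]  # least privilege: read-only mailbox access
    if domain in delegated_domains:  # hypothetical operator-maintained set
        return {"flow": "service_account",
                "claims": delegation_claims(sa_email, user_email, scopes)}
    url, state = consent_url(client_id, redirect_uri, scopes)
    return {"flow": "user_consent", "url": url, "state": state}


if __name__ == "__main__":
    # Constructed sample values, not real accounts or credentials.
    for mailbox in ("alice@example.com", "someone@gmail.com"):
        plan = plan_access(mailbox, {"example.com"},
                           "reader@demo-project.iam.gserviceaccount.com",
                           "demo-client-id.apps.googleusercontent.com",
                           "http://127.0.0.1:8080/callback")
        print(mailbox, "->", plan["flow"])
```
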

Do I have to somehow authorize this service account in my gmail account?

Yes. Based on this documentation, if your application runs in a Google Apps domain and accesses user data, the service account that you created needs to be granted access to the user data that you want to access. Please follow through the given documentation for the steps that must be performed by an administrator of the Google Apps domain.

You have encountered the "Client is unauthorized to retrieve access tokens using this method" error because the service account needs to be authorized or it can't access the emails for the domain. See this link.

abielita
  • This is not a Google Apps domain ("G-Suite"). For a non G-Suite domain, there are no instructions – eddr Sep 11 '17 at 16:15