Server-side OAuth for user impersonation via GMail API

1
votes

I am trying to perform server-side OAuth so I can use a specific user account in my domain to send emails (hence using GMail API) via my application.

Mine is a purely server-side app and I cannot perform "user consent" via a UI.

I have created a project in Google App Engine and have obtained service account credentials (P12 key).

My code looks like this -

new GoogleCredential.Builder()
  .setTransport(httpTransport)
  .setJsonFactory(JSON_FACTORY)
  .setServiceAccountId(googleEmailerServiceAccountId)
  .setServiceAccountPrivateKeyFromP12File(new File(googleEmailerServiceAccountPrivateKeyLocation)).setServiceAccountScopes(Collections.singleton(GmailScopes.GMAIL_COMPOSE))
  .setServiceAccountUser("[email protected]")
  .build()

I have delegated domain wide access to the application (for GMAIL COMPOSE scope) via the admin console as per https://developers.google.com/identity/protocols/OAuth2ServiceAccount.

And I still get an Unauthorised 401 when I try to send emails from my app.

Since there is no explicit documentation for the Gmail API that says it allows domain wide delegation, I am guessing it is not allowed for Gmail.

Is there any way of achieving this programatically?

Any idea would be much appreciated. Thanks!

1
gmail-apiservice-accounts
Unless you can grant another user access to that gmail account I don't think you are going to get a service account to work with Gmail. - DaImTo
Thanks for the reply @DalmTo. But this link here link says both users will be listed in the emails that are sent out by the delegated user. This won't work for me. - Meghana Viswanath
What you can do is authenticate it once. Save the refresh token then use that to access it. Service accounts have to be pre-authorized I really don't think it will work with Gmail but I don't have a domain account so cant test it myself. - DaImTo
Even to authenticate it once, I have to have a web app which I don't. I tried to re-use the refresh token from another client and that obviously didn't work. - Meghana Viswanath
create a dummy application to just create a refresh token. As long as you use the same client id it will work. (I have done that before) - DaImTo

1 Answers

0
votes

As far as I know you cant use a service account with Gmail. Service accounts must be pre authorized.

Authorizing Your App with Gmail

All requests to the Gmail API must be authorized by an authenticated user. Gmail uses the OAuth 2.0 protocol for authenticating a Google account and authorizing access to user data. You can also use Google+ Sign-in to provide a "sign-in with Google" authentication method for your app.

  1. Share a Google drive folder with the Service account. Add the service account email as a user on a google drive folder it has access
  2. Share a Google calendar with the service account, just like any other user.

Service accounts don't work on all Google APIs. To my knowledge you cant give another user access to your Gmail so there will be now to pre authorize the service account.

Recommendation / work around / hack

Create a dummy app using the same client id, authenticate it get the refresh token then use the refresh token in your application.