2
votes

I have a web application that currently sends automated password reset emails from a "no-reply" style email address in a gsuite domain. It currently works with simply a username and password over SMTP (with TLS), however, to get that working the GSuite Admin (who is not me) had to enable LSAs.

As I'm sure most are aware, Google is phasing that out over the next year, so going forward I'll have to use OAuth2 with the Gmail API (I think). I'm pretty new to this, so forgive my ignorance, but while I have successfully figured out how to send emails on behalf of a user (whereby the user needs to grant authorization to do so), I haven't figured out how to send emails on behalf of an automated account where there won't be someone to grant that authorization each time.

Based on my reading, it sounds like this needs to be set up as a service account with "domain wide delegation" granted by the GSuite Admin. However, if my understanding is correct, this would grant that service account access to send emails on behalf of ALL users in that domain, and not just the single email account I'd like to use. Is that correct? Is there a way to limit the access to individual accounts? (I suspect the admin will be nervous about doing that). Or am I completely on the wrong page as to how to proceed here?

Not sure if it really matters, but my current solution is implemented in PHP.

Any advice would be appreciated,

Thanks

1 Answer

1
votes

I will give you some good news and some not so good.

1) Good news

The good news is you are on the right page about all the research you have made about service accounts, and yes, you have to set domain wide delegation because the service account is a bot, which needs to impersonate a real person in order to send emails on his/her behalf.

2) Bad news

The bad news is for the moment you can't restrict the users you would like to impersonate in your domain using the domain wide delegation. You would have to apply your own logic in your backend, which would do some kind of security process before the service account would impersonate that user. Let's hope Google in the future can add the feature of restricting certain users in a domain.

Additional info

Just in case you still don't know how to impersonate a user with a service account using PHP, here is a small example:

<?php
// Composer autoloader for google/apiclient
require_once __DIR__ . '/vendor/autoload.php';

// Path to the service account json file
putenv('GOOGLE_APPLICATION_CREDENTIALS=/path/to/service_account.json');

// User to impersonate
$user = "email@domain";

$client = new Google_Client();
$client->useApplicationDefaultCredentials();
$client->setApplicationName("My app name");
$client->setScopes(Google_Service_Gmail::MAIL_GOOGLE_COM);
$client->setSubject($user); // Set the user to impersonate

// Construct the service object.
$service = new Google_Service_Gmail($client);
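The answer says the backend has to apply its own check before the service account impersonates anyone, because the delegation grant itself covers the whole domain. The following is an added example of such a check (not code from the original answer), written for the same google/apiclient library: a fail-closed allowlist of permitted sender mailboxes, the narrower gmail.send scope instead of full mailbox access, and a guard against header injection in the outgoing message. The credentials path and the no-reply address are assumed placeholder values.

```php
<?php
// Added example (not from the original answer): a backend allowlist check run
// before impersonation, since domain-wide delegation cannot be narrowed to one mailbox.
require_once __DIR__ . '/vendor/autoload.php';

// Assumed: the only mailbox this service may act as (hypothetical value).
const ALLOWED_SENDERS = ['no-reply@example.com'];

// True only for an exact, case-insensitive allowlist match; fails closed.
function isAllowedSender(string $subject): bool
{
    $normalized = strtolower(trim($subject));
    foreach (ALLOWED_SENDERS as $allowed) {
        if (hash_equals(strtolower($allowed), $normalized)) {
            return true;
        }
    }
    return false;
}

// Builds a Gmail client impersonating $subject, refusing any other account.
function gmailClientFor(string $subject): Google_Service_Gmail
{
    if (!isAllowedSender($subject)) {
        error_log("Refused impersonation of: $subject"); // audit trail
        throw new RuntimeException('Impersonation of this account is not permitted.');
    }
    putenv('GOOGLE_APPLICATION_CREDENTIALS=/path/to/service_account.json'); // assumed path
    $client = new Google_Client();
    $client->useApplicationDefaultCredentials();
    $client->setApplicationName('Password reset mailer');
    // Least privilege: request gmail.send only, not full mailbox access.
    $client->setScopes([Google_Service_Gmail::GMAIL_SEND]);
    $client->setSubject($subject);
    return new Google_Service_Gmail($client);
}

// Sends a plain-text message and returns the Gmail message id.
function sendPlainText(string $from, string $to, string $subject, string $body): string
{
    if (preg_match('/[\r\n]/', $to . $subject)) {
        throw new InvalidArgumentException('Header injection attempt rejected.');
    }
    $service = gmailClientFor($from);
    $mime = "From: $from\r\nTo: $to\r\nSubject: $subject\r\n"
          . "Content-Type: text/plain; charset=utf-8\r\n\r\n$body";
    $message = new Google_Service_Gmail_Message();
    $message->setRaw(rtrim(strtr(base64_encode($mime), '+/', '-_'), '=')); // base64url
    return $service->users_messages->send('me', $message)->getId();
}
```

The admin's domain-wide delegation entry for the service account's client ID must list the same gmail.send scope, otherwise the token request fails.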