We are using UserService with OpenId to send emails on behalf of the logged in user.
As we want to move to OAuth2/OpenID Connect for login to comply with the new marketplace guideline I'd like to know if it is possible to use App Engine's MailService with OAuth2 / service accounts to be able to send emails on behalf of the user.
I know that it is possible to send emails using the old GMail API, but then we are stuck with the daily GMail limits which are far too low for our usecase.
You can use the current GMail api via OAuth 2 and you can impersonate users with Service Accounts. There isn't a specific example for Gmail + Service accounts but Drive has good documentation that you should be able to extrapolate. If the quota limits are unmanageable, than you'll need to evaluate IMAP if you want a Google-powered solution.
Related
I am successfully able to read my inbox content using Gmail API with desktop application.
But when I am trying to read other person gmail inbox, I am getting Delegation denied exception?
So my question here, will Gmail Api allow the applications to access other persons inbox or only the person who credentials are being used in generating Client_secret file??
Yes, it is possible to access others Gmail inbox. To access Gmail mailboxes, use Gmail API. Gmail API gives you flexible, RESTful acess to the user's inbox with a natural interface to Threads, Messages and History.
All you need to use the Gmail API is the client library for your choice of language and an app that can authenticate as a Gmail user. All requests to the Gmail API must be authorized by an authenticated user. You should use server-side flow when your application needs to access Google APIs on behalf of the user.
Here's a documentation how to implement Server-Side Authorization: https://developers.google.com/gmail/api/auth/web-server
This may be due to regulatory restrictions, I'm not sure why but it turns out that Google has not yet built any back-end support options for tracing Gmail messages within the Google Workspace administrator console
If your organization needs access to another user's Gmail account or tracks Gmail messages, I Highly Recommend using the Gmail Reader, it's a verified Google Workspace plugin, with a very user-friendly interface and a quick safe installation process directly from your Google Workspace Marketplace administrator console.
see the EZ Gmail Reader at Google Workspace Marketplace
I am trying to perform server-side OAuth so I can use a specific user account in my domain to send emails (hence using GMail API) via my application.
Mine is a purely server-side app and I cannot perform "user consent" via a UI.
I have created a project in Google App Engine and have obtained service account credentials (P12 key).
My code looks like this -
new GoogleCredential.Builder()
.setTransport(httpTransport)
.setJsonFactory(JSON_FACTORY)
.setServiceAccountId(googleEmailerServiceAccountId)
.setServiceAccountPrivateKeyFromP12File(new File(googleEmailerServiceAccountPrivateKeyLocation)).setServiceAccountScopes(Collections.singleton(GmailScopes.GMAIL_COMPOSE))
.setServiceAccountUser("xxx#xxx.com")
.build()
I have delegated domain wide access to the application (for GMAIL COMPOSE scope) via the admin console as per https://developers.google.com/identity/protocols/OAuth2ServiceAccount.
And I still get an Unauthorised 401 when I try to send emails from my app.
Since there is no explicit documentation for the Gmail API that says it allows domain wide delegation, I am guessing it is not allowed for Gmail.
Is there any way of achieving this programatically?
Any idea would be much appreciated.
Thanks!
As far as I know you cant use a service account with Gmail. Service accounts must be pre authorized.
Authorizing Your App with Gmail
All requests to the Gmail API must be authorized by an authenticated
user. Gmail uses the OAuth 2.0 protocol for authenticating a Google
account and authorizing access to user data. You can also use Google+
Sign-in to provide a "sign-in with Google" authentication method for
your app.
Share a Google drive folder with the Service account. Add the service account email as a user on a google drive folder it has access
Share a Google calendar with the service account, just like any other user.
Service accounts don't work on all Google APIs. To my knowledge you cant give another user access to your Gmail so there will be now to pre authorize the service account.
Recommendation / work around / hack
Create a dummy app using the same client id, authenticate it get the refresh token then use the refresh token in your application.
I am the admin of a Google domain and I need to he able to read users emails in my php app. How is this possible? I have tried to use IMAP but it won't even connect. Is there something special that apps have to do?
Here is a list of all the ways to read a user's Gmail mailbox, outside of App Engine :
IMAP, as you said. Provided it is enabled on your domain. Most of our customers disable it for security reasons (no audit trace of the connections).
Apps Script, but it requires the user's consent, even if you're an admin
The Email Audit API, but an Email extraction takes approximately 2 weeks (no kidding)
If IMAP is enabled on your domain, then it's the best choice. However, by default GAE does not allow outgoing connections apart from HTTP requests. The workaround for this limitation is the Sockets API, currently in preview. You can check it out here.
Note that you will also need to use an OAuth2 service account (domain-wide delegation) and IMAP-XOAuth2 to authenticate with the IMAP protocol.
Is it possible to limit my endpoints api to my organization's Google accounts?
P.D.
I do not have access to the Administrator account.
Thanks
You could protect your API method by injecting the User object. Now, when the API Method is invoked, you can check for the User object and get the Email Addresses and Authenticating Domain to perform your check and move ahead in your API Method.
The company I work in has Google Apps for business account and I want to create this pet project (guided by HR) in which I need to fetch all the emails and calendars of everyone in this company to do some analysis. I am not bothered with the content of the email I just need the sender's and reciever's info. Is there an API for that?
(assume I will have admin access to the account).
Gmail IMAP and Google Calendar both support OAuth 2.0 authentication with a service account allowing you to authenticate as your end users to get/set/modify their data:
Gmail OAuth 2.0 Authentication
OAuth 2.0 Service Accounts
Google Calendar v3
Google Drive Domain-wide Delegation of Authority (process is identical for Calendar v3 API all the way up to the point of building the service)