GMail create forwarding Address another domain-wide-delegation issue - PHP

I need my customers to forward me the emails received on their Gmail account from certain email addresses.
To avoid them having to set up these rules manually, I was wondering whether to use the Gmail APIs to create a flow where the user just selects their Gmail account and delegates us to set up the forwarding filter.
This works well; I can create/delete/list filters.
The problem arises when the forwarding email address is not already set, i.e. always:
To set up a forwarding address, domain-wide delegation is required, and here my problems start:
First of all, it is the meaning of domain-wide delegation that makes me wonder:
the domain would be gmail.com and clearly I'm not an admin of that domain.
Does that mean that what I'm trying to achieve is not possible?
Furthermore, I have another issue:
I created a Service Account and I have the
Email,
Key ID,
Client ID,
service_account.json file with the private key,
and Domain Wide Delegation is set as Enabled,
but I have not understood how to change the original routine so that it uses the Service Account instead of OAuth 2.0.
I can imagine I have to change from using OAuth 2.0 Client IDs to a service account.
Can someone explain how to use a service account instead of OAuth?

Related

How to send emails from machine account using Gmail API / OAuth2

I have a web application that currently sends automated password reset emails from a "no-reply" style email address in a gsuite domain. It currently works with simply a username and password over SMTP (with TLS), however, to get that working the GSuite Admin (who is not me) had to enable LSAs.
As I'm sure most are aware, Google is phasing that out over the next year, so going forward I'll have to use OAuth2 with the Gmail API (I think). I'm pretty new to this, so forgive my ignorance, but while I have successfully figured out how to send emails on behalf of a user (whereby the user needs to grant authorization to do so), I haven't figured out how to send emails on behalf of an automated account where there won't be someone to grant that authorization each time.
Based on my reading, it sounds like this needs to be set up as a service account with "domain wide delegation" granted by the GSuite Admin. However, if my understanding is correct, this would grant that service account access to send emails on behalf of ALL users in that domain, and not just the single email account I'd like to use. Is that correct? Is there a way to limit the access to individual accounts? (I suspect the admin will be nervous about doing that). Or am I completely on the wrong page as to how to proceed here?
Not sure if it really matters, but my current solution is implemented in PHP.
Any advice would be appreciated,
Thanks
I will give you some good news and some not so good.
1) Good news
The good news is you are on the right page about all the research you have made about service accounts, and yes, you have to set domain-wide delegation because the service account is a bot, which needs to impersonate a real person in order to send emails on his/her behalf.
2) Bad news
The bad news is that for the moment you can't restrict the users you would like to impersonate in your domain using domain-wide delegation. You would have to apply your own logic in your backend, which would do some kind of security process before the service account impersonates that user. Let's hope Google in the future can add the feature of restricting certain users in a domain.
Additional info
Just in case you still don't know how to impersonate a user with a service account using PHP, here is a small example:
// Composer autoloader for the google/apiclient package
require_once __DIR__ . '/vendor/autoload.php';

// Path to the service account json file
putenv('GOOGLE_APPLICATION_CREDENTIALS=/path/to/service_account.json');

// User to impersonate (a mailbox in the domain that delegated authority)
$user = "email@domain";

$client = new Google_Client();
$client->useApplicationDefaultCredentials(); // picks up GOOGLE_APPLICATION_CREDENTIALS
$client->setApplicationName("My app name");
$client->setScopes(Google_Service_Gmail::MAIL_GOOGLE_COM);
$client->setSubject($user); // Set the user to impersonate

// Construct the service object.
$service = new Google_Service_Gmail($client);

automatically create an email address for my domain name

I want to create a website which will automatically create an email address for my domain name whenever my visitor opts for my product. I had tried doing it manually but it is TDS work, so I want to automate the same.
For example:
adam123 signs up to my member's site.
The website should run a script where the email address is created automatically.
Email to adam123@my-domain.com goes to John's email address, adam123@hotmail.com, and to mymail@my-domain.com.
To create an email address and a forwarder you need to have access to the underlying administrator API of your email environment. Depending on your hoster this might not be possible, and there might be legal or security reasons why this isn't possible. Additionally, you might need a special API to control the underlying email environment, and there is no general one. As you didn't specify which email environment you are using, it's not really possible to provide you with something.
So, for example, if your server is running Plesk you might wish to try the Plesk API and the manage-email API from it.

Setting up forwarding address for all users using GMail API (PHP)

I'm working with the Gmail API for an internal application. I need to set email forwarding for both incoming and outgoing emails for all the users using the admin account. I'm using the Google PHP API client library in Yii.
I'm following this article.
https://developers.google.com/identity/protocols/OAuth2ServiceAccount
Following is what I'm trying to do.
define('JSON_FILE', '/path/to/json/file'); // service account key file
$user_to_impersonate = '<My domain wide authorized admin email address>';
$scopes = [\Google_Service_Gmail::GMAIL_SETTINGS_SHARING, \Google_Service_Gmail::MAIL_GOOGLE_COM];
$google_client = new \Google_Client();
$google_client->setAuthConfig(JSON_FILE); // load the service account credentials defined above
$google_client->setScopes($scopes);
$google_client->setSubject($user_to_impersonate); // user to impersonate via domain-wide delegation
$google_client->setIncludeGrantedScopes(true);
// setup the forwarding address
$service = new \Google_Service_Gmail($google_client);
$f = new \Google_Service_Gmail_AutoForwarding();
$f->setEnabled(TRUE);
$f->setEmailAddress('<my forwarding email address>');
$f->setDisposition("leaveInInbox"); // keep a copy of forwarded mail in the inbox
$service->users_settings->updateAutoForwarding('me', $f);
I get the following error,
Unrecognized forwarding address
I know that something is not correct :). Can someone please let me know your expert response to fix this and get this working? I feel that I'm trying to set the forwarding for the email address I'm using but not for all the users. But I want to set the same forwarding address for all the email accounts in the organisation's Gmail.
Thanks in advance!
You get this error, failedPrecondition: Unrecognized forwarding address, because you have not yet created a verified forwarding address. You need to create a forwarding address first using this API. Then your user needs to verify that email address before you can forward any emails to it.
The problem with this approach is that you need the authorization scope gmail.settings.sharing in order to do it, which in turn needs Domain-wide Delegation of Authority. See how to set it up here. If you do not set up this delegation you will get this error when trying to create a forwarding address: forbidden: Access restricted to service accounts that have been delegated domain-wide authority.
So you need to perform 2 steps:
1. Set up domain-wide delegation of authority
2. Create a forwarding address (via API) before using it
Hope this helps.
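The two steps above, carried through as an added example in PHP (this is not code from either answer or from Google's client library documentation). It assumes the google/apiclient Composer package, a service account key file at a placeholder path, a Workspace domain whose admin has granted that service account domain-wide delegation for the gmail.settings.basic and gmail.settings.sharing scopes, and constructed placeholder mailbox and forwarding addresses. It registers the forwarding address for an impersonated user, checks its verificationStatus, and only then enables auto-forwarding, which is what avoids the "Unrecognized forwarding address" error from the question. Requesting only the two settings scopes, rather than the full mail.google.com scope, keeps the delegated grant as narrow as the task needs.

```php
<?php
// Added example: create a forwarding address, wait for it to be verified, then
// enable auto-forwarding for one impersonated user via domain-wide delegation.
// SERVICE_ACCOUNT_JSON, FORWARD_TO and the $users list are placeholders.
require_once __DIR__ . '/vendor/autoload.php';

const SERVICE_ACCOUNT_JSON = '/path/to/service_account.json'; // placeholder
const FORWARD_TO           = 'inbox@example.com';               // placeholder

/**
 * Build a Gmail service that acts as $userEmail through domain-wide delegation.
 * Only the settings scopes are requested; gmail.settings.sharing is the one the
 * forwarding-address methods require.
 */
function gmailServiceFor(string $userEmail): Google_Service_Gmail
{
    $client = new Google_Client();
    $client->setAuthConfig(SERVICE_ACCOUNT_JSON);
    $client->setScopes([
        Google_Service_Gmail::GMAIL_SETTINGS_BASIC,
        Google_Service_Gmail::GMAIL_SETTINGS_SHARING,
    ]);
    $client->setSubject($userEmail); // the mailbox being configured
    return new Google_Service_Gmail($client);
}

/**
 * Step 2 of the answer: register the forwarding address for the user, or reuse it
 * if it is already listed. Returns its verificationStatus ("accepted" or "pending").
 */
function ensureForwardingAddress(Google_Service_Gmail $service, string $address): string
{
    $existing = $service->users_settings_forwardingAddresses
        ->listUsersSettingsForwardingAddresses('me');
    foreach ($existing->getForwardingAddresses() ?? [] as $fa) {
        if (strcasecmp($fa->getForwardingEmail(), $address) === 0) {
            return $fa->getVerificationStatus();
        }
    }
    $fa = new Google_Service_Gmail_ForwardingAddress();
    $fa->setForwardingEmail($address);
    // For an address outside the domain Gmail emails a verification link to it;
    // the status stays "pending" until the recipient confirms.
    $created = $service->users_settings_forwardingAddresses->create('me', $fa);
    return $created->getVerificationStatus();
}

/**
 * Turn on auto-forwarding to $address, but only once it has been accepted.
 * Calling updateAutoForwarding before that reproduces the failedPrecondition
 * "Unrecognized forwarding address" error from the question.
 */
function enableAutoForwarding(Google_Service_Gmail $service, string $address): bool
{
    if (ensureForwardingAddress($service, $address) !== 'accepted') {
        return false; // not verified yet; run again after the recipient confirms
    }
    $af = new Google_Service_Gmail_AutoForwarding();
    $af->setEnabled(true);
    $af->setEmailAddress($address);
    $af->setDisposition('leaveInInbox'); // keep a copy in the user's inbox
    $service->users_settings->updateAutoForwarding('me', $af);
    return true;
}

// Run for each user that should forward. The list would normally come from the
// Directory API or your own database; this one is a constructed sample.
$users = ['alice@example.com', 'bob@example.com'];
foreach ($users as $user) {
    $done = enableAutoForwarding(gmailServiceFor($user), FORWARD_TO);
    printf("%s: %s\n", $user, $done ? 'forwarding enabled' : 'address pending verification');
}
```

Because the verification step depends on a human clicking the link, the script is written to be re-run: the first pass creates the address and reports it as pending, a later pass finds it already accepted and enables forwarding. Each call to gmailServiceFor impersonates a different mailbox, so the same two-step logic covers every user in the list.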
It may just be a formatting error, but please remove the "\" characters, as they may contribute to the error you're encountering.
If you want to forward emails to and from the admin account to a list of users (all), you can use the ForwardingAddresses API for that.
Do note that messages can only be forwarded to registered and verified email addresses. This may be the reason why you're getting the error. Create a forwardingAddress before you call updateAutoForwarding, and hopefully it will work out right.
Happy coding!

Getting Email Addresses via Social Login Methods

Correct me if I'm wrong:
With respect to a user's email address associated with their account...
You can ask for and receive email addresses from openID providers (i.e. Google, Yahoo!, AOL, etc.).
You cannot obtain email addresses from OAuth providers (i.e. Twitter, LinkedIn, etc.).
You can receive email addresses from Facebook via OAuth.
If I am wrong and there is a way to obtain email address via OAuth, please describe an easy method.
Well, what you have described is almost right. It depends upon what you want: both protocols, OAuth and OpenID, provide a way to authenticate, but OAuth provides fine-grained control.
Basically you can get the email address from Google/Yahoo/Windows Live using OAuth, and as per your analysis both the Twitter and LinkedIn models do not have the option to give back the email associated with the user.
But you need to have a clear understanding of what is different between the two, as that will make clear what is provided by each.
Both work in the domain of security, identity, and authorization.
Both work on the principle of decentralization.
With OpenID, there is no suggestion of two web apps sharing your data, except in the very limited sense that the OpenID provider may hold some general information about you, but this is generic data.
OAuth lets you authorise one website, the consumer, to access your data from another website.
In short, OpenID is coarse-grained while OAuth is more fine-grained. OAuth provides a level of security by asking the user to grant access to their data to the party who is requesting it, and then it is in the hands of the user to allow or deny, while with OpenID generic data will be available.
So the choice is all yours.

Validating Users Authenticated with Oauth

I've got Oauth support in place for an app I'm working on. What I'm trying to work through is the logic for associating Oauth accounts.
Example:
Let's say a user has logged in before. They authenticated using Facebook. I now have an email address which I can safely assume will always be unique to that user. However, Twitter does not provide email addresses through its OAuth implementation, so if someone signs in with Twitter, and then Facebook, how do I correctly associate their account? I can't use user name or handle, because obviously that could vary per provider. Is there any other way I could do this?
Do I require the user to enter their email address if they use an OAuth provider which omits it? I'm trying to put together the best user experience and the most stable system, so your help is highly appreciated.
If you're looking at working with multiple identity providers then your best solution would be to use an internal ID unique to your system and then associate the external accounts with that ID when the external authentication takes place. Additionally, users in FB can change their primary email address, so while it would be safe to assume it's unique, it's probably not safe to assume that it's current.
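The account-linking design the answer describes, as an added PHP example that is not part of the original answer. It keys every external identity on the pair (provider, provider-issued subject ID) and maps it to an internal user ID; the email address reported by a provider is stored as profile data only and never used to match accounts, since, as the answer notes, a provider may omit it or the user may change it. The in-memory IdentityStore class, its method names and the sample identities are all constructed for illustration; the linkProvider method goes one step beyond the answer by showing how a second provider gets attached from an already authenticated session, which is what lets a Twitter login without an email land on the same internal user as a Facebook login.

```php
<?php
// Added example: link OAuth identities to one internal user ID by
// (provider, subject), never by email or handle. Storage is an in-memory
// array here; a real application would use a database with a unique index
// on the provider/subject pair.

final class IdentityStore
{
    private int $nextUserId = 1;
    /** @var array<int, array{email: ?string}> internal users keyed by internal ID */
    private array $users = [];
    /** @var array<string, int> "provider:subject" => internal user ID */
    private array $links = [];

    private static function key(string $provider, string $subject): string
    {
        return strtolower($provider) . ':' . $subject;
    }

    /** Internal user ID already linked to this external identity, or null. */
    public function findUser(string $provider, string $subject): ?int
    {
        return $this->links[self::key($provider, $subject)] ?? null;
    }

    /**
     * Called after a successful OAuth callback. If the external identity is
     * known, return its user; otherwise create a new user. The provider's email,
     * when present, is kept as profile data but is not used for matching.
     */
    public function signIn(string $provider, string $subject, ?string $email = null): int
    {
        $userId = $this->findUser($provider, $subject);
        if ($userId === null) {
            $userId = $this->nextUserId++;
            $this->users[$userId] = ['email' => $email];
            $this->links[self::key($provider, $subject)] = $userId;
        } elseif ($email !== null) {
            $this->users[$userId]['email'] = $email; // refresh; it may have changed
        }
        return $userId;
    }

    /**
     * Attach another provider to the account the user is currently logged in to.
     * Refuses to steal an identity that is already linked to a different user.
     */
    public function linkProvider(int $currentUserId, string $provider, string $subject): void
    {
        $k = self::key($provider, $subject);
        if (isset($this->links[$k]) && $this->links[$k] !== $currentUserId) {
            throw new RuntimeException("$provider identity already belongs to another user");
        }
        $this->links[$k] = $currentUserId;
    }

    public function emailOf(int $userId): ?string
    {
        return $this->users[$userId]['email'] ?? null;
    }
}

// Constructed walk-through with made-up provider subject IDs.
$store = new IdentityStore();
$uid = $store->signIn('facebook', 'fb-10001', 'alice@example.com');  // first visit
$store->linkProvider($uid, 'twitter', 'tw-777');                     // done while logged in
assert($store->signIn('twitter', 'tw-777') === $uid);                // same account next time
assert($store->signIn('facebook', 'fb-20002', 'alice@example.com') !== $uid); // same email, different user
$store->signIn('facebook', 'fb-10001', 'alice.new@example.com');     // email changed at the provider
assert($store->emailOf($uid) === 'alice.new@example.com');
```

The last two lines show why email is treated as data rather than as a key: a second Facebook subject presenting the same address is a different account, and the stored address for an existing user is simply refreshed when the provider reports a new one.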
