Directory API / Gmail API - google-api

is there any way to manage gmail user settings (https://developers.google.com/gmail/api/quickstart/python) for all userids within a gsuite domain? The boilerplate works great for userid 'me' but I would like to to do it my whole list of gmail accounts.
I tried to enable delegation from directory API (https://developers.google.com/admin-sdk/directory/v1/guides/delegation) but how do I link the right with the gmail API ?
Do I still have to go throught restricted oauth2 so I cannot do it without the users consent?

I found my solution it is called GAM which is a great helper tool to set your directory API keys and provides cli to manage the gmail settings of the users
https://github.com/jay0lee/GAM/wiki/ExamplesEmailSettings#retrieving-a-signature

Related

Google workplace: activate gmail via API

I need to automate some flow on google workspace, now I'm stuck at Activating Gmail via API, I couldn't find any resource or example anywhere.
Appreciate for any help pointing out the reference or answer.
Update:
So I have google workspace and I am working on automate user and their gmail account. From the screenshot I can simply click on "Activate Gmail" and it will check against my MX records and have it activated, but I'm looking for a solution where I can do it from google API using Ruby.
For this one, you will most likely make use of Directory API's users.update instead of Gmail API. Gmail API only enables you to access gmail settings and the emails, not the user settings.
Sadly, I haven't found any fields dedicated for activating/enabling Gmail. The closest thing I found was isMailboxSetup, but it only identifies if the user have its Gmail activated.
Indicates if the user's Google mailbox is created. This property is only applicable if the user has been assigned a Gmail license.
Given the circumstances above, you might need to do it manually. For more info regarding the subject, visit the reference below.
Reference:
Admin SDK: Directory API

send emails from MY gmail account with OAuth2 and nodemailer

I want to send emails from my gmail address through my own server. I'm using nodemailer and using account credentials is flaky, and often times doesn't work and leads to this thread
I've implemented everything on that thread many times, and still it's flaky, and also I know OAuth2 is the way to go.
I have a project with cliendID and clientSecret in google developer console, as you can see:
But how do I get an access token WITHOUT any browser interaction?
I seem to be missing something trivial here ...
I've went through all google tutorials and docs I could find about OAuth2, tokens, and APIs, but all guides go through the browser in one point.
Go to the OAuth Playground, click the cog on the top right, check the Use your own OAuth credentials and insert your clientID and clientSecret.
Then select the Gmail API v1 scopes you want in the list to the left and follow the outlined steps and you will get an access_token and a refresh_token.
Google Oauth2 actually all Oauth2 implementations I am aware of require that a user grant an application access via a web browser.
There is an alternative type called service accounts this is more like oauth1 service accounts are preauthorized. You can grant a service account access to your google drive by sharing folders and files with the service account like you would any other user. Because they are preauthorized there is no browser window pop up with service accounts.
You can only user service accounts with Gmail if you have a Google domains account Gsuite. The admin can go in and grant the service account access to the Gmail account in question. Perform G Suite Domain-Wide Delegation of Authority
If this is a normal user Gmail account you cant use a service account. You will have to use Oauth2 popup the request and save the refresh token so that you can gain access at a later date.

Google Apps Marketplace - Adding scopes via Incremental authorisation

We have an existing web app which uses Google's OAuth 2.0 APIs for Admin Directory, Drive, etc for administrative tasks like backup and audit.
Currently we let our customers install backup and audit independently as 'modules' and each have separate client_ids and separate OAuth scopes (i.e. Admin directory for one, Drive for another).
We want to bring our app to the Google Apps Marketplace, and take advantage of Google Sign In (OpenID Connect), use service accounts with domain-wide delegation of authority, but still let our customers only authorize scopes they want to use.
Can we add new scopes to Google Apps Marketplace apps when a user wants to enable a certain feature?
The best practise guidelines (1) indicate that we should request all scopes we might want up front via the Marketplace SDK scopes section but we want to only request the scopes our customers are going to actually use.
(1) https://developers.google.com/apps-marketplace/practices#1_complete_the_listing_review_request_form
You can add new scopes. Your customer will still have to grant access though for the new scope/s from the ADMIN console.

Unauthorised access to Email Settings Google API

I am using both GAM and the Google API PHP client library to integrate with Google for Work.
I am using a service account and I have authorized the Client ID in the Admin console to access the following two scopes:
https://www.googleapis.com/auth/drive
https://apps-apis.google.com/a/feeds/emailsettings/2.0/
I have also enabled the Drive API and Admin SDK in the Developers Console. There is no Email Settings API that I can see.
I have followed this page and granted GAM access to all scopes during testing - which does include the Email Settings scope.
I can successfully use GAM and the PHP client library to access the Google Drive API. However, I always get a 403 - Unauthorised when trying to do any of the Email Settings API functions detailed in https://developers.google.com/admin-sdk/email-settings/
I am fairly confident that I have the authorised the right Client ID in the Admin Console. When I remove the scope https://www.googleapis.com/auth/drive from the Admin Console it blocks my access to Google Drive from both GAM and the PHP client library.
Any suggestions on what to try?
GAM does not use service accounts for email settings API, it uses standard OAuth 2.0 for installed apps. Be sure you used a super administrator to authorize GAM access to the email settings API. If you didn't, run
gam oauth revoke
And then another command like:
gam all users show imap
And this time make sure you are logged in as a super admin.
Jay's post led me to the answer - namely that I should be logged in as a super admin when accessing the Email Settings API.
I therefore created a super admin account and authenticated GAM using that. That gave GAM access.
In order to get the PHP client library working, I had to impersonate the super admin account when I created the OAuth2 token. The code to impersonate the admin account is below:
$credentials = new Google_Auth_AssertionCredentials(
$service_account_email,
$scopes,
$private_key,
'notasecret', // Default P12 password
'http://oauth.net/grant_type/jwt/1.0/bearer', // Default grant type
$admin_email
);
where
$service_account_email is the email address of the service account created in the Developer's console - not the super admin account.
$scopes is an array of the API URLs that you need to access
$private_key is the contents of the P12 certificate created from the Developer's console.
$admin_email is the email of the super admin account.
Hope this helps someone else.

Getting list of documents related to a particular user in Google Apps using Admin Account

i am creating an app using google apis.i need to access user's documents through google apis using google admin account.In past i can use google docs api like this
for example i am admin of domain iritesh.com and my email address is ritesh#iritesh.com.i logged in using admin account and can retrieve documents in google drive of rajat#iritesh.com using user_id = rajat#iritesh.com.
https://docs.google.com/feeds/"+user_id+"/private/full/folder:root/contents?v=3&alt=json
but now google docs api's are deprecated.can anyone please guideline How to acheive this using google apis now.
link reference : https://developers.google.com/google-apps/documents-list/#using_google_apps_administrative_access_to_impersonate_other_domain_users
With the new API's and OAuth 2 you can accomplish this functionality but for it you will have to use Service account with domain wide delegation.
Basically with the service account it would be possible to impersonate users in the domain and make API calls in user's behalf. For getting information about documents you will use the Drive API.
Here is the documentation on service account:
https://developers.google.com/accounts/docs/OAuth2ServiceAccount
And Drive API:
https://developers.google.com/drive/v2/reference/
hope this helps.

Resources