I am trying to use google api for getting new emails from gmail account. However reading the docs I found that there are two types to access api the first one without authorization (with json credential) and second one one is Service Account (with p12 certificate and secretkey)
Can not understand what the difference between this access? What exactly should I use?
Thanks
Oauth2 is the first type you are looking at. With Oauth2 a consent screen is displayed to the user who must approve your access. Usage you want to access a users Gmail account, you want to access a users google calendar, you want to access a users google drive.
With a service account access is pre-authorized by taking the service account email address and adding it as a user for data in question. Usage: You want to allow other users to upload files to your google drive account, you would add the service account email address to a folder on google drive then the service account will be able to upload to that folder with out having to prompt any user for permissions.
Use Oauth2 when you want to access a users account, use a service account when you want to access an account controlled by you the developer.
If you want to access a users Gmail account you need to use Oauth2 you cant grant another user access to your Gmail so there is no way to give a service account access to it.
Related
How to send service emails
from my backend with smtp.google.com or Gmail API while making sure
the secret stored on the backend server can only be used to send emails from a specific sender?
Goal
send user account activation emails from my backend
use smtp.google.com or Gmail API (i.e. no own SMTP server)
authenticate with OAuth2.0 (i.e. don't enable "less secure apps")
Current state
implemented the email sending part
for testing, I created a noreply#**.** Google Suite account
for testing, I generated an accessToken via OAuth2 Playground
using the accessToken I can send emails via smtp.googl.com
Problem
Google suggests to use a service account for this
But to send emails from no-reply#x.y I have to enable Domain-wide Delegation
Domain-wide delegation allows to impersonate every domain account
the secret stored on the backend should only allow to send mails from no-reply#**.**
Lets start with send user account activation emails from my server I am gong to assume that you have a web app. This web app allows users to register with your system. Now when a user registers with your system you want to automatically send them an account creation email. Your idea is to use Google rather than setting up your own smtp server and sending these emails from your own system. Not a bad idea really.
Lets think about this for a minute the emails would need to be sent automatically so you need some kind of service sending them. To do that you want to use a service account. Again this is a great idea using a pre authorized service account that you will not need to have a user to authorize the app.
The only issue is that service accounts do not work with normal gmail accounts. To use a service account with Gmail api you need to use a google workspace domain account. The workspace domain admin would then be able to add permissions to the service account letting it act like a user on the domain. In this case your idea of no-reply.
So your workspace domain account would have a user called no-reply. The domain admin would then configure domain wide delegation to the service account allowing it to pretend that it is the user called no-reply. For all intents and purposes the service account is the no-reply user. It will be able to send mails as if they are coming from that user.
For all this to work you will need the workspace account with that user.
Have a look at the following link, it's actually one of Google's better examples it shows how to set up the delegation.
Perform Google Workspace Domain-Wide Delegation of Authority
Here you create a service account with credentials, allow this account to impersonate other users (e.g. the no-reply user), to only use the Gmail API and to only use it to send emails.
the documentation is a bit outdated, you can skip the step Grant users access to this service account and create the service account key afterwards via the service account edit function: Manage keys
in the step Domain wide delegation you need Google Admin not the Google Cloud Platform Admin Console as in the previous step
Just remember to swap out the lines about
https://www.googleapis.com/auth/admin.directory.user,
https://www.googleapis.com/auth/admin.directory.group
and use
https://www.googleapis.com/auth/gmail.send
instead as you want to access the Gmail API and only allow the service account to send (not read) emails
tip
in the sample code in that link
.setServiceAccountUser(userEmail)
userEmail is the email address of the user you want to impersonate in this case no-reply#x.y
So I guess what I am saying is that what you want to do is definitely possible, however, it may be easier just to set up your own SMTP server.
I'm trying to create contacts in my google account using the 2lo (2 legged oauth), to achieve this Ive created a service account using my test account AAAAAAA#gmail.com, this step creates a "new email address" for the service, something like: XXXXXXX#YYYYYYYY.iam.gserviceaccount.com.
I'm able to access the google api with this account without the user intervention (2lo), and when I create a new contact using the api, this contact is related to XXXXXXX#YYYYYYYY.iam.gserviceaccount.com and not to the account I used to create the service account AAAAAAA#gmail.com, I can't see the created contact using my test account (AAAAAAA#gmail.com).
Is it possible to create a contact on my AAAAAAA#gmail.com account using a service account? what steps shou;d I follow?
Thanks
No, you cannot create contact. You need service account, which is an account that belongs to your application instead of an individual end user. Your application calls Google APIs on behalf of the service account, so users aren't directly involved.
If you want to access user data for users in your Google Apps domain, then delegate domain-wide access to the service account. Then, your application prepares to make authorized API calls by using the service account's credentials to request an access token from the OAuth 2.0 auth server.
You may follow the steps listed here: . It shows how to create a service account.
I am writing a program (written in java) for businesses that manages google drive data of domain users (download/read/...).
I need to authenticate once, using domain admin's credentials, get a token and refresh token, and fetch the data of all domain users.
I succeeded with doing it for the admin user itself, using google's Drive REST API
How can I manage all the domain users with one access token and refresh token?
In Google Apps, the admin does not have the ability to access the user's information directly.
The way to achieve this is through a service account and domain wide delegation.
With this approach, after the admin grants permissions to you app, the app will be able to impersonate users in the domain and perform actions on their behalf. e.g. you can access users Drive information.
I want to develop an application that uses the Picasa Google API for uploading images to my own account. I've already created the Service Account from the API Console and have created the code to upload the image (which works correctly given a valid access_token obtained from the OAuth2 playground).
However, when trying to obtain an access_token with the Google-api php library, this one doesn't seem to be associated to my own username (obviously, no consent screen), which throws me a 404 Not found error message when trying to access data from my personal account.
From what I've read over at https://developers.google.com/api-client-library/php/auth/service-accounts I could create an apps account to setup permissions for a whole domain. Is this, however, necessary given that I only want to access information from my own account? (the same I used to register the application in the API console). Couldn't this be done beforehand using API panel?
A service account is not you and does not by default have access to any data. Think of a service account as a dummy user. If you take the service account email address and add it as a user on a folder in your google drive it will have access to that folder on google drive. If you take the service account email address and give it access to one of your calendars on Google Calendar it will have access to the calendar.
If you set the album public I suspect it will then have access to the album. I did some Googleing and I cant see how you can add another users email address to an album on picasa.
I suggest you try using Oauth2.
I know that the Google Analytics API requires Open Authorization, which requires user confirmation.
Is there any alternative if I just need it for my own internal usage? Can I skip the confirmation part?
You can use a service account. A service account will allow you to access your own Google Analytics data with out requiring authentication.
Once you have created a service account in the Google Developer console you can then take the service account email address and add it as a user at the ACCOUNT level like you would any other user.
Then you will be able to use the service account to authenticate to the Google analytics API.