Visual C++ - Retrieve email using Gmail/G Suite OAuth 2.0 + IMAP4 protocol in background service (service account)¶
By default, you need to enable ” Allowing less secure apps” in Gmail/G Suite, then you can retrieve email with user/password IMAP4 authentication.
However Google will disable traditional user authentication in the future, switching to Google OAuth is strongly recommended now.
Sections:
- Installation
- Add reference
- Google Service Account
- Create project in Google Developers Console
- Create service account in current project
- Create service key
- Enable Gmail API
- Authorize service account by G Suite administrator
- Enable TLS Strong Encryption Algorithms in .NET 2.0 and .NET 4.0
- Access token lifetime
- Visual C++ - Retrieve email using Gmail/G Suite OAuth 2.0 from IMAP4 server with service account - example
- EA Oauth Service for Gmail
- TLS 1.2 protocol
- Related links
Installation¶
Before you can use the following sample codes, you should download the EAGetMail Installer and install it on your machine at first. Full sample projects are included in this installer.
Add reference¶
To better demonstrate how to retrieve email and parse email, let’s create a Visual C++ console project named “receiveemail” at first, and then add the reference of EAGetMail in your project.
To use EAGetMail POP3 & IMAP4 ActiveX Object in your project, the first step is “Add header files of EAGetMail to your project”.
Please go to C:\Program Files\EAGetMail\Include\tlh
or C:\Program Files (x86)\EAGetMail\Include\tlh folder, find eagetmailobj.tlh and eagetmailobj.tli,
and then copy these files to your project folder. You can start to use it to retrieve email and parse email in your project.
Google Service Account¶
Normal OAuth requires user input user/password in Web Browser. Obviously, it is not suitable for background service. In this case, you should use google service account to access G Suite or Google Workspace email service without user interaction. Service account only works for G Suite or Google Workspace user, it doesn’t work for personal Gmail account.
Create project in Google Developers Console¶
To use “G Suite or Google Workspace Service Account OAuth” in your application, you should create a project in Google Cloud Console at first.
Important
You can use any google user to create service account, it doesn’t require service account owner is a user in G Suite. But G Suite or Google Workspace administrator must authorize service account in Google Admin Console to access user mailbox.
Open Google Cloud console, create a new project by https://console.cloud.google.com/projectcreate.
After the project is created, select it from projects list as current project.
Create service account in current project¶
Click
"Credentials"->"Manage service accounts"
Click
"CREATE SERVICE ACCOUNT"
Input a name for your service account, click
"DONE"
After service account is created, you should enable "Domain-wide delegation" and create service key pair
to access G Suite or Google Workspace user mailbox.
Create service key¶
Go back to your service account -> Keys, click
Add Key, you can select"p12"or"json"key type, both can work well, then you will get a file which contains private key, save the file to local disk.Now you have created service account with key pair successfully. You can use created private key in your codes to request
"access token"impersonating a user in G Suite or Google Workspace.
- To access user data in G Suite, you must get authorization from G Suite or Google Workspace administrator. You should go back to your service account -> Details, copy your service account email address and client id.
Enable Gmail API¶
Enable Gmail API in "Library" -> Search "Gmail", then click "Gmail API" and enable it.
Authorize service account by G Suite administrator¶
To use service account to access user mailbox in G Suite or Google Workspace, G Suite Administrator should authorize specified service account at first.
Important
Important Notice: You can use any google user to create service account, it doesn’t require service account owner is a user in G Suite or Google Workspace. But G Suite or Google Workspace administrator must authorize service account in G Suite or Google Workspace Admin Console to access user mailbox.
The administrator should open admin.google.com, go to Admin Console, click
"Security">API Control;
In the Domain wide delegation pane, select Manage Domain Wide Delegation.
Click Add new.
In the Client ID field, enter the service account’s Client ID
Click Add new and enter your service account client ID.
Enter the
client IDof the service account or OAuth2 client ID of the app.In the OAuth scopes (comma-delimited) field, enter the list of scopes that your application should be granted access to. and input
https://mail.google.com/,email,profilein One or More API Scopes, click"Authorize".
- Click Authorize.
After the administrator authorized service account, you can use it to access any users mailbox in G Suite or Google Workspace domain.
Learn more detail from: https://developers.google.com/identity/protocols/oauth2/service-account
Enable TLS Strong Encryption Algorithms in .NET 2.0 and .NET 4.0¶
Because HttpWebRequest is used to get access token from web service.
If you’re using legacy .NET framework (.NET 2.0 - .NET 3.5 and .NET 4.0 - 4.6.1),
you need to enable Strong Encryption Algorithms to request access token:
Put the following content to a file named NetStrongEncrypt.reg, right-click this file -> Merge -> Yes.
You can also download it from https://www.emailarchitect.net/webapp/download/NetStrongEncrypt.zip.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
Access token lifetime¶
You don’t have to request access token every time. By default,
access token expiration time is 3600 seconds, you can reuse the access token repeatedly before it is expired.
Visual C++ - Retrieve email using Gmail/G Suite OAuth 2.0 from IMAP4 server with service account - example¶
include "stdafx.h" // pre-compile header
#include <stdio.h>
#include <tchar.h>
#include "C:\Program Files (x86)\EAGetMail\Include\tlh\EAGetMailObj.tlh"
using namespace EAGetMailObjLib;
#include "C:\Program Files (x86)\EAGetMail\Include\tlh\msxml3.tlh"
using namespace MSXML2;
const int MailServerPop3 = 0;
const int MailServerImap4 = 1;
const int MailServerEWS = 2;
const int MailServerDAV = 3;
const int MailServerMsGraph = 4;
const int MailServerAuthLogin = 0;
const int MailServerAuthCRAM5 = 1;
const int MailServerAuthNTLM = 2;
const int MailServerAuthXOAUTH2 = 3;
const int GetMailInfos_All = 1;
const int GetMailInfos_NewOnly = 2;
const int GetMailInfos_ReadOnly = 4;
const int GetMailInfos_SeqRange = 8;
const int GetMailInfos_UIDRange = 16;
const int GetMailInfos_PR_ENTRYID = 32;
const int GetMailInfos_DateRange = 64;
const int GetMailInfos_OrderByDateTime = 128;
DWORD _getCurrentPath(LPTSTR lpPath, DWORD nSize)
{
DWORD dwSize = ::GetModuleFileName(NULL, lpPath, nSize);
if (dwSize == 0 || dwSize == nSize)
{
return 0;
}
// Change file name to current full path
LPCTSTR psz = _tcsrchr(lpPath, _T('\\'));
if (psz != NULL)
{
lpPath[psz - lpPath] = _T('\0');
return _tcslen(lpPath);
}
return 0;
}
BOOL RequestAccessToken(const TCHAR* requestData, _bstr_t &accessToken)
{
try
{
IServerXMLHTTPRequestPtr httpRequest = NULL;
httpRequest.CreateInstance(__uuidof(MSXML2::ServerXMLHTTP));
if (httpRequest == NULL)
{
printf("Failed to create XML HTTP Object, please make sure you install MSXML 3.0 on your machine.\r\n");
return FALSE;
}
_bstr_t fullRequest = _bstr_t("grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=") + requestData;
const char* postData = (const char*)fullRequest;
LONG cdata = strlen(postData);
LPSAFEARRAY psaHunk = ::SafeArrayCreateVectorEx(VT_UI1, 0, cdata, NULL);
for (LONG k = 0; k < (int)cdata; k++)
{
BYTE ch = (BYTE)postData[k];
::SafeArrayPutElement(psaHunk, &k, &ch);
}
_variant_t requestBuffer;
requestBuffer.vt = (VT_ARRAY | VT_UI1);
requestBuffer.parray = psaHunk;
_variant_t async(true);
_bstr_t uri("https://oauth2.googleapis.com/token");
httpRequest->setOption((MSXML2::SERVERXMLHTTP_OPTION)2, 13056);
httpRequest->open(L"POST", uri, async, vtMissing, vtMissing);
httpRequest->setRequestHeader(L"Content-Type", L"application/x-www-form-urlencoded");
httpRequest->send(requestBuffer);
while (httpRequest->readyState != 4) {
httpRequest->waitForResponse(1);
}
long status = httpRequest->status;
_bstr_t responseText = httpRequest->responseText;
if (status < 200 || status >= 300)
{
printf("Failed to get access token from server: %d %s\r\n", status, (const char*)responseText);
return FALSE;
}
IOAuthResponseParserPtr oauthParser = NULL;
oauthParser.CreateInstance(__uuidof(EAGetMailObjLib::OAuthResponseParser));
oauthParser->Load(responseText);
accessToken = oauthParser->AccessToken;
if (accessToken.length() == 0)
{
printf("Failed to parse access token from server response: %d %s\r\n", status, (const char*)responseText);
return FALSE;
}
return TRUE;
}
catch (_com_error &ep)
{
printf("Failed to get access token: %s", (const char*)ep.Description());
return FALSE;
}
}
BOOL GenerateRequestData(const char* gsuiteUser, _bstr_t &requestData)
{
// service account email address
// You should create your client id and client secret,
const char* serviceAccount = "xxxx@xxxx.iam.gserviceaccount.com";
const char* scope = "https://mail.google.com/";
const char* aud = "https://oauth2.googleapis.com/token";
ISimpleJsonParserPtr jwtPtr = NULL;
jwtPtr.CreateInstance(__uuidof(EAGetMailObjLib::SimpleJsonParser));
_bstr_t header = jwtPtr->JwtBase64UrlEncode(_bstr_t("{\"alg\":\"RS256\",\"typ\":\"JWT\"}"));
// token request timestamp
long iat = jwtPtr->GetCurrentIAT();
// token expiration time
long exp = iat + 3600;
char iatBuf[MAX_PATH + 1];
char expBuf[MAX_PATH + 1];
sprintf_s(iatBuf, MAX_PATH, "%d", iat);
sprintf_s(expBuf, MAX_PATH, "%d", exp);
_bstr_t playload = _bstr_t("{");
playload += _bstr_t("\"iss\":\"") + _bstr_t(serviceAccount) + _bstr_t("\",");
playload += _bstr_t("\"scope\":\"") + _bstr_t(scope) + _bstr_t("\",");
playload += _bstr_t("\"aud\":\"") + _bstr_t(aud) + _bstr_t("\",");
playload += _bstr_t("\"exp\":") + _bstr_t(expBuf) + _bstr_t(",");
playload += _bstr_t("\"iat\":") + _bstr_t(iatBuf) + _bstr_t(",");
playload += _bstr_t("\"sub\":\"") + _bstr_t(gsuiteUser) + _bstr_t("\"");
playload += _bstr_t("}");
playload = jwtPtr->JwtBase64UrlEncode(playload);
ICertificatePtr cert = NULL;
cert.CreateInstance(__uuidof(EAGetMailObjLib::Certificate));
// In web application, use CRYPT_MACHINE_KEYSET
if (cert->LoadFromFile(_bstr_t("D:\\MyData\\oauth-77dac4d192ec.p12"),
_bstr_t("notasecret"), CRYPT_USER_KEYSET) == VARIANT_FALSE)
{
printf("Failed to load service account certificate!");
return FALSE;
}
_bstr_t signature = jwtPtr->SignRs256(cert, header + _bstr_t(".") + playload);
if (signature.length() == 0)
{
printf("Failed to sign request data!");
return FALSE;
}
requestData = header + _bstr_t(".") + playload + _bstr_t(".") + signature;
return TRUE;
}
void RetrieveEmail()
{
::CoInitialize(NULL);
// gsuiteUser is the full email address of the user in GSuite, for example: user@gsuitedomain
const char* gsuiteUser = "user@mydomainingsuit.com";
_bstr_t requestData, accessToken;
if (!GenerateRequestData(gsuiteUser, requestData))
{
return;
}
// request access token from Google server by service account
// withou user interaction
if (!RequestAccessToken((const TCHAR*)requestData, accessToken))
{
return;
}
try
{
TCHAR szPath[MAX_PATH + 1];
_getCurrentPath(szPath, MAX_PATH);
TCHAR szMailBox[MAX_PATH + 1];
wsprintf(szMailBox, _T("%s\\inbox"), szPath);
// Create a folder to store emails
::CreateDirectory(szMailBox, NULL);
IMailServerPtr oServer = NULL;
oServer.CreateInstance(__uuidof(EAGetMailObjLib::MailServer));
// Gmail IMAP server address
oServer->Server = _bstr_t("imap.gmail.com");
oServer->User = _bstr_t(gsuiteUser);
// Use access token as password
oServer->Password = accessToken;
// Use OAUTH 2.0
oServer->AuthType = MailServerAuthXOAUTH2;
// Use IMAP4 Protocol
oServer->Protocol = MailServerImap4;
// Enable SSL Connection
oServer->SSLConnection = VARIANT_TRUE;
// Set IMAP4 SSL Port
oServer->Port = 993;
IMailClientPtr oClient = NULL;
oClient.CreateInstance(__uuidof(EAGetMailObjLib::MailClient));
oClient->LicenseCode = _T("TryIt");
_tprintf(_T("Connecting %s ...\r\n"), (const TCHAR*)oServer->Server);
oClient->Connect(oServer);
// Get new email only, if you want to get all emails, please remove this line
oClient->GetMailInfosParam->GetMailInfosOptions = GetMailInfos_NewOnly;
IMailInfoCollectionPtr infos = oClient->GetMailInfoList();
_tprintf(_T("Total %d emails\r\n"), infos->Count);
for (long i = 0; i < infos->Count; i++)
{
IMailInfoPtr pInfo = infos->GetItem(i);
_tprintf(_T("Index: %d; Size: %d; UIDL: %s\r\n\r\n"),
pInfo->Index, pInfo->Size, (const TCHAR*)pInfo->UIDL);
TCHAR szFile[MAX_PATH + 1];
// Generate a random file name by current local datetime,
// You can use your method to generate the filename if you do not like it
SYSTEMTIME curtm;
::GetLocalTime(&curtm);
::wsprintf(szFile, _T("%s\\%04d%02d%02d%02d%02d%02d%03d%d.eml"),
szMailBox,
curtm.wYear,
curtm.wMonth,
curtm.wDay,
curtm.wHour,
curtm.wMinute,
curtm.wSecond,
curtm.wMilliseconds,
i);
// Receive email from POP3 server
IMailPtr oMail = oClient->GetMail(pInfo);
_tprintf(_T("From: %s\r\n"), (const TCHAR*)oMail->From->Address);
_tprintf(_T("Subject: %s\r\n"), (const TCHAR*)oMail->Subject);
// Save email to local disk
oMail->SaveAs(szFile, VARIANT_TRUE);
// Mark email as read to prevent retrieving this email again.
oClient->MarkAsRead(pInfo, VARIANT_TRUE);
// If you want to delete current email, please use Delete method instead of MarkAsRead
// oClient->Delete(pInfo);
}
// Delete method just mark the email as deleted,
// Quit method expunge the emails from server exactly.
oClient->Quit();
}
catch (_com_error &ep)
{
_tprintf(_T("Error: %s"), (const TCHAR*)ep.Description());
}
}
EA Oauth Service for Gmail¶
If your code is too complex or out of maintenance, and you don’t want to change anything in your source codes, then you can have a try with EA Oauth Service for Gmail. It provides an easy way for the legacy email application that doesn’t support OAUTH 2.0 to send and retrieve email from Gmail without changing any codes. SMTP, POP, IMAP and SSL/TLS protocols are supported.
TLS 1.2 protocol¶
TLS is the successor of SSL, more and more SMTP servers require TLS 1.2 encryption now.
If your operating system is Windows XP/Vista/Windows 7/Windows 2003/2008/2008 R2/2012/2012 R2, you need to
enable TLS 1.2 protocol in your operating system like this:
Enable TLS 1.2 on Windows XP/Vista/7/10/Windows 2008/2008 R2/2012
Appendix
- Retrieve email and parse email in Visual C++ - Tutorial
- EAGetMail POP3/IMAP4 Component SDK
- Using UIDLManager to mark email as read/downloaded
- Download only unread/new emails from IMAP or MS Exchange Server
- Search emails and filter emails on IMAP or MS Exchange Server
- Retrieve emails from specified folder in IMAP or MS Exchange Server
Comments
If you have any comments or questions about above example codes, please click here to add your comments.