Create project and service account for Google Workspace OAUTH - Tutorial

Because Google Workspace has disabled basic (password) authentication for its SMTP/POP/IMAP services, you have to use modern authentication (OAuth 2.0) to log in to the Gmail SMTP/POP/IMAP services.

To use OAuth, an access token is required. There are two ways to retrieve an access token from the Google server:

  • The user logs in to the account in a web browser, and the application uses the returned authorization code to request the access token. This way requires the user to be present and interact, so it is not suitable for a server-side application.
  • Create a service account; the Google Workspace administrator grants it access to user data (domain-wide delegation), and the application uses the service account's private key to request an access token directly, without any user login.

This tutorial introduces the second way. It does not require user interaction, so it is suitable for background services, but it only works with Google Workspace accounts (domain-wide delegation is not available for personal @gmail.com accounts).

Create project in Google Developers Console

To use "Google Workspace Service Account OAuth" in your application, you should first create a project in the Google Cloud Console.

Important

You can use any Google account to create the project and the service account; the owner of the service account does not have to be a user in the Google Workspace domain. But the Google Workspace administrator must authorize the service account in the Google Admin Console before it can access user mailboxes.

Create service account in current project

  • Click "Credentials" -> "Manage service accounts"

    [Screenshot: manage service accounts in the Google Developers Console]
  • Click "CREATE SERVICE ACCOUNT"

    [Screenshot: create service account in the Google Developers Console]
  • Enter a name for your service account and click "DONE"

    [Screenshot: service account name and "DONE" in the Google Developers Console]

After the service account is created, you need to create a key pair for it and have the Google Workspace administrator authorize domain-wide delegation for it, so that it can access Google Workspace user mailboxes.

Create service key

  • Go back to your service account -> "Keys", click "Add Key" -> "Create new key" and select the JSON key type (P12 also works, but EA Oauth Service imports the JSON file directly). The browser downloads a file containing the private key; save it somewhere safe, because Google does not keep a copy and the key cannot be downloaded again.

    Treat this file like a password for the whole domain: once the administrator has authorized domain-wide delegation, anyone holding the private key can request tokens for any user in the Google Workspace domain. Keep it out of source control, restrict its file permissions, and delete keys that are no longer used.

    Now you have a service account with a key pair. You can use the private key in your code to request an access token while impersonating a user in Google Workspace.

    [Screenshot: create service key]
  • To access user data in Google Workspace, you must get authorization from the Google Workspace administrator. Go back to your service account -> "Details" and copy the service account's email address and its client ID (the numeric "Unique ID"); the administrator needs the client ID.

    [Screenshot: Google OAuth client ID]

Enable Gmail API

Enable the Gmail API via "Library" -> search "Gmail" -> click "Gmail API" -> "Enable". This is only needed if your application sends or reads mail through the Gmail API (HTTPS); if it uses SMTP, POP or IMAP with the access token, the API does not have to be enabled.

[Screenshot: enable Gmail API]

Authorize service account by Google Workspace administrator

To use a service account to access user mailboxes in Google Workspace, the Google Workspace administrator must first authorize that specific service account.

  • The administrator opens admin.google.com and, in the Admin Console, goes to "Security" > "API controls" (in newer layouts this is under "Security" > "Access and data control").

    [Screenshot: authorize service account in the Google Workspace Admin Console]
  • In the "Domain wide delegation" pane, click "Manage Domain Wide Delegation".
  • Click "Add new".
  • In the "Client ID" field, enter the service account's client ID (the numeric ID copied from the service account's "Details" page).
  • In the "OAuth scopes (comma-delimited)" field, enter the scopes the application should be granted. For SMTP/POP/IMAP access enter https://mail.google.com/, email, profile. Grant only the scopes the application really needs: whatever is listed here becomes available, for every user in the domain, to anyone who holds the service account's private key.

    [Screenshot: manage API client access in the Google Workspace Admin Console]
  • Click "Authorize".

After the administrator has authorized the service account, your application can request an access token for, and thereby act as, any user in the Google Workspace domain within the authorized scopes.

Learn more from Google's documentation: https://developers.google.com/identity/protocols/oauth2/service-account
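The token flow the steps above set up, shown as an added example in Go (this is not code from this page or from EmailArchitect): it reads the fields of the downloaded JSON key file, signs the RS256 JWT assertion with the private key, names the Workspace user to impersonate in the "sub" claim, builds the form body that is POSTed to token_uri with the jwt-bearer grant, and builds the SASL XOAUTH2 string that carries the resulting access token in "AUTH XOAUTH2" on SMTP or IMAP. The service account address, key ID, key and user address are constructed test data generated at run time, and VerifyAssertion stands in for Google's token endpoint so the example runs offline; the one network step, POSTing TokenRequestBody to token_uri, is left to the caller.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// ServiceAccountKey holds the fields of the JSON key file downloaded from the Cloud Console.
type ServiceAccountKey struct {
	ClientEmail  string `json:"client_email"`
	PrivateKeyID string `json:"private_key_id"`
	PrivateKey   string `json:"private_key"` // PKCS#8 PEM, "-----BEGIN PRIVATE KEY-----"
	TokenURI     string `json:"token_uri"`   // https://oauth2.googleapis.com/token
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func sum256(s string) []byte { d := sha256.Sum256([]byte(s)); return d[:] }

// BuildAssertion signs the RS256 JWT that the service account presents to token_uri.
// "sub" is the Workspace user to impersonate; domain-wide delegation is what lets the account act for that user.
func BuildAssertion(key ServiceAccountKey, impersonate, scope string, now time.Time) (string, error) {
	block, _ := pem.Decode([]byte(key.PrivateKey))
	if block == nil {
		return "", fmt.Errorf("private_key is not PEM")
	}
	parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	rsaKey, ok := parsed.(*rsa.PrivateKey)
	if err != nil || !ok {
		return "", fmt.Errorf("private_key is not a PKCS#8 RSA key: %v", err)
	}
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": key.PrivateKeyID})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss":   key.ClientEmail,
		"sub":   impersonate,
		"scope": scope, // space-separated; must lie within what the admin authorized for this client ID
		"aud":   key.TokenURI,
		"iat":   now.Unix(),
		"exp":   now.Add(time.Hour).Unix(), // Google rejects an exp more than one hour after iat
	})
	signingInput := b64url(header) + "." + b64url(claims)
	sig, err := rsa.SignPKCS1v15(rand.Reader, rsaKey, crypto.SHA256, sum256(signingInput))
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// TokenRequestBody is the x-www-form-urlencoded body POSTed to token_uri; the JSON reply carries "access_token" and "expires_in".
func TokenRequestBody(assertion string) string {
	v := url.Values{}
	v.Set("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer")
	v.Set("assertion", assertion)
	return v.Encode()
}

// XOAuth2Initial is the base64 initial client response sent with "AUTH XOAUTH2" on SMTP or IMAP.
func XOAuth2Initial(user, accessToken string) string {
	return base64.StdEncoding.EncodeToString([]byte("user=" + user + "\x01auth=Bearer " + accessToken + "\x01\x01"))
}

// VerifyAssertion checks the signature with the public key and returns the claims; it stands in for Google's endpoint offline.
func VerifyAssertion(assertion string, pub *rsa.PublicKey) (map[string]interface{}, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("want 3 JWT segments, got %d", len(parts))
	}
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2]) // malformed base64 just fails verification below
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum256(parts[0]+"."+parts[1]), sig); err != nil {
		return nil, err
	}
	raw, _ := base64.RawURLEncoding.DecodeString(parts[1]) // covered by the signature just verified
	var claims map[string]interface{}
	return claims, json.Unmarshal(raw, &claims)
}

// NewTestKey makes a throwaway key laid out like a downloaded key file (constructed test data, not a real account).
func NewTestKey() (ServiceAccountKey, *rsa.PublicKey) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	der, _ := x509.MarshalPKCS8PrivateKey(priv)
	pemKey := string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}))
	return ServiceAccountKey{"mailer@example-project.iam.gserviceaccount.com", "0123456789abcdef", pemKey, "https://oauth2.googleapis.com/token"}, &priv.PublicKey
}

func main() {
	key, pub := NewTestKey()
	assertion, err := BuildAssertion(key, "alice@your-workspace-domain.example", "https://mail.google.com/", time.Now())
	claims, verr := VerifyAssertion(assertion, pub)
	fmt.Println("built:", err == nil, "verified:", verr == nil, "sub:", claims["sub"], "POST", key.TokenURI, TokenRequestBody(assertion)[:40]+"...")
}
```

To use this against a real account, unmarshal the downloaded JSON key file into ServiceAccountKey, POST TokenRequestBody to key.TokenURI with Content-Type application/x-www-form-urlencoded, take "access_token" from the reply, and send XOAuth2Initial(user, token) as the argument of AUTH XOAUTH2 to smtp.gmail.com or imap.gmail.com. Note that "sub" can be any user in the domain: the only thing that limits what a holder of the key file can do is the scope list the administrator authorized.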

Use service account in third-party application (EA Oauth Service)

You can use the service account email address, private key ID and private key in any third-party application that supports OAuth. If you have a legacy email application that does not support OAuth, the following third-party application can use those fields to connect your application to Gmail:

Help a legacy email application that does not support OAuth to send and retrieve email from Gmail with EA Oauth Service

Free Email Support

Not enough? Please contact our technical support team.

Support@EmailArchitect.NET

Remarks

We usually reply to emails within 24 hours. If you get no response, the most likely reason is that your SMTP server bounced our reply. In this case, please try another email address to contact us; a Gmail, Hotmail or Office 365 account is recommended.