Using Gmail/GSuite SMTP OAUTH with Service Account


The Gmail/GSuite IMAP and SMTP servers have been extended to support authorization via the industry-standard OAuth 2.0 protocol. Using OAUTH protocol, user can do authentication by Gmail Web OAuth instead of inputting user and password directly in application.

You can click here to learn more detail about "OAUTH/XOAUTH2 with Gmail SMTP Server".


Google Service Account

Normal OAUTH requires user input user/password for authentication. Obviously, it is not suitable for background service. In this case, you should use google service account to access G Suite email service without user interaction. Service account only works for G Suite user, it doesn't work for personal Gmail account.


Create your project in Google Developers Console

To use "G Suite Service Account OAUTH" in your application, you should create a project in Google Developers Console at first.

Important Notice: You can use any google user to create service account, it doesn't require service account owner is a user in G Suite. But G Suite administrator must authorize service account in G Suite Admin Console to access user mailbox.


Create service account under current project


Enable Gmail API

Enable Gmail API in "Library" -> Search "Gmail", then click "Gmail API" and enable it. If you use Gmail API protocol to send email, you should enable this API, if you use SMTP protocol, you don't have to enable it.

After service account is created, you should enable "Domain-wide delegation" and create service key pair to access G Suite user mailbox.


Enable "Domain-wide delegation" and create service key


Authorize service account by G Suite administrator

To use service account to access user mailbox in G Suite, G Suite Administrator should authorize specified service account at first.

Important Notice: You can use any google user to create service account, it doesn't require service account owner is a user in G Suite. But G Suite administrator must authorize service account in G Suite Admin Console to access user mailbox.

After G Suite administrator authorized service account, you can use it to access any users mailbox in G Suite domain.


Use service account to send email impersonating user in G Suite Domain

The following examples demonstrate how to send email with service account + G Suite OAUTH

Example

[VB6 - Use service account to send email impersonating user in G Suite Domain]

Const ConnectNormal = 0
Const ConnectSSLAuto = 1
Const ConnectSTARTTLS = 2
Const ConnectDirectSSL = 3
Const ConnectTryTLS = 4

Const AuthAuto = -1
Const AuthLogin = 0
Const AuthNtlm = 1
Const AuthCramMd5 = 2
Const AuthPlain = 3
Const AuthMsn = 4
Const AuthXoauth2 = 5

Const CRYPT_MACHINE_KEYSET = 32 
Const CRYPT_USER_KEYSET = 4096 

Private Function GenerateRequestData(GsuiteUser) 

    GenerateRequestData = ""

    ' service account email address
    Const serviceAccount = "xxxxxx@xxxxxx.iam.gserviceaccount.com"
    Const scope = "https://mail.google.com/"
    Const aud = "https://oauth2.googleapis.com/token"

    Dim jwt As New EASendMailObjLib.SimpleJsonParser

    Dim header, playload
    header = jwt.JwtBase64UrlEncode("{""alg"":""RS256"",""typ"":""JWT""}")

    Dim iat, exp
    ' token request timestamp
    iat = jwt.GetCurrentIAT()
    ' token expiration time
    exp = iat + 3600

    playload = "{"
    playload = playload & """iss"":""" & serviceAccount & ""","
    playload = playload & """scope"":""" & scope & ""","
    playload = playload & """aud"":""" & aud & ""","
    playload = playload & """exp"":" & exp & ","
    playload = playload & """iat"":" & iat & ","
    playload = playload & """sub"":""" & gsuiteUser & """"
    playload = playload & "}"

    playload = jwt.JwtBase64UrlEncode(playload)

    Dim cert As New EASendMailObjLib.Certificate

    ' In web application, use CRYPT_MACHINE_KEYSET
    If Not cert.LoadPFXFromFile("D:\myfolder\myoauth-77dec4d192ec.p12", "notasecret", CRYPT_USER_KEYSET) Then
        MsgBox "Failed to load service account certificate!"
        Exit Function
    End If

    Dim signature
    signature = jwt.SignRs256(cert, header & "." & playload)
    If signature = "" Then
        MsgBox "Failed to sign request data!"
        Exit Function
    End If
    
    Dim dataToPost

    dataToPost = header & "." & playload & "." & signature
    GenerateRequestData = dataToPost

End Function

Private Function RequestAccessToken(requestData)
    RequestAccessToken = ""

    If requestData = "" Then
        Exit Function
    End If

On Error GoTo ErrorHandle

    Dim httpRequest
    Set httpRequest = CreateObject("MSXML2.ServerXMLHTTP")
    
    requestData = "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=" & requestData
    
    httpRequest.setOption 2, 13056
    httpRequest.Open "POST", "https://oauth2.googleapis.com/token", True
    httpRequest.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
    httpRequest.Send requestData
    
    Do While httpRequest.ReadyState <> 4
        DoEvents
        httpRequest.waitForResponse (1)
    Loop
    
    Dim Status
    Status = httpRequest.Status
    
    If Status < 200 Or Status >= 300 Then
        MsgBox "Failed to get access token from server."
        MsgBox httpRequest.responseText
        Exit Function
    End If

    Dim result
    result = httpRequest.responseText
    
    Dim oauthParser As New EASendMailObjLib.OAuthResponseParser
    oauthParser.Load result
    
    Dim accessToken
    accessToken = oauthParser.AccessToken
    
    If accessToken = "" Then
        MsgBox "Failed to parse access token from server response."
        Exit Function
    End If

    RequestAccessToken = accessToken
    Exit Function

ErrorHandle:
    MsgBox "Failed to request access token." & Err.Description
        
End Function

Private Sub SendEmail(GsuiteUser As String)
    ' GsuiteUser is the full email address of the user in GSuite, user@gsuitedomain

    Dim access_token As String
    ' request access token from Google server by service account
    ' withou user interaction
    access_token = RequestAccessToken(GenerateRequestData(GsuiteUser))

    If access_token = "" Then
        Exit Sub
    End If

    Dim oSmtp As EASendMailObjLib.Mail
    Set oSmtp = New EASendMailObjLib.Mail
    oSmtp.LicenseCode = "TryIt"

    oSmtp.ServerAddr = "smtp.gmail.com"
    oSmtp.ServerPort = 587

    ' Enable SSL/TLS connection
    oSmtp.ConnectType = ConnectSSLAuto

    ' Gmail OAUTH/XOAUTH2 type
    oSmtp.AuthType = AuthXoauth2 
    oSmtp.UserName = GsuiteUser
    oSmtp.Password = access_token
    
    oSmtp.FromAddr = GsuiteUser
    oSmtp.AddRecipient "Support Team", "support@emailarchitect.net", 0
    
    oSmtp.BodyText = "Hello, this is a test...."
    If oSmtp.SendMail() = 0 Then
        MsgBox "Message delivered!"
    Else
        MsgBox oSmtp.GetLastErrDescription()
    End If

End Sub


[Visual C++ - Use service account to send email impersonating user in G Suite Domain] #include "pch.h" #include <tchar.h> #include <Windows.h> #include "EASendMailObj.tlh" using namespace EASendMailObjLib; #include "msxml3.tlh" using namespace MSXML2; const int ConnectNormal = 0; const int ConnectSSLAuto = 1; const int ConnectSTARTTLS = 2; const int ConnectDirectSSL = 3; const int ConnectTryTLS = 4; const int AuthAuto = -1; const int AuthLogin = 0; const int AuthNtlm = 1; const int AuthCramMd5 = 2; const int AuthPlain = 3; const int AuthMsn = 4; const int AuthXoauth2 = 5; BOOL RequestAccessToken(const TCHAR* requestData, _bstr_t &accessToken) { try { IServerXMLHTTPRequestPtr httpRequest = NULL; httpRequest.CreateInstance(__uuidof(MSXML2::ServerXMLHTTP)); if (httpRequest == NULL) { _tprintf(_T("Failed to create XML HTTP Object, please make sure you install MSXML 3.0 on your machine.\r\n")); return FALSE; } _bstr_t fullRequest = _bstr_t("grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=") + requestData; const char* postData = (const char*)fullRequest; LONG cdata = strlen(postData); LPSAFEARRAY psaHunk = ::SafeArrayCreateVectorEx(VT_UI1, 0, cdata, NULL); for (LONG k = 0; k < (int)cdata; k++) { BYTE ch = (BYTE)postData[k]; ::SafeArrayPutElement(psaHunk, &k, &ch); } _variant_t requestBuffer; requestBuffer.vt = (VT_ARRAY | VT_UI1); requestBuffer.parray = psaHunk; _variant_t async(true); _bstr_t uri(_T("https://oauth2.googleapis.com/token")); httpRequest->setOption((MSXML2::SERVERXMLHTTP_OPTION)2, 13056); httpRequest->open(L"POST", uri, async, vtMissing, vtMissing); httpRequest->setRequestHeader(L"Content-Type", L"application/x-www-form-urlencoded"); httpRequest->send(requestBuffer); while (httpRequest->readyState != 4) { httpRequest->waitForResponse(1); } long status = httpRequest->status; _bstr_t responseText = httpRequest->responseText; if (status < 200 || status >= 300) { _tprintf(_T("Failed to get access token from server: %d %s\r\n"), status, (const TCHAR*)responseText); return FALSE; } IOAuthResponseParserPtr oauthParser = NULL; oauthParser.CreateInstance(__uuidof(EASendMailObjLib::OAuthResponseParser)); oauthParser->Load(responseText); accessToken = oauthParser->AccessToken; if (accessToken.length() == 0) { _tprintf(_T("Failed to parse access token from server response: %d %s\r\n"), status, (const TCHAR*)responseText); return FALSE; } return TRUE; } catch (_com_error &ep) { _tprintf(_T("Failed to get access token: %s"), (const TCHAR*)ep.Description()); return FALSE; } } BOOL GenerateRequestData(const TCHAR* gsuiteUser, _bstr_t &requestData) { // service account email address const TCHAR* serviceAccount = _T("xxxx@xxxx.iam.gserviceaccount.com"); const TCHAR* scope = _T("https://mail.google.com/"); const TCHAR* aud = _T("https://oauth2.googleapis.com/token"); ISimpleJsonParserPtr jwtPtr = NULL; jwtPtr.CreateInstance(__uuidof(EASendMailObjLib::SimpleJsonParser)); _bstr_t header = jwtPtr->JwtBase64UrlEncode(_T("{\"alg\":\"RS256\",\"typ\":\"JWT\"}")); // token request timestamp long iat = jwtPtr->GetCurrentIAT(); // token expiration time long exp = iat + 3600; TCHAR iatBuf[MAX_PATH + 1]; TCHAR expBuf[MAX_PATH + 1]; _stprintf_s(iatBuf, MAX_PATH, _T("%d"), iat); _stprintf_s(expBuf, MAX_PATH, _T("%d"), exp); _bstr_t playload = _bstr_t("{"); playload += _bstr_t("\"iss\":\"") + _bstr_t(serviceAccount) + _bstr_t("\","); playload += _bstr_t("\"scope\":\"") + _bstr_t(scope) + _bstr_t("\","); playload += _bstr_t("\"aud\":\"") + _bstr_t(aud) + _bstr_t("\","); playload += _bstr_t("\"exp\":") + _bstr_t(expBuf) + _bstr_t(","); playload += _bstr_t("\"iat\":") + _bstr_t(iatBuf) + _bstr_t(","); playload += _bstr_t("\"sub\":\"") + _bstr_t(gsuiteUser) + _bstr_t("\""); playload += _bstr_t("}"); playload = jwtPtr->JwtBase64UrlEncode(playload); ICertificatePtr cert = NULL; cert.CreateInstance(__uuidof(EASendMailObjLib::Certificate)); // In web application, use CRYPT_MACHINE_KEYSET if (cert->LoadPFXFromFile(_T("D:\\MyData\\oauth-77dac4d192ec.p12"), _T("notasecret"), CRYPT_USER_KEYSET) == VARIANT_FALSE) { _tprintf(_T("Failed to load service account certificate!")); return FALSE; } _bstr_t signature = jwtPtr->SignRs256(cert, header + _bstr_t(".") + playload); if (signature.length() == 0) { _tprintf(_T("Failed to sign request data!")); return FALSE; } requestData = header + _bstr_t(".") + playload + _bstr_t(".") + signature; return TRUE; } void SendEmail(const TCHAR* gsuiteUser) { ::CoInitialize(NULL); // gsuiteUser is the full email address of the user in GSuite, for example: user@gsuitedomain _bstr_t requestData, accessToken; if (!GenerateRequestData(gsuiteUser, requestData)) { return; } // request access token from Google server by service account // withou user interaction if (!RequestAccessToken((const TCHAR*)requestData, accessToken)) { return; } IMailPtr oSmtp = NULL; oSmtp.CreateInstance(__uuidof(EASendMailObjLib::Mail)); oSmtp->LicenseCode = _T("TryIt"); oSmtp->ServerAddr = _T("smtp.gmail.com"); oSmtp->ServerPort = 587; // Enable SSL/TLS connection oSmtp->ConnectType = ConnectSSLAuto; // Gmail OAUTH type oSmtp->AuthType = AuthXoauth2; oSmtp->UserName = gsuiteUser; oSmtp->Password = accessToken; oSmtp->FromAddr = gsuiteUser; oSmtp->AddRecipient(_T("Support Team"), _T("support@emailarchitect.net"), 0); oSmtp->BodyText = _T("Hello, this is a test...."); if (oSmtp->SendMail() == 0) _tprintf(_T("Message delivered!")); else _tprintf((const TCHAR*)oSmtp->GetLastErrDescription()); }
[Delphi - Use service account to send email impersonating user in G Suite Domain] const ConnectNormal = 0; ConnectSSLAuto = 1; ConnectSTARTTLS = 2; ConnectDirectSSL = 3; ConnectTryTLS = 4; AuthAuto = -1; AuthLogin = 0; AuthNtlm = 1; AuthCramMd5 = 2; AuthPlain = 3; AuthMsn = 4; AuthXoauth2 = 5; CRYPT_MACHINE_KEYSET = 32; CRYPT_USER_KEYSET = 4096; function TForm1.RequestAccessToken(requestData: WideString): WideString; var httpRequest: TServerXMLHTTP; oauthParser: TOAuthResponseParser; fullRequest: OleVariant; status: integer; responseText: WideString; accessToken: WideString; begin result := ''; httpRequest := TServerXMLHTTP.Create(Application); fullRequest := 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion='; fullRequest := fullRequest + requestData; httpRequest.setOption(2, 13056); httpRequest.open('POST', 'https://oauth2.googleapis.com/token', true); httpRequest.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded'); httpRequest.send(fullRequest); while( httpRequest.readyState <> 4 ) do begin try httpRequest.waitForResponse(1); Application.ProcessMessages(); except ShowMessage('Server response timeout (access token).'); exit; end; end; status := httpRequest.status; responseText := httpRequest.responseText; if (status < 200) or (status >= 300) then begin ShowMessage('Failed to get access token from server.' + responseText); exit; end; oauthParser := TOAuthResponseParser.Create(Application); oauthParser.Load(responseText); accessToken := oauthParser.AccessToken; if accessToken = '' then begin ShowMessage('Failed to parse access token from server response.'); exit; end; result := accessToken; end; function TForm1.GenerateRequestData(gsuiteUser: WideString): WideString; const // service account email address serviceAccount: WideString = 'xxxx@xxxx.iam.gserviceaccount.com'; scope: WideString = 'https://mail.google.com/'; aud: WideString = 'https://oauth2.googleapis.com/token'; var jwt: TSimpleJsonParser; cert: TCertificate; pfxPath: WideString; header: WideString; playload: WideString; signature: WideString; iat, exp: integer; begin result := ''; SetThreadLocale(GetSystemDefaultLCID()); jwt := TSimpleJsonParser.Create(application); header := jwt.JwtBase64UrlEncode('{"alg":"RS256","typ":"JWT"}'); // token request timestamp iat := jwt.GetCurrentIAT(); // token expiration time exp := iat + 3600; playload := '{'; playload := playload + '"iss":"' + serviceAccount + '",'; playload := playload + '"scope":"' + scope + '",'; playload := playload + '"aud":"' + aud + '",'; playload := playload + '"exp":' + IntToStr(exp) + ','; playload := playload + '"iat":' + IntToStr(iat) + ','; playload := playload + '"sub":"' + gsuiteUser + '"'; playload := playload + '}'; playload := jwt.JwtBase64UrlEncode(playload); cert := TCertificate.Create(application); // load service account certificate to sign request data pfxPath := 'D:\MyData\GSuite\outh-77aec4d192ec.p12'; if not cert.LoadPFXFromFile(pfxPath, 'notasecret', CRYPT_USER_KEYSET) then begin ShowMessage('Failed to load certificate!'); exit; end; signature := jwt.SignRs256(cert.DefaultInterface, header + '.' + playload); if signature = '' then begin ShowMessage('Failed to sign request data!'); exit; end; result := header + '.' + playload + '.' + signature; end; procedure TForm1.SendEmail(gsuiteUser: string); var oSmtp : TMail; accessToken: WideString; begin // request access token with service account // gsuiteUser is the full email address of the user in GSuite, for example: user@gsuitedomain accessToken := RequestAccessToken(GenerateRequestData(gsuiteUser)); if accessToken = '' then exit; oSmtp := TMail.Create(Application); oSmtp.LicenseCode := 'TryIt'; // Gmail SMTP server address oSmtp.ServerAddr := 'smtp.gmail.com'; oSmtp.ServerPort := 587; // Enable SSL/TLS connection oSmtp.ConnectType := ConnectSSLAuto; // Gmail OAUTH type oSmtp.AuthType := AuthXoauth2; oSmtp.UserName := email; oSmtp.Password := accessToken; // Set sender email address oSmtp.FromAddr := email; // Add recipient email address oSmtp.AddRecipientEx('support@emailarchitect.net', 0); // Set email subject oSmtp.Subject := 'simple email from Delphi project'; // Set email body oSmtp.BodyText := 'this is a test email sent from Delphi project, do not reply'; ShowMessage('start to send email ...'); if oSmtp.SendMail() = 0 then ShowMessage('email was sent successfully!') else ShowMessage('failed to send email with the following error: ' + oSmtp.GetLastErrDescription()); end; end.

Remarks

You don't have to request access token every time, once you get an access token, it is valid within 3600 seconds.

If you don't want to use OAUTH 2.0, Gmail also supports traditional ESMTP authentication, but you need to enable Allowing less secure apps or Sign in using App Passwords.

Remarks

If you don't want to use OAUTH 2.0, Gmail also supports traditional ESMTP authentication, but you need to enable Allowing less secure apps or Sign in using App Passwords.

Online Example

VB6 - Send Email using Google/Gmail OAuth 2.0 Authentication
VB6 - Send Email using Gmail/G Suite OAuth 2.0 in Background Service (Service Account)
VB6 - Send Email using Microsoft OAuth 2.0 (Modern Authentication) from Hotmail/Outlook Account
VB6 - Send Email using Microsoft OAuth 2.0 (Modern Authentication) + EWS Protocol from Office 365 Account
VB6 - Send Email using Microsoft OAuth 2.0 (Modern Authentication) + EWS Protocol from Office 365 in Background Service

Delphi - Send Email using Google/Gmail OAuth 2.0 Authentication
Delphi - Send Email using Gmail/G Suite OAuth 2.0 in Background Service (Service Account)
Delphi - Send Email using Microsoft OAuth 2.0 (Modern Authentication) from Hotmail/Outlook Account
Delphi - Send Email using Microsoft OAuth 2.0 (Modern Authentication) + EWS Protocol from Office 365 Account
Delphi - Send Email using Microsoft OAuth 2.0 (Modern Authentication) + EWS Protocol from Office 365 in Background Service

Visual C++ - Send Email using Google/Gmail OAuth 2.0 Authentication
Visual C++ - Send Email using Gmail/G Suite OAuth 2.0 in Background Service (Service Account)
Visual C++ - Send Email using Microsoft OAuth 2.0 (Modern Authentication) from Hotmail/Outlook Account
Visual C++ - Send Email using Microsoft OAuth 2.0 (Modern Authentication) + EWS Protocol from Office 365 Account
Visual C++ - Send Email using Microsoft OAuth 2.0 (Modern Authentication) + EWS Protocol from Office 365 in Background Service

See Also

Using EASendMail ActiveX Object
Registration-free COM with Manifest File
User Authentication and SSL Connection
Enable TLS 1.2 on Windows XP/2003/2008/7/2008 R2
Using Gmail SMTP OAUTH
Using Office365 EWS OAUTH
Using Office365 EWS OAUTH in Background Service
Using Hotmail SMTP OAUTH
From, ReplyTo, Sender and Return-Path
Digital Signature and Email Encryption - S/MIME
DomainKeys Signature and DKIM Signature
Send Email without SMTP server(DNS lookup)
Work with EASendMail Service(Mail Queuing)
Programming with Asynchronous Mode
Programming with FastSender
Mail vs. FastSender
Bulk Email Sender Guidelines
Process Bounced Email (Non-Delivery Report) and Email Tracking
Work with RTF and Word
EASendMail ActiveX Object References
EASendMail SMTP Component Samples