IMAP client Authenticate problems with OAuth2 using Google service account #1786
Comments
I'm experiencing a similar issue. I also enabled logging to see what's going on.
Looks like MailKit "forgets" to actually send the authentication info and the connection is cut by the server.
@Davilarek If I were to guess, you are trying to reuse a If you are going to reuse a

@frank4040 it might help if you could get a protocol log - the server response might contain useful info (the base64 encoded blob that it sends back after a failed authentication). Odds are high that I'm not going to be able to help you, though, because OAuth2 is impossible to debug from the client side. You will likely need to reach out to Google for assistance.
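The base64 blob mentioned in the comment above can be decoded offline. The following is an added example, not part of the thread and not MailKit code: it pulls the SASL XOAUTH2 exchange out of a protocol log, shows which mailbox the client named, and decodes the server's JSON error. It assumes `C: ` / `S: ` line prefixes; the log lines, mailbox, token and error values are constructed.

```python
import base64, json, re

def build_xoauth2(user, access_token):
    """SASL XOAUTH2 initial response: user=<addr>^Aauth=Bearer <token>^A^A, base64."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()

def parse_client_response(b64):
    """Report which mailbox the client named; the token is reduced to its length."""
    parts = base64.b64decode(b64).decode().split("\x01")
    fields = dict(p.split("=", 1) for p in parts if "=" in p)
    scheme, _, token = fields.get("auth", "").partition(" ")
    return {"user": fields.get("user"), "scheme": scheme, "token_len": len(token)}

def decode_error_challenge(b64):
    """Decode the JSON error a server returns in '+ <base64>' after rejecting a token."""
    return json.loads(base64.b64decode(b64))

def inspect_log(lines):
    """Extract the XOAUTH2 exchange from 'C: ' / 'S: ' prefixed protocol log lines."""
    findings, pending = [], False
    for line in lines:
        m = re.match(r"C: \S+ AUTHENTICATE XOAUTH2 (\S+)", line)
        if m:
            findings.append(("client", parse_client_response(m.group(1))))
            pending = True
            continue
        m = re.match(r"S: \+ (\S+)", line)
        if m and pending:  # a continuation right after AUTHENTICATE carries the error
            findings.append(("server", decode_error_challenge(m.group(1))))
        pending = False
    return findings

# Constructed sample data: placeholder mailbox, fake token, illustrative error values.
SAMPLE_ERROR = base64.b64encode(json.dumps(
    {"status": "400", "schemes": "Bearer", "scope": "https://mail.google.com/"}
).encode()).decode()
SAMPLE_LOG = [
    "S: * OK IMAP server ready (constructed)",
    "C: A00000001 AUTHENTICATE XOAUTH2 " + build_xoauth2("user@example.com", "fake-token"),
    "S: + " + SAMPLE_ERROR,
    "C: ",
    "S: A00000001 NO [AUTHENTICATIONFAILED] Invalid credentials (Failure)",
]

if __name__ == "__main__":
    for side, detail in inspect_log(SAMPLE_LOG):
        print(side, detail)
```

The decoded `user` field shows the identity the client actually presented, and the decoded `scope` shows what the server expected, without printing the token itself.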
@jstedfast, this is the log I get:

Connected to imaps://imap.gmail.com:993/

Of course it's possible my service account is not set up correctly. But if I would know the correct Google cloud settings (in terms of roles, rights, permissions, keys, or whatever) then I can easily set that up since I have full control in the cloud console. Just a simple roadmap to have the basics working is essentially all I need. Already gone through your page at https://github.com/jstedfast/MailKit/blob/master/GMailOAuth2.md, but there is no service account section.

Hope this logging helps in getting me out of the dirt!
@jstedfast Above log was btw with the service account, this is the log using the real google account.

Connected to imaps://imap.gmail.com:993/

Slightly different, but still failing. However, hope this gives some new clues.
You could try using
@jstedfast So taking one step back... Honestly, I think it is entirely possible that I am missing some project setting in the google cloud console, like a hidden checkbox somewhere that needs ticked, a missing permission, etc. So is there a general/practical use case where MailKit has actually worked with a google service account? At this point I don't really care about security, just functionality. So I have no problem setting everything 'open' to the world, as long as I can read mails. All the fine-tuning can come later.
There's nothing that I know of that I can just point to, unfortunately, because of the nature of open source (kinda can't go checking-in code with credentials into a public repo).

I know for sure that I have personally gotten it to work in the past and I'm pretty sure I just used the normal email address for my account, but this was probably going on 4-5 years ago at this point and is what I based some of my original documentation on.

The best I can suggest to you is to go back to the docs and reread them and follow the steps to make sure you didn't miss anything. Verify that you set the proper scope (https://mail.google.com and not SMTP.Send or whatever they called it).

You could also try setting up an app-specific password (not sure if that is still an option, but it used to be) to bypass OAuth altogether.

I truly hate OAuth. I get so many questions every week from people who are struggling with setting it up and I can never help them because all I can say is "RTFM". There's absolutely nothing I can do from my end or MailKit's end. It's all up to you to properly configure it. I don't even know what options are available in Google's configuration screens anymore.

FWIW, both Google and Microsoft essentially consider IMAP/SMTP/etc to be "dead" and don't really want you using those protocols anyway. They want you to use their HTTP REST APIs:
Yeah... 2 years ago I already had to implement MS Graph support, which succeeded by the way. I was able to create a flow where I read mail messages in a stream and directly pass it to my good old parsing routine which uses a MimeKit object for all content parsing ( In this case, I at least already found a way to extract a similar format (.eml) using the Google API GmailService(), so in that regard I can hopefully blend it in smoothly, using this Google API (again) for just the fetching part.

The only wall I keep hitting is that even Google's own API does not seem to accept a service account, only a standard 'OAuth Client ID' which gives me a browser page for consent. And although that works in my simple console test app (I can fetch mails after the consent), this cannot be used in our production env because we use a Windows Service to fetch mails and store them in a database, all in the background, fully unattended, for numerous mailboxes. And this service (obviously) has no user interface, plus no one is logged into the server where this service runs. And even when someone would occasionally log in, it will never be under the same username as the service. So no one will ever be able to see a consent screen (I think, didn't try. But is unacceptable anyway, I guess the service would even get stuck immediately and stops processing altogether, waiting for a response that never comes).

It's all very frustrating, since most Google docs seem out of date or broken. Links don't work like they should, most info and code is obsolete, it's a real mess. In about a month's time it becomes mandatory to use OAuth when fetching mails from gmail, so I hope I will find a solution before then (fingers crossed).

But thanks for everything! (When I find a solution, I will post it here for others)
Hi, I have the same problem! Has someone found a solution to that?
I am really having trouble getting through the 'Authenticate' step in MailKit.
I need to use a Google Service Account since I read all mails in the background from a Windows Service without any user interface.
I can already get a token, but the final 'Authenticate' step still fails. Tried about a thousand things, to no avail.
In the Google Cloud console, I created a new custom Role with these permissions:
iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
iam.serviceAccounts.implicitDelegation
iam.serviceAccounts.list
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
(I selected about all that could even remotely be associated with tokens and service accounts)
Then I added this role to the Service Account, both the gserviceaccount.com one and my own.
I created a KEY and downloaded the JSON file. The content of that is in my JSONdata variable.
Like this (a bit scrambled here and there)
And this is basically what I have so far:
`
`
Output:
I even took these steps with both my personal gmail account as well as my corporate account, but same results.
It's really driving me crazy, I already spent several days on this.
What am I doing wrong here? Hope someone can help!