OAUTH reading gmail account

To get my head around OAuth2 I bought a book with the same title by Matt Biehl. This gives a good overview of the internals and use of OAuth2.

This post is about accessing Gmail accounts using Google's OAuth2 authorisation process.

Essentially this is a conversation involving multiple parties/servers and goes something like this:

  1. register app with Google
  2. app sends request to Google's OAuth2 server: I would like to get access to emails from a specific account
  3. OAuth server sends mail to email account owner: do you agree in general y/n
  4. OAuth server sends mail to email account owner: do you agree to this app specifically y/n
  5. OAuth server sends authorisation code to app
  6. app sends to oauth/token: authorisation code, client id and client secret
  7. OAuth server sends an access token to app
  8. app sends access token to Gmail server
  9. Gmail server checks with OAuth server if all ok y/n
  10. Gmail server sends email info to app


1 Register app (manual)

Go to https://console.developers.google.com and start a new project. Select this project and enable the Gmail API. The next steps are to create the credentials for this project. Set the type of project to 'call Gmail API from webbrowser' and give it a redirect URI (http://www.lynkfs.com/oauth2callback), which is used to receive the access code later on. Also supply the Gmail account.

The output of this process is a client-id and a client-secret. The JSON output looks something like this:




2-5 Request permissions (browser)

This process uses the generated codes from the previous step:


Note that the redirect_uri and scope are in urlencoded format (use https://www.urlencoder.org to get this encoding).

This generates a warning that the app is not yet verified by Google, which can be ignored for now. It also asks the Gmail account owner whether it is ok to give permission to access emails. When all is good, it redirects to the specified endpoint with an access code, where 'code' is the access code:




6-10 Getting emails (app)

The access code, client ID and client secret are used for a verification process by Google's OAuth server. This is initiated by the app through a normal XMLHttpRequest, specifying 'POST', a content-type header ('application/x-www-form-urlencoded') and form fields for the access code, client ID and client secret.

The curl command below emulates this POST request. (cURL has been included in Windows since Windows 10 and can be used from a terminal window (cmd).)

curl -X POST -H "content-type: application/x-www-form-urlencoded" -d "grant_type=authorization_code&code=**********oOs4d1E5Ud-uFIUGocpqJLNGvEz07_pWXEHbJzAe-XfhRa3oqb_iSa3KfavmhS96m2dfW30RxgVG9bo#&redirect_uri=http%3A%2F%2Fwww.lynkfs.com%2Foauth2callback&client_id=**********54-g488vat18lh9letonlclj82mpisso25o.apps.googleusercontent.com&client_secret=**********fbob3FiixcNkGO" "https://accounts.google.com/o/oauth2/token"


The response to this request is an access token:

{
  "access_token" : "**********ZUMtl3tRxBaubj7CkGohXnKyqZetVwgd-PDEBBdXwsQyS6OMlYw7EVUgsI31KpZ-d0FRGD3uF6P-A4qHLbE_zEaIS5t0ypHon8Ujr4SY2-qGZgvayHETa_u",
  "expires_in" : 3600,
  "token_type" : "Bearer"
}


which is then used to access the actual Gmail server:

curl -H "Authorization: Bearer **********ZUMtl3tRxBaubj7CkGohXnKyqZetVwgd-PDEBBdXwsQyS6OMlYw7EVUgsI31KpZ-d0FRGD3uF6P-A4qHLbE_zEaIS5t0ypHon8Ujr4SY2-qGZgvayHETa_u" "https://www.googleapis.com/gmail/v1/users/lynkfs@gmail.com/messages"


The response is a list of email ids:

   "threadId": "16365b4d517c6efb"
   "id": "1636587e232e2b8d",
   "threadId": "1636587e232e2b8d"
   "id": "16364296ff92443a",
   "threadId": "16364296ff92443a"
   "id": "1636420869e48b44",
   "threadId": "1636420869e48b44"
   "id": "16363f9ada40efd7",
   "threadId": "16363f9ada40efd7"


Each of these can be accessed individually by appending the id to the previous request (.....@gmail.com/messages/16363ac8731244e4),

and the final email details are a JSON structure looking like:

 "id": "16363ac8731244e4",
 "threadId": "16363ac8731244e4",
 "labelIds": [
 "snippet": "Hey LynkFS, Since the Community Facebook Group was launched last year, we've grown, found our voice, and watched our customers find theirs. It's an amazing experience, and for those of",
 "historyId": "4398240",
 "internalDate": "1526385618000",
 "payload": {
  "partId": "",
  "mimeType": "multipart/alternative",
  "filename": "",
  "headers": [
    "name": "Delivered-To",
    "value": "lynkfs@gmail.com"

etc etc.
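The steps above (2, 5, 6, 7 and 8), as an added example that is not code from the original post: pure helpers that build and check each message of the flow without touching the network, so the URL and POST body can be inspected before they are sent with curl or an XMLHttpRequest. The authorization endpoint, the gmail.readonly scope, the `state` check on the callback and the expiry check before the Gmail call are assumptions added here (the post does not show them); all credentials are constructed placeholders.

```javascript
// Added example, not from the original post. Endpoints marked "from the post"
// are the ones used there; the rest are assumptions.
const AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"; // assumed
const TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token";   // from the post
const GMAIL_API = "https://www.googleapis.com/gmail/v1/users";         // from the post
const SCOPE = "https://www.googleapis.com/auth/gmail.readonly";        // assumed: read-only is enough to list/read mail

// Step 2: the URL the browser is sent to. URLSearchParams produces the
// application/x-www-form-urlencoded encoding the post obtains from urlencoder.org.
// `state` is a random per-request value that the callback must echo back.
function buildAuthUrl({ clientId, redirectUri, state }) {
  const q = new URLSearchParams({
    response_type: "code", client_id: clientId, redirect_uri: redirectUri, scope: SCOPE, state,
  });
  return `${AUTH_ENDPOINT}?${q}`;
}

// Step 5: parse the redirect back to redirect_uri. Accept the code only when the
// echoed state matches the one we issued, so a code we never asked for is ignored.
function parseCallback(callbackUrl, expectedState) {
  const u = new URL(callbackUrl);
  if (u.searchParams.get("state") !== expectedState) throw new Error("state mismatch");
  const code = u.searchParams.get("code");
  if (!code) throw new Error(u.searchParams.get("error") || "no code in callback");
  return code;
}

// Step 6: body of the POST to TOKEN_ENDPOINT, same fields as the curl command.
// The client secret belongs on a server; it must not be shipped in browser JavaScript.
function buildTokenBody({ code, clientId, clientSecret, redirectUri }) {
  return new URLSearchParams({
    grant_type: "authorization_code", code, redirect_uri: redirectUri,
    client_id: clientId, client_secret: clientSecret,
  }).toString();
}

// Step 7: validate the token response and turn expires_in (seconds) into an absolute time.
function parseTokenResponse(json, nowMs = Date.now()) {
  const t = JSON.parse(json);
  if (t.token_type !== "Bearer" || typeof t.access_token !== "string" || !(t.expires_in > 0)) {
    throw new Error("unexpected token response");
  }
  return { accessToken: t.access_token, expiresAt: nowMs + t.expires_in * 1000 };
}

// Step 8: URL and Authorization header for the Gmail call; messageId is optional
// (omit it to list messages, as in the post). Refuses to use an expired token.
function buildGmailRequest(token, user, messageId, nowMs = Date.now()) {
  if (nowMs >= token.expiresAt) throw new Error("access token expired; re-run the flow");
  const path = messageId ? `/messages/${encodeURIComponent(messageId)}` : "/messages";
  return { url: `${GMAIL_API}/${user}${path}`, headers: { Authorization: `Bearer ${token.accessToken}` } };
}
```

The body returned by buildTokenBody is exactly what the `-d` argument of the curl command carries, with the masked values replaced by your own.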

OAuth2 can be used not only to access Gmail accounts but also all 30-odd other Google services, as well as Facebook, LinkedIn and many more service providers.

Takes a bit of doing but once set up it is quite easy to use.
