SmtpAuthentication.OAuth20 authentication failing for Gmail.

0 votes
asked Sep 14, 2016 by santoshgh (210 points)
retagged Nov 17, 2016 by Tomas Knopp

OAuth20 authentication is failing for Gmail.

Below is the smtpException I am getting:
"OAUTH: Bad authentication request (400)."

Below is the code snippet:

    try
    {
        Smtp client = new Smtp();
        client.Connect("smtp.gmail.com", SslMode.Implicit);

        string accessToken = GetAccessToken();
        // which gives the valid access token: ya29.Ci9eAx9cGKj2yV2KJ08v0uGbdE2EhIYPMRW2Vx0Dmzo5sQWP4SfdV2nDdkVDKFZN9Q

        // prepare token: XOAUTH2 string "user=<email>^Aauth=Bearer <token>^A^A", then base64-encode it
        string pattern = string.Format("user={0}{1}auth=Bearer {2}{1}{1}", userEmailId, '\x1', accessToken);
        string token = Convert.ToBase64String(Encoding.ASCII.GetBytes(pattern));

        client.Login(token, SmtpAuthentication.OAuth20);
    }
    catch (SmtpException ex)
    {
        // ex.Message: "OAUTH: Bad authentication request (400)."
    }

Kindly let me know if there is anything that I am missing out...

Regards
Santosh

Applies to: Rebex Secure Mail

1 Answer

0 votes
answered Sep 14, 2016 by Lukas Matyska (39,520 points)
selected Nov 16, 2016 by santoshgh
 
Best answer

It is hard to say what is wrong. The error message is very general and I don't know what the GetAccessToken method does.

However, I have a couple of ideas about what can be wrong:

  1. email doesn't match the token
  2. access token is already in XOAUTH2 format
  3. access token has already expired and needs to be refreshed

We wrote a blog post about using OAUTH with Gmail.

Please follow the steps there and you should be able to diagnose the problem or at least make your program work.

commented Oct 29, 2016 by santoshgh (210 points)
Hi Lukas,

Thanks for the above reply and sorry for reverting back so late on this thread. The issue was with the scope of the Gmail authorization request.

Issue:
If the scope is "view and manage mail" (https://mail.google.com), I am able to log in to the Smtp client and send the mail, but if I reduce the scope to just Gmail.Send (https://www.googleapis.com/auth/gmail.send), which is all I need in my case, I am getting SmtpException: OAUTH: Bad authentication request (400) error...

Queries:
Is it possible to just use scope Gmail.Send to send the mail using Rebex secure mail?

It's a business requirement to keep the blast radius as small as possible in case someone is able to impersonate OAuth tokens...

Regards
Santosh
(Intuit India)
commented Oct 31, 2016 by Lukas Matyska (39,520 points)
Hello,

It is a Gmail configuration question. I don't know what Google requires for `gmail.send`. Please try to ask Google what should be set in this case. The Rebex part is only to take the provided token and send it to Google in the authorization process.

However, I have an idea. Try to add `profile` and/or `email` into the scope array. The values are described at https://developers.google.com/identity/protocols/googlescopes#google_sign-in
commented Nov 14, 2016 by santoshgh (210 points)
Hi Lukas,

Tried adding profile and email to scope but NO success.

However, we are able to send the mail using Google libraries with just the scope (https://www.googleapis.com/auth/gmail.send).

Currently we are using Rebex 1.0 and want to upgrade to the latest version. Kindly share the point of contact..

Regards
Santosh
commented Nov 14, 2016 by Lukas Matyska (39,520 points)
As a registered user, use https://www.rebex.net/protected/ to manage your orders.
commented Nov 15, 2016 by Lukas Matyska (39,520 points)
I did a little research on this issue on the internet and found that the only applicable scope for IMAP and SMTP access is "https://mail.google.com/" (Full access).

See: https://developers.google.com/gmail/xoauth2_protocol#oauth_20_scopes.

Line: The scope for IMAP and SMTP access is https://mail.google.com/.

It seems that restricted permissions are available only when using the Gmail API directly (https://developers.google.com/gmail/api/).
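
An added example, not part of the thread and not Rebex code: a pre-flight check that runs before `Login` and covers the causes listed in the answer (mailbox mismatch, a token that is already an XOAUTH2 string, expiry) plus the scope requirement quoted above. The class and method names are hypothetical, the sample values are constructed, and the granted scopes and expiry are assumed to come from the OAuth token response.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
static class XOAuth2Preflight  // hypothetical helper, not a Rebex API
{
    // Scope the thread identifies as required for Gmail IMAP/SMTP access.
    const string MailScope = "https://mail.google.com";
    // XOAUTH2 string: base64("user=" email ^A "auth=Bearer " token ^A ^A).
    // \u0001 is used because "\x01auth" would parse as \x01a followed by "uth".
    public static string BuildToken(string email, string accessToken) =>
        Convert.ToBase64String(Encoding.ASCII.GetBytes(
            "user=" + email + "\u0001auth=Bearer " + accessToken + "\u0001\u0001"));

    // Returns the problems found; an empty list means the inputs look usable for SMTP login.
    public static List<string> Check(string email, string accessToken,
        string grantedScopes, DateTime expiresUtc, DateTime nowUtc)
    {
        var problems = new List<string>();
        // Already an XOAUTH2 string? Wrapping it a second time yields a malformed request.
        if (TryDecode(accessToken, out string decoded)
            && decoded.StartsWith("user=", StringComparison.Ordinal))
        {
            problems.Add("token is already in XOAUTH2 format");
            string user = decoded.Split('\u0001')[0].Substring(5);
            if (!user.Equals(email, StringComparison.OrdinalIgnoreCase))
                problems.Add("XOAUTH2 string names " + user + ", not " + email);
        }
        if (expiresUtc <= nowUtc)
            problems.Add("access token expired, refresh it first");
        // OAuth 2.0 token responses list granted scopes separated by spaces.
        if (!grantedScopes.Split(' ').Any(s => s.TrimEnd('/') == MailScope))
            problems.Add("granted scopes lack " + MailScope + "/");
        return problems;
    }
    static bool TryDecode(string s, out string text)
    {
        try { text = Encoding.ASCII.GetString(Convert.FromBase64String(s)); return true; }
        catch (FormatException) { text = ""; return false; }
    }
    static void Main()
    {
        var now = new DateTime(2016, 11, 15, 12, 0, 0, DateTimeKind.Utc);
        // Constructed sample values, not real credentials.
        string wrapped = BuildToken("other@example.com", "ya29.constructed-sample");
        foreach (string p in Check("user@example.com", wrapped,
                 "https://www.googleapis.com/auth/gmail.send email", now.AddMinutes(-5), now))
            Console.WriteLine(p);
    }
}
```

A raw access token is opaque, so the mailbox comparison only fires when an already-wrapped XOAUTH2 string is passed in; for a raw token the mailbox has to be compared against the account that granted consent.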
commented Nov 16, 2016 by santoshgh (210 points)
Thanks Lukas for the quick reply. It worked for Gmail.

But running into a similar issue for Outlook with scope: openid+offline_access+profile+https://outlook.office.com/mail.send.. Any inputs from you in this regard can really help...
commented Nov 16, 2016 by Lukas Matyska (39,520 points)
Hello. I have just answered a similar question. Please look at http://forum.rebex.net/6650/error-for-outlook-oauth2?show=6653#a6653
commented Nov 17, 2016 by santoshgh (210 points)
Thanks Lukas
...