SmtpAuthentication.OAuth20 authentication failing for Gmail.

Question

OAuth20 authentication is failing for Gmail.

Below is the smtpException I am getting:
"OAUTH: Bad authentication request (400)."

Below is the code snippet:

try{
        Smtp client = new Smtp();
        client.Connect("smtp.gmail.com", SslMode.Implicit);

        string accessToken = GetAccessToken();
        // which gives the valid access token: ya29.Ci9eAx9cGKj2yV2KJ08v0uGbdE2EhIYPMRW2Vx0Dmzo5sQWP4SfdV2nDdkVDKFZN9Q

        // prepare token
        string pattern = string.Format("user={0}{1}auth=Bearer {2}{1}{1}", userEmailId, '\x1', accessToken);
        string token = Convert.ToBase64String(Encoding.ASCII.GetBytes(pattern));

        client.Login(token, SmtpAuthentication.OAuth20);
    }
    catch(SmtpException ex)
    {}

Kindly let me know if there is anything that I am missing out...

Regards
Santosh

Answer 1

It is hard to say, what is wrong. The error message is very general and I don't known what the GetAccessToken method does.

However, I have couple of ideas what can be wrong:

1. email doesn't match the token
2. access token is already in XOAUTH2 format
3. access token has already expired and needs to be refreshed

We wrote a blog post about using OAUTH with Gmail.

Please follow the steps there and you should be able to diagnose the problem or at least make your program working.

Comments

Hi Lukas,

Thanks for the above reply and sorry for reverting back so late on this thread. Issue was with the Scope of Gmail authorization request.  

Issue:
If the scope is "view and mange mail" ( https://mail.google.com), I am able to login into Smtp client and able to send the mail but but if i reduce the scope to just Gmail.Send (https://www.googleapis.com/auth/gmail.send)  which is all i need in my case. I am getting SmtpException:  OAUTH: Bad authentication request (400) error...

Queries:
Is it possible to just use scope Gmail.Send to send the mail using Rebex secure mail?

Its a business requirement to keep the  blast radius as small as possible is case someone is able to impersonate oauth tokens...

 Regards
Santosh
(Intuit India)

---

Hello,

it is a Gmail configuration question. I don't know what Google requires for `gmail.send`. Please, try to ask Google, what should be set in this case. The Rebex part is only to take provided token and send it to Google in authorization process.

However I have an idea. Try to add `profile` and/or `email` into scope array. The values are described at https://developers.google.com/identity/protocols/googlescopes#google_sign-in

---

Hi Lukas,


Tried adding profile and email to scope but NO success,

However We are able to send the mail using google libraries  with just the  scope https://www.googleapis.com/auth/gmail.send).

Currently we are using Rebex 1.0 and want to upgrade to the latest version. Kindly share the point of contact..

 Regards
Santosh

---

As registered user, use https://www.rebex.net/protected/ to manage your orders.

---

I did a small research on this issue on internet and I have found that only applicable scope for IMAP and SMTP access is "https://mail.google.com/" (Full access).

See: https://developers.google.com/gmail/xoauth2_protocol#oauth_20_scopes.

Line: The scope for IMAP and SMTP access is https://mail.google.com/.

It seems that restricted permissions are available only when using Gmail API directly (https://developers.google.com/gmail/api/).

---

Thanks Lukas for the quick reply.  It worked for Gmail

 But running into similar issue for Outlook with scope : openid+offline_access+profile+https://outlook.office.com/mail.send.. Any inputs from you in this regard can really help...

---

Hello. I have just answered similar question. Please look at http://forum.rebex.net/6650/error-for-outlook-oauth2?show=6653#a6653

---

Thanks Lukas