Using Google API with service account credentials in no domain account
I am creating a web service that needs to read a regular Gmail inbox (not part of a domain).
code:
String serviceAccountEmail = "1234567890@developer.gserviceaccount.com";
var certificate = new X509Certificate2(@"key.p12", "notasecret", X509KeyStorageFlags.Exportable);
ServiceAccountCredential credentials = new ServiceAccountCredential(
new ServiceAccountCredential.Initializer(serviceAccountEmail)
{
Scopes = new string[] { GmailService.Scope.GmailModify },
User = "user@gmail.com"
}.FromCertificate(certificate));
var service = new GmailService(new BaseClientService.Initializer()
{
HttpClientInitializer = credentials,
ApplicationName = ApplicationName,
});
UsersResource.MessagesResource.ListRequest allMessages = service.Users.Messages.List("me");
IList<Message> messages = allMessages.Execute().Messages;
Mistake:
An unhandled exception of type 'Google.Apis.Auth.OAuth2.Responses.TokenResponseException' occurred in Google.Apis.dll
Additional information: Error:"unauthorized_client", Description:"Unauthorized client or scope in request.", Uri:""
I see no reason why this doesn't work, but after reading this , it looks like you cannot use the service account credentials in the personal @gmail account. Does anyone know if this is true or what I am doing wrong?
Any help is appreciated!
Update
If I change Scope
to GmailService.Scope.GmailReadonly
, I can view the mail, but I cannot change the labels that are required for me.
source to share
The service account is a bogus user, can have its own gmail account, but I doubt it (I never tested it either). For a service account to be able to access your data, it must be granted permission to access it.
Like any other user, the service account will not have access to your email, since as far as I know there is no way to give another user or service account access to users' email.
Let's take a Google calendar as an example. If I have provided the email address of the service account accessing the calendar in my account, he will be able to read it. If I give him access to a folder on my google drive, he can read that as well. Typically, you add the address of the service account as a user, as if you could use any other user if you can, and then the service account can access the data.
It also doesn't work on Blogger and YouTube because you can't add an email address to give another user access to your account. As far as I know, there is no way to give another person or email access to your Gmail. You will need to use OAUTH2 and authenticate the user.
source to share