Connect to Google via OAuth2

I shamelessly plagiarized this from Lev and have not worked with him to simplify this document yet - we try and shorten it with a video.

Create OAuth2 Client

  • Click on ENABLE API AND SERVICES

  • Search for Gmail API and enable it

  • Select OAuth consent screen

  • Type custom Application Name (to be displayed with consent screen)

  • Select User type to be Internal

  • Optionally upload icon file

  • Add scopes

Optionally add authorized domain

  • Select Credentials and click on “+CREATE CREDENTIALS”

Select OAuth Client ID

 

  • Select “Other” and type name of your choice

Authenticate To Google

… and obtain Authentication Token

Now is time for one time authentication with Google. This manual step need to be done only once.

  • Construct URL as in example below, using real Application Client ID value and real Scopes value

https://accounts.google.com/o/oauth2/auth?client_id=[Application Client Id]&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=[Scopes]&response_type=code

https://accounts.google.com/o/oauth2/auth?client_id=429737536994-s7relij60hk56e9e5o3d2beg3ol1q9tr.apps.googleusercontent.com&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=https://mail.google.com/&response_type=code
  • Paste this URL in any browser. You will be redirected to authenticate with Google using standard Sign in dialog. Upon successful authentication read the message from Google and click on “Allow” button. The authorization_code will be provided to you.

  • Copy and save it for later use. Close this window.

Configure Iguana

Authorization Token exchange

  • Open Translator project.

  • Toggle Auto-execution to DISABLED. We don’t want script to run before configuration editing is completed, because the authorization_code is one time use code.

  • Edit file cfg.lua

    • Paste client_id

    • Paste client_secret

    • Paste authorization_code

    • Set cfg.key to random very long string. This will be used to decrypt encrypted configuration values on the fly during script execution.

    • Set cfg.user_id = ‘me@domain.com’ –- replace ‘me@domain.com’ with your real email address with Gmail. It has to be same Gmail user for whom Application Client was created

  • Execute the script.

  • Freeze any activity (to preserve Annotations content “as is” for a while) and examine content of Annotations.

  • Function trace() visualizes the value of access_token provided by Google

 

  • For purpose of this demonstration, receiving “parseError” in reply to function call “client:send_email()“ means we have successfully passed the OAuth2 authentication. We receive parse_error because in this demonstration we don’t pass any valid “body” for the email to be sent. Composing valid email body is not part of this tutorial article, although complete sample code is included with this OAuth2 sample project. The Gmail example is totally intuitive for one who examines its sample code.

Only to prove the concept, here is example of execution with entire email message, in an RFC 2822 formatted and base64url encoded string, passed in argument to function call client:send_email()

To complete this tutorial, remove parts of code which aren't required in Production environment.

  • Edit main.lua to remove 2 no longer needed function calls:

    • client:exchange_authorization()

    • trace(client.access_token('access_token', 'r'))

  • Edit configuration file to remove lines containing private data. All together, 5 lines of code are removed.

    • cfg.client_id = '429737536994 … gleusercontent.com'

    • cfg.client_secret = 'rtjxqqQXUg … y7pySFjXs'

    • cfg.authorization_code = 'vcWMHC … mRiR_pZC-k'

    • config.save{password=cfg.client_id, config='application_client_id.xml', key=cfg.key}

    • config.save{password=cfg.client_secret, config='application_client_secret.xml', key=cfg.key}

In Production

Demonstrated code can be integrated with various Iguana Translator projects. With or without the included Gmail example.

Depending on the goals of any given Iguana Translator project, any other additional API offered by Google can be added to Application’s authentication scope.

In Production deployment, the Authorization Token exchange step [the call to “client:exchange_authorization()“] can be skipped.

Instead, four known upfront values for

  • access_token

  • refresh_token

  • client_id

  • client_secret

… can be written to encrypted files by calling config.save() as part of deployment procedure. The value cfg.key is same value as in respective production google/cfg.lua file.

config.save{password='known refresh token', config='application_client_refresh_token.xml', key=cfg.key} config.save{password='known access token', config='application_client_access_token.xml', key=cfg.key} config.save{password='known client_id', config='application_client_id.xml', key=cfg.key} config.save{password='known client_secret', config='application_client_secret.xml', key=cfg.key}

Important aspect to keep in mind is that if more than single channel is using same token, this token will be forced to refresh concurrently. The refresh may occur quite frequently and to hit Google’s quota for the rate. Wherever is possible, consider to use dedicated Application Client with each Translator Project.

Files

Project can be downloaded from /ClientSolutions/IGUANA_CHANNEL_VERSION-6_1_0/OAuth2_with_Google-From-rFC14vH9kjC9PC

Separate example of how to compose outbound email item for Gmail can be downloaded from /ClientSolutions/IGUANA_CHANNEL_VERSION-6_1_0/OAuth2_with_Google-From-rFC14vH9kjC9PC