Connect to Google via OAuth2
I shamelessly plagiarized this from Lev and have not worked with him to simplify this document yet - we try and shorten it with a video.
Create OAuth2 Client
Login into console.developers.google.com with Gmail login name
Click on ENABLE API AND SERVICES
Search for Gmail API and enable it
Select OAuth consent screen
Type custom Application Name (to be displayed with consent screen)
Select User type to be Internal
Optionally upload icon file
Add scopes
email
profile
openid
Optionally add authorized domain
Select Credentials and click on “+CREATE CREDENTIALS”
Select OAuth Client ID
Select “Other” and type name of your choice
Authenticate To Google
… and obtain Authentication Token
Now is time for one time authentication with Google. This manual step need to be done only once.
Construct URL as in example below, using real Application Client ID value and real Scopes value
https://accounts.google.com/o/oauth2/auth?client_id=[Application Client Id]&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=[Scopes]&response_type=code
https://accounts.google.com/o/oauth2/auth?client_id=429737536994-s7relij60hk56e9e5o3d2beg3ol1q9tr.apps.googleusercontent.com&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=https://mail.google.com/&response_type=code
Paste this URL in any browser. You will be redirected to authenticate with Google using standard Sign in dialog. Upon successful authentication read the message from Google and click on “Allow” button. The authorization_code will be provided to you.
Copy and save it for later use. Close this window.
Configure Iguana
Authorization Token exchange
Open Translator project.
Toggle Auto-execution to DISABLED. We don’t want script to run before configuration editing is completed, because the authorization_code is one time use code.
Edit file cfg.lua
Paste client_id
Paste client_secret
Paste authorization_code
Set cfg.key to random very long string. This will be used to decrypt encrypted configuration values on the fly during script execution.
Set cfg.user_id = ‘me@domain.com’ –- replace ‘me@domain.com’ with your real email address with Gmail. It has to be same Gmail user for whom Application Client was created
Execute the script.
Freeze any activity (to preserve Annotations content “as is” for a while) and examine content of Annotations.
Function trace() visualizes the value of access_token provided by Google
For purpose of this demonstration, receiving “parseError” in reply to function call “client:send_email()“ means we have successfully passed the OAuth2 authentication. We receive parse_error because in this demonstration we don’t pass any valid “body” for the email to be sent. Composing valid email body is not part of this tutorial article, although complete sample code is included with this OAuth2 sample project. The Gmail example is totally intuitive for one who examines its sample code.
Only to prove the concept, here is example of execution with entire email message, in an RFC 2822 formatted and base64url encoded string, passed in argument to function call client:send_email()
To complete this tutorial, remove parts of code which aren't required in Production environment.
Edit main.lua to remove 2 no longer needed function calls:
client:exchange_authorization()
trace(client.access_token('access_token', 'r'))
Edit configuration file to remove lines containing private data. All together, 5 lines of code are removed.
cfg.client_id = '429737536994 … gleusercontent.com'
cfg.client_secret = 'rtjxqqQXUg … y7pySFjXs'
cfg.authorization_code = 'vcWMHC … mRiR_pZC-k'
config.save{password=cfg.client_id, config='application_client_id.xml', key=cfg.key}
config.save{password=cfg.client_secret, config='application_client_secret.xml', key=cfg.key}
In Production
Demonstrated code can be integrated with various Iguana Translator projects. With or without the included Gmail example.
Depending on the goals of any given Iguana Translator project, any other additional API offered by Google can be added to Application’s authentication scope.
In Production deployment, the Authorization Token exchange step [the call to “client:exchange_authorization()“] can be skipped.
Instead, four known upfront values for
access_token
refresh_token
client_id
client_secret
… can be written to encrypted files by calling config.save() as part of deployment procedure. The value cfg.key is same value as in respective production google/cfg.lua file.
config.save{password='known refresh token', config='application_client_refresh_token.xml', key=cfg.key}
config.save{password='known access token', config='application_client_access_token.xml', key=cfg.key}
config.save{password='known client_id', config='application_client_id.xml', key=cfg.key}
config.save{password='known client_secret', config='application_client_secret.xml', key=cfg.key}
Important aspect to keep in mind is that if more than single channel is using same token, this token will be forced to refresh concurrently. The refresh may occur quite frequently and to hit Google’s quota for the rate. Wherever is possible, consider to use dedicated Application Client with each Translator Project.
Files
Project can be downloaded from /ClientSolutions/IGUANA_CHANNEL_VERSION-6_1_0/OAuth2_with_Google-From-rFC14vH9kjC9PC
Separate example of how to compose outbound email item for Gmail can be downloaded from /ClientSolutions/IGUANA_CHANNEL_VERSION-6_1_0/OAuth2_with_Google-From-rFC14vH9kjC9PC