Client is unauthorized to retrieve access tokens using this method Gmail API C#

Question

I am getting the following error when i tried to authorize gmail api using service account

"Client is unauthorized to retrieve access tokens using this method"

static async Task MainAsync()
    {

        sstageEntities db = new sstageEntities();
        //UserCredential credential;
        Dictionary<string, string> dictionary = new Dictionary<string, string>();    
String serviceAccountEmail =
"xxx.iam.gserviceaccount.com";

        var certificate = new X509Certificate2(
            AppDomain.CurrentDomain.BaseDirectory +
              "xxx-8c7a4169631a.p12",
            "notasecret",
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable);

        //string userEmail = "user@domainhere.com.au";

        ServiceAccountCredential credential = new ServiceAccountCredential(
            new ServiceAccountCredential.Initializer(serviceAccountEmail)
            {
                User = "xxx@xxx.com",
                Scopes = new[] { "https://mail.google.com/" }
            }.FromCertificate(certificate)
        );


        // Create Gmail API service.
        var gmailService = new GmailService(new BaseClientService.Initializer()
        {
            HttpClientInitializer = credential,
            ApplicationName = ApplicationName,
        });

        // Define parameters of request.

        var emailListRequest = gmailService.Users.Messages.List("xxx@xxx.com");
        emailListRequest.LabelIds = "INBOX";
        emailListRequest.IncludeSpamTrash = true;
        emailListRequest.Q = "from:bpm@xxx.co.in is:unread";



        //Get our emails
        var emailListResponse = await emailListRequest.ExecuteAsync();

I am using the p12 key which i got while creating service account.But when i run my console app the following error occurs.Any help would be really appreciated.

Thanks in advance !

Answer 1

Adding to @Shane's answer (I can't comment yet), which correctly links to the documentation for domain-wide delegation for service accounts

• https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority

it may be helpful to point out that specific JWT error responses and their prescribed resolutions are mentioned on that page:

• https://developers.google.com/identity/protocols/oauth2/service-account#error-codes.

Further: The error the original poster provided is in there, and the prescribed resolution specifically mentions removing and re-adding the client in the domain-wide delegation tool

• https://admin.google.com/u/1/ac/owl/domainwidedelegation

This worked for me when I started getting that error response while using an existing client.

Answer 2

In case it helps anyone, I found that I had to enable the https://mail.google.com scope on the Google Workspace domain-wide delegation page.

This despite the fact that I needed only these two scopes for my application:

• https://www.googleapis.com/auth/gmail.send
• https://www.googleapis.com/auth/gmail.compose

At first I added just those two (send and compose) to the Google Cloud > APIs & Services > OAuth consent screen > Edit App > Scopes page (https://console.cloud.google.com/apis/credentials/consent/edit?project=project-name) and to the Google Workspace domain-wide delegation page (https://admin.google.com/ac/owl/domainwidedelegation)

But I would still get the error message: unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.

The only solution was to enable the https://mail.google.com scope on the Google Workspace domain-wide delegation page. This is the furthest reaching scope which is concerning, but I was able to retain only the send and compose scopes in the actual API configuration.

Answer 3

FWIW, since I'm too new to comment, DalmTo and Shane's answers pointed me in the right direction for my problem, which was that new functionality that I had added to an existing script (PHP) needed authorization of additional scopes for the service account. In my case, I'm working with the GMail API.

Besides the path mentioned in the Google documentation page that Shane cited, you can also go to https://admin.google.com/ac/owl/domainwidedelegation, where you can manage domain-wide delegation in a slightly different interface (I actually prefer it). I got to that page via Security > API Permissions, then clicking on the notice about those settings moving to App Access Control, where there's a "Manage Domain Wide Delegation" link at the bottom.

Answer 4

I had the same issue and it took me a while to realise what I was missing. I had already set Domain-wide authority in the service account setting. However, I had not added the clientid and API scope (e.g https://www.googleapis.com/auth/gmail.send, or https://mail.google.com/) in the Domain security settings, as per the link and screenshot below.

https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority

Specifically, these steps:

Answer 5

In my case authorization was given to an old client id in https://admin.google.com/

After providing the scopes with correct client ID it started to work. (Use the guide link mentioned by DalmTo in above answer.

Answer 6

The service account needs to be authorized or it cant access the emails for the domain.

"Client is unauthorized to retrieve access tokens using this method"

Means that you have not authorized it properly check Delegating domain-wide authority to the service account