JulienG

Reputation: 188

Access Gmail email with OAuth for intranet webapp

I have a web app deployed on 50 clients (i.e. 50 servers); let's say each client has 50 end clients each (so 2500 end users in total).

I want to allow the end users to retrieve their email on their dashboard, including Gmail emails.

I began to follow Google's instructions about it. I will make my auth fully client-side JavaScript, so I follow these guidelines: https://developers.google.com/identity/protocols/oauth2/javascript-implicit-flow#js-client-library

Problem: even just reading email seems to be a restricted scope:

https://www.googleapis.com/auth/gmail.readonly Read all resources and their metadata—no write operations. Restricted

So if I don't submit my app to the verification process, it will be an unverified app, so it is supposed to stop working after 100 connections (see https://support.google.com/cloud/answer/7454865), and I read that the token will be deleted frequently, so it will not be convenient for my end users.

The different solutions I might have:

So I ran out of solutions. It seems crazy that I can't find a simple (and free) solution to allow my end users to import their email into my app.

I know there is also the IMAP solution; actually it's the one I use to import the mails (other than Gmail, but also Gmail), but to make it work with Gmail you have to remove security from their Gmail account, and that's not something I can ask of my end users (for security reasons, but also because they are not confident with IT tools, so I want to make it as simple as possible).

I'm waiting for your suggestions if you have any.

Thank you!

Upvotes: 1

Views: 458

Answers (1)

Linda Lawton - DaImTo

Reputation: 117281

> if I don't submit my app to the verification process, it will be an unverified app so it is supposed to stop working after 100 connections

With 100 users, and only 100 users, you won't be able to authorize anyone else.

> I read the token will be deleted frequently so it will not be convenient for my end users.

Actually it's the refresh token that gets revoked after seven days. But if you're using JavaScript and the implicit flow you don't have a refresh token, so this shouldn't be an issue for you.

> my app is actually deployed on (many) intranet servers, so the different URLs can be https://192.168.1.53:5000, https://myaddress.local, etc.

You can't, for starters. Google is going to want to see it running, so it will need to be a public server; you will also need a public domain to host your TOS and privacy policy so that Google can see them. It will also cost you between $15k and $75k for the third-party security audit of your application.

> How can Google verify an app which is not public?

You can't.

> make the app internal only on the Google dashboard: actually it's designed for what I need. Problem: it seems it works only with Google Workspace accounts. This last one costs money (a lot, see https://workspace.google.fr/intl/fr/pricing.html), and moreover my end clients want to use their personal Gmail address, not something related to their organization.

This will also mean that all your users have to be on your Workspace domain, as their personal Gmail emails won't work with Workspace. You can only read their emails on the domain.

> So I ran out of solutions. It seems crazy I can't find a simple (and free) solution to allow my end users to import their email into my app.

That's because there isn't one.

> I know there is also the IMAP solution; actually it's the one I use to import the mails (other than Gmail, but also Gmail), but to make it work with Gmail you have to remove security from their Gmail account, and that's not something I can ask of my end users (for security reasons, but also because they are not confident with IT tools, so I want to make it as simple as possible).

I would not recommend trying to go through IMAP or SMTP; you would need the passwords to your users' Gmail accounts, and that's a bad idea. Or you would need to use XOAuth, in which case you need to be verified.

> I'm waiting for your suggestions if you have any.

My suggestion is to decide if you really want this feature in your app. If you do:

  1. Host it on a domain instead of internally.
  2. Apply for verification and go through all the hoops required.

Upvotes: 1
