[Users] Setting up OAuth2 for GMail

Pierre Fortin pf at pfortin.com
Thu May 5 04:43:37 UTC 2022


>Setting up OAuth 2.0 for Gmail
>
>Follow the instructions here:
>https://support.google.com/googleapi/answer/6158849

Leave it to Google to put out instructions that barely match the
screens...  ;p   After looking around with one gmail account, started
fresh with a second account...

Go to the API Console
Agree to Terms of Service
APIs & Services
  CREATE PROJECT
    Project Name: ___________    (ignore Location)
  CREATE
# Notifications:  (ignored)
Credentials
  CONFIGURE CONSENT SCREEN
    Select: External
    CREATE
      Edit app registration
        App information
          App name:  cm
          User support email:  email
          App logo:  (ignored)
          App domain
            Application home page:  (ignored)
            Application privacy policy link:  (ignored)
            Application terms of service link:  (ignored)
          Authorized domains
            (ignored)
          Developer contact information
            email
          SAVE AND CONTINUE
  Scopes
    (ignored all; returned here later)
    SAVE AND CONTINUE
  Test users
    (ignored all)
    SAVE AND CONTINUE
  Summary
    BACK TO DASHBOARD
OAuth consent screen
  PUBLISH APP
    CONFIRM
Credentials
  +CREATE CREDENTIALS
    OAuth client ID
  Create OAuth client ID
    Application type:  Desktop app
    Name:  name
      [Note: It may take 5 minutes to a few hours for settings to take
      effect]  
    CREATE
  OAuth client created
    Your Client ID:  (copied to CM)
    Your Client Secret:  (copied to CM)  -- never saw a "pencil icon"...
    Apply (in CM)
    DOWNLOAD JSON
    OK

CM: Open default browser with request
Google response:
Authorization Error
Error 400: invalid_request

You can't sign in to this app because it doesn't comply with Google's
OAuth 2.0 policy for keeping apps secure.

You can let the app developer know that this app doesn't comply with one
or more Google validation rules. The content in this section has been
provided by the app developer. This content has not been reviewed or
verified by Google. If you’re the app developer, make sure that these
request details comply with Google policies.

    redirect_uri: urn:ietf:wg:oauth:2.0:oob


Used Copy Link which gives same error.

[more below]

>Note: If you use more than one Google/Gmail account, make sure you are
>signed in to Google Cloud Platform with the desired account before
>creating a project or changing any settings. (It is possible to be
>signed into multiple accounts; just make sure the browser tab/window you
>are working in is controlled by the correct account.)
>
>When setting up the project use these settings:
>
>  Project name: Anything of your choice
>
>  Publishing status (of project): 'In Production'
>
>  User type: External
>
>Notes related to the above:
>
>1. If/when you create a new project, if it appears that the process has
>stalled, look in the top-right corner for a notification icon that you
>can click on and then select the relevant project. This should then open
>that project's dashboard so you can continue with the process. (As of 24
>Mar 2022.)
>
>2. Regarding Google's above-linked instructions related to the
>"Credentials" page: Where it says "Click 'New Credentials'" it should
>read "Click '+ CREATE CREDENTIALS'" (as of 24 Mar 2022).
>
>3. Regarding "Publishing status", the initial default is 'Testing'. To
>change this to 'In Production' click on the 'Publish App' button in the
>'Publishing status' section of the 'OAuth Consent Screen', and then
>click on 'Confirm'. This results in the status changing to ‘In
>Production’ and a new section ‘Verification Status’ showing with a
>‘Needs verification’ status, which can be safely ignored. If this
>doesn't work for some reason, you can switch back to 'Testing' status on
>the same 'OAuth Consent Screen' page you used before. For this status to
>work you need to make sure you've added the desired email address to the
>'Test Users' list on the 'Edit App Registration' - 'Test Users' page of
>the 'OAuth Consent Screen' setup process (or on the main 'OAuth Consent
>Screen' page). Note that with this status each authorization code will
>only last for seven days, after which you will be unable to connect and
>will see authorization errors in the network log. To get a new
>authorization code, go to the 'OAuth2' page of the Claws Mail settings
>and repeat the steps for getting an authorization code and completing
>authorization. (Note that there is no need to get a new client ID or
>client secret.) (as of 17 Apr 2022)
>
>
>OAuth consent screen settings:
>
>  App name: Anything of your choice
>
>  User support email: Your own email
>
>  Developer email: Your own email
>
>  App domain entries: Leave blank
>
>Scopes settings:
>
>  Click on 'Add or Remove Scopes'.
>
>  Select (check the box) this entry: "Gmail API,
> ", Read, compose, send and permanently delete
> all your email from Gmail"

I get 25 rows; but no GMail...  entered "gmail" in filter and get "No
rows to display"

Added "https://mail.google.com/" and ADD TO TABLE, UPDATE -- I get:

   Verification required

   A restricted scope was added. To verify your app, it will need to go
   through the verification process. If the app is accessing the scope
   from or through a server, it will need to go through an independent
   security review, which can cost $15-$75k.

CONTINUE

Now I see:
 Your restricted scopes
 Approval required.
 Gmail scopes
 API
 Scope
 User-facing description
 https://mail.google.com/
 Read, compose, send, and permanently delete all your email from Gmail

>      (Note that the list is in alphabetical order and you may need to
> go to a later page to find this entry. Also, if you can't find it in
> the list, you can enter the URL manually at the bottom of the page to
> add it to the list.)
>
>  Click on 'Update'.
>
>  Confirm that the section 'Your restricted scopes' shows the entry you
> just added.
>
>  Click on 'Save and Continue'.
>
>Getting the Client ID
>
>  APIs and Services on the left menu, then Credentials entry
>
>  Copy the Client ID to the corresponding field on Claws Mail's account
> settings' 'Oauth2' page.
>
>  Select "Edit OAuth Credentials" (pencil icon), then copy the Client

No pencil icon; just copied Client Secret to CM.  If this means the
pencil icon on the Google Credentials page; that's only needed if you've
dismissed the ID/Secret popup window.

> Secret to the corresponding field on Claws Mail's account settings'
> 'Oauth2' page.
>
>Troubleshooting:
>
>It's possible / probable that Gmail will 'complain' about giving access
>to an unverified third-party app. If this keeps you from using Claws to
>access your Gmail, you may need to log in to Gmail's web-mail interface
>and review / revise your security settings there. This may involve

Click: gear. 
  Click: See all settings -- nothing obvious.

>dismissing the warning Google gives about the Project that you set up
>for Claws to access GMail on your account. If you dismiss a Warning,
>Google may then ask you why you are dismissing it, providing several
>options, leaving you free to choose the one which seems most suitable. 

I see nothing of the sort...  So, of course, net log gives:
  * OAuth2 access token not obtained

Now what? 

Pierre
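
The only request detail Google's error page lists is `redirect_uri: urn:ietf:wg:oauth:2.0:oob`. The sketch below is an added example, not part of the original post and not Claws Mail's code: it flags that out-of-band value and builds the same authorization request with the loopback redirect RFC 8252 describes for native apps, plus PKCE (RFC 7636). The client ID, port and function names are constructed placeholders; the scope is the one named in the post.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlsplit

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
GMAIL_SCOPE = "https://mail.google.com/"  # scope named in the post
OOB_URIS = {"urn:ietf:wg:oauth:2.0:oob", "urn:ietf:wg:oauth:2.0:oob:auto"}
EXAMPLE_CLIENT_ID = "constructed-id.apps.googleusercontent.com"  # placeholder
EXAMPLE_PORT = 53682                                             # placeholder


def classify_redirect(uri):
    """Classify the redirect_uri of a desktop-app authorization request."""
    if uri in OOB_URIS:
        return "oob"        # manual copy/paste flow: the value in the error
    parts = urlsplit(uri)
    if parts.scheme == "http" and parts.hostname in ("127.0.0.1", "::1", "localhost"):
        return "loopback"   # local listener receives the authorization code
    if parts.scheme == "https":
        return "https"
    return "other"


def pkce_pair():
    """Return (code_verifier, S256 code_challenge) as defined in RFC 7636."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside the 43-128 range
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_auth_url(client_id, port):
    """Build a loopback + PKCE request; returns (url, verifier, state)."""
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(16)     # binds the callback to this request
    params = {
        "client_id": client_id,
        "redirect_uri": f"http://127.0.0.1:{port}",
        "response_type": "code",
        "scope": GMAIL_SCOPE,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", verifier, state
```

The verifier and state stay with the client: the verifier is sent with the later token request, and the state must match the value returned on the loopback callback.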

