Connected App for outgoing email via OAuth

antgel · March 27, 2025, 3:06pm

We use Google Workspace for our email and want to set up ERPNext outgoing email via OAuth / service principal as app passwords are quite rightly discontinued.

When trying to create the Connected App on the ERPNext side, we get the following error which I think speaks for itself:

Connected App i6c44sp0mv: ‘Redirect URI’ (https://erpnext.staging.main.infra.foobarcreativ.com:443/api/method/frappe.integrations.doctype.connected_app.connected_app.callback/i6c44sp0mv) will get truncated, as max characters allowed is 140.

(foobarcreativ has the same number of numbers as the actual domain but redacted for security.)

We’re on 144 characters, four too many but can’t lose anything. We even need the :443 because of this bug: `Social Login`'s `Authorized redirect URIs` are using `http` instead of `https` and other errors · Issue #39705 · frappe/erpnext · GitHub

Is this our error or a bug and what can we do about it, is it an arbitrary limit or deep in the system? 140 characters in a URL as of 2025 seems really short and not scalable.

revant_one · March 27, 2025, 10:55pm

Try to increase the length using “Customize Form” feature on “Connected App”.

The field in frappe code needs to change to text. That’ll accomodate long urls.

volkswagner · March 27, 2025, 11:08pm

The following doesn’t work for eliminating the need for port?

bench --site {{site-name}} set-config host_name https://{{site-name}}

antgel · March 28, 2025, 5:19pm

Thanks; I did this and it worked. I’ll create a GitHub issue.

Now I have another issue. We’re currently sending outgoing mail with Google Workspace SMTP Relay with authentication off (limited by IP addresses). But I’m wondering now if what I want to do will even work as Google Workspace seems to use JWT, not OAuth for service accounts / domain-wide delegation. Is there a way to get ERPNext to work with Google Workspace for sending outgoing mail without linking to any specific user? (I also have admin on Google Workspace / Cloud.)

I then tried setting OAuth up anyway with my personal company email account, just to see if that would work. I was able to set up the OAuth Connected App and authenticate with “Connect to…”.

But when I went back to Email Account, enabled SMTP authentication, and chose OAuth with this connected app, I got the following message:

Please check your email login credentials. smtplib.SMTPAuthenticationError: (535, b'5.7.8 Username and Password not accepted. For more information, go to\n5.7.8 https://support.google.com/mail/?p=BadCredentials 98e67ed59e1d1-3039f8b28acsm500967a91.10 - gsmtp')

What might I be doing wrong? ERPNext shouldn’t be sending a username and password.

(I did change the Email Domain server from smtp.gmail.com to smtp-relay.gmail.com.)

antgel · March 28, 2025, 5:23pm

Not in our case; if we don’t hard-code the port, the redirect assumes port 8000 which the Docker backend container runs on. I think it’s as described in `Social Login`'s `Authorized redirect URIs` are using `http` instead of `https` and other errors · Issue #39705 · frappe/erpnext · GitHub.

revant_one · March 29, 2025, 1:57am

Check this Google email via OAuth not possible?

antgel · March 29, 2025, 11:07pm

Thank you; I had seen that already but will continue that thread which seems more dedicated to the subject.