Google email via OAuth not possible?

Hello,

Has anyone been able to get a Google-based Email Account to authenticate via OAuth?

I’ve not been able to get anything to work, and I’m wondering if it is even possible. It was all working fine until the new “Connected Apps” workflow was introduced. Now, I’m able to set up an app, able to authenticate and generate tokens, but when I attempt to sign in with any email I get an error “Please check your email login credentials.”

Stack trace:

Traceback (most recent call last):
  File "apps/frappe/frappe/email/smtp.py", line 111, in session
    Oauth(_session, self.email_account, self.login, self.access_token).connect()
  File "apps/frappe/frappe/email/oauth.py", line 48, in connect
    self._connect_smtp()
  File "apps/frappe/frappe/email/oauth.py", line 75, in _connect_smtp
    self._conn.auth(self._mechanism, lambda x: self._auth_string, initial_response_ok=False)
  File "/usr/lib/python3.10/smtplib.py", line 662, in auth
    raise SMTPAuthenticationError(code, resp)
smtplib.SMTPAuthenticationError: (535, b'5.7.8 Username and Password not accepted. Learn more at\n5.7.8  https://support.google.com/mail/?p=BadCredentials s1-20020aa78d41000000b0064fa2fdfa9esm2752638pfe.81 - gsmtp')

Any help is greatly appreciated.

Any tips or guidance? Even just knowing that someone has gotten Gmail to work via OAuth and a Connected App would be extremely helpful.

Hi:

Is your account configured to allow smtp? (Account - Settings - Security)

I don’t see a specific setting for SMTP in account - settings - security. Should this be from the Gmail settings, or the Workspace admin settings?

In either case, I think SMTP is configured properly, as I’m able to use other apps using OAuth login. It worked for me previously as well, before the “Connected App” setup came into play.

Hi:

I am trying with google account … and it’s working for me …

  • Created api credentials for Oauth (Google Side)
  • Create connected app in Frappe side. Scope: https://mail.google.com
  • Create mail account linked to this connected app
  • Authenticate connected app and mail account

In my case it sends and receives without problems.

Note: I just got it five minutes ago, I can’t see a refresh token … I don’t know if it is required in the Google OAuth flow, maybe it will stop, but … at least I can say it is still running …


Sorry, first approach was wrong :slight_smile: Forget about SMTP settings


Thanks @avc, once again you come through!

I was copying the details here and didn’t realize I needed a scope named https://mail.google.com. It’s working splendidly. Thank you so much! I owe you.
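An added example, not part of the thread and not Frappe's own code: a pre-flight check that a token's granted scopes include the mail scope before attempting XOAUTH2, plus the SASL string that `smtplib` sends in the traceback above. The function names and sample values are assumptions constructed for illustration; the scope comparison ignores a trailing slash only because the thread writes the scope without one.

```python
import base64
import json

# Scope the thread found had to be set on the Connected App for Gmail mail access.
GMAIL_SCOPE = "https://mail.google.com/"

# Constructed samples: the space-delimited "scope" field of two OAuth token responses.
GOOD_SCOPE = "openid https://mail.google.com/ email"
BAD_SCOPE = "openid email"

# Constructed sample of the base64 JSON error a server can return in a 334 reply
# when an XOAUTH2 attempt is rejected.
SAMPLE_CHALLENGE = base64.b64encode(
    b'{"status":"400","schemes":"Bearer","scope":"https://mail.google.com/"}'
)


def build_xoauth2_string(user: str, access_token: str) -> str:
    """Return the SASL XOAUTH2 client response (before base64 encoding)."""
    if "\x01" in user or "\x01" in access_token:
        raise ValueError("control character in user or token")
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01"


def _norm(scope: str) -> str:
    # Assumption of this example: compare scopes without a trailing slash.
    return scope.rstrip("/")


def missing_scopes(granted: str, required=(GMAIL_SCOPE,)) -> list:
    """Return the required scopes that are absent from the granted-scope string."""
    have = {_norm(s) for s in granted.split()}
    return [s for s in required if _norm(s) not in have]


def decode_xoauth2_challenge(b64_challenge: bytes) -> dict:
    """Decode the base64 JSON error body so the expected scope can be logged."""
    return json.loads(base64.b64decode(b64_challenge))


if __name__ == "__main__":
    print("missing:", missing_scopes(BAD_SCOPE))
    print("server expects:", decode_xoauth2_challenge(SAMPLE_CHALLENGE)["scope"])
```

Running the scope check right after the authorization step surfaces a missing scope directly, instead of as the generic 535 "Username and Password not accepted" reply seen in the traceback.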

Hi:
I’m glad to have been helpful … actually I owe you much more :slight_smile:

That’s kind. :slight_smile:

I have one more question in case you happen to know: do you have an idea if it is possible to authorize an email address that isn’t matched to a Frappe User? For example, if I want to set up a shared email account like “contact@example.com”, do I also have to create a user with the email address “contact@example.com”?

Hi:

I can’t try this, but maybe you can achieve it with “send as” feature on Gmail

In Frappe side try to configure this account using “Use different Email ID” check in email account config.

This way one authenticated gmail user can send mail from different accounts.
Anyway, I am not an experienced Gmail user …

A token for the combination of connected app + Frappe user is created when the Frappe user clicks the Connect to {app} button on the connected app form view.

This means multiple Frappe users can create a token using the same account from the OAuth2 provider.

E.g. if you have a Google Workspace account newsletter@example.com, then multiple Frappe users can create tokens by logging in using newsletter@example.com.
Not recommended, as every user needs to know the credentials and 2FA for newsletter@example.com

It’s just the flexibility available.

It is recommended to create tokens for Frappe users by logging in using their respective Google Workspace accounts. No password or 2FA sharing is necessary in this case.

Thanks to you both. This makes a lot of sense. So long as app-specific passwords keep working for google, that seems like a better way to go for shared inboxes. I really appreciate the work and explanations. :beers: