Has anyone been able to get a google based Email Account to authenticate via OAuth?
I’ve not been able to get anything to work, and I’m wondering if it is even possible. It was all working fine until the new “Connected Apps” workflow was introduced. Now, I’m able to set up an app, able to authenticate and generate tokens, but when I attempt to sign in with any email I get an error “Please check your email login credentials.”
Stack trace:
```
Traceback (most recent call last):
  File "apps/frappe/frappe/email/smtp.py", line 111, in session
    Oauth(_session, self.email_account, self.login, self.access_token).connect()
  File "apps/frappe/frappe/email/oauth.py", line 48, in connect
    self._connect_smtp()
  File "apps/frappe/frappe/email/oauth.py", line 75, in _connect_smtp
    self._conn.auth(self._mechanism, lambda x: self._auth_string, initial_response_ok=False)
  File "/usr/lib/python3.10/smtplib.py", line 662, in auth
    raise SMTPAuthenticationError(code, resp)
smtplib.SMTPAuthenticationError: (535, b'5.7.8 Username and Password not accepted. Learn more at\n5.7.8 https://support.google.com/mail/?p=BadCredentials s1-20020aa78d41000000b0064fa2fdfa9esm2752638pfe.81 - gsmtp')
```
I don’t see a specific setting for SMTP in account - settings - security. This should be from the gmail settings, or the workspace admin settings?
In either case, I think SMTP is configured properly, as I’m able to use other apps using OAuth login. It worked for me previously as well, before the “Connected App” setup came into play.
Note: I just got it five minutes ago, I can’t see a refresh token … I don’t know if it is required in the Google OAuth flow, maybe it will stop, but … at least I can say it is still running …
I was copying the details here and didn’t realize I needed a scope named https://mail.google.com. It’s working splendidly. Thank you so much! I owe you.
I have one more question in case you happen to know: do you have an idea if it is possible to authorize an email address that isn’t matched to a Frappe User? For example, if I want to set up a shared email account like “contact@example.com”, do I also have to create a user with the email address “contact@example.com”?
Token for combination of connected app + frappe user is created when frappe user clicks the Connect to {app} button on connected app form view.
This means multiple frappe users can create a token using same account from oauth2 provider.
E.g. you’ve Google workspace account newsletter@example.com, then multiple frappe users can create tokens by login using newsletter@example.com.
Not recommended, as every user needs to know the credentials and 2FA for newsletter@example.com.
It's just the flexibility available.
Recommended to create token for frappe users by login using their respective Google workspace accounts. No password or any 2fa sharing is necessary in this case.
Thanks to you both. This makes a lot of sense. So long as app-specific passwords keep working for google, that seems like a better way to go for shared inboxes. I really appreciate the work and explanations.
Scope: https://mail.google.com/
Description: Full access to the account’s mailboxes, including permanent deletion of threads and messages. This scope should only be requested if your application needs to immediately and permanently delete threads and messages, bypassing Trash; all other actions can be performed with less permissive scopes.
Any ideas why we are forced to use this excessive scope?
I’ve tried less permissive scopes, like https://www.googleapis.com/auth/gmail.insert, but they lead to this error message when trying to send an email:
```
Traceback with variables (most recent call last):
  File "apps/frappe/frappe/email/oauth.py", line 48, in connect
    self._connect_smtp()
      self = <frappe.email.oauth.Oauth object at 0x7f21adcc6ef0>
  File "apps/frappe/frappe/email/oauth.py", line 75, in _connect_smtp
    self._conn.auth(self._mechanism, lambda x: self._auth_string, initial_response_ok=False)
      self = <frappe.email.oauth.Oauth object at 0x7f21adcc6ef0>
  File "/usr/lib/python3.10/smtplib.py", line 662, in auth
    raise SMTPAuthenticationError(code, resp)
      self = <smtplib.SMTP object at 0x7f21a6d83a90>
      mechanism = 'XOAUTH2'
      authobject = <function Oauth._connect_smtp.<locals>.<lambda> at 0x7f21adcdac20>
      initial_response_ok = False
      initial_response = None
      response = 'REDACTED__SOME_LONG_TOKEN'
      code = 535
      resp = b'5.7.8 Username and Password not accepted. For more information, go to\n5.7.8 https://support.google.com/mail/?p=BadCredentials j32-20020a05600c1c2000b0040ecd453e8esm5687929wms.34 - gsmtp'
      challenge = b'{"status":"400","schemes":"Bearer","scope":"https://mail.google.com/"}'
smtplib.SMTPAuthenticationError: (535, b'5.7.8 Username and Password not accepted. For more information, go to\n5.7.8 https://support.google.com/mail/?p=BadCredentials j32-20020a05600c1c2000b0040ecd453e8esm5687929wms.34 - gsmtp')
```
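Added example, not part of the thread and not Frappe's code: the `challenge` value in the traceback above is the server's XOAUTH2 error payload, and its `scope` field names the scope the SMTP server expects. The sketch below builds the XOAUTH2 SASL string and compares that challenge with the scopes a token was granted; the function names are hypothetical, and the granted-scope string is assumed to come from the `scope` field of the OAuth token response.

```python
import base64
import json

# Challenge copied from the traceback above (smtplib has already base64-decoded it).
PAGE_CHALLENGE = b'{"status":"400","schemes":"Bearer","scope":"https://mail.google.com/"}'


def build_xoauth2_string(user: str, access_token: str) -> str:
    """SASL XOAUTH2 initial response, before base64 encoding."""
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01"


def parse_challenge(challenge: bytes) -> dict:
    """Accept the challenge as raw base64 (wire form) or as decoded JSON."""
    data = challenge.strip()
    if not data.startswith(b"{"):
        data = base64.b64decode(data, validate=True)
    return json.loads(data)


def diagnose(challenge: bytes, granted_scope: str) -> dict:
    """Report which scopes the server asked for that the token lacks.

    granted_scope is the space-delimited scope string from the token
    response (assumption: the caller has it at hand).
    """
    info = parse_challenge(challenge)
    required = info.get("scope", "").split()
    granted = set(granted_scope.split())
    return {
        "status": info.get("status"),
        "required": required,
        "missing": [s for s in required if s not in granted],
    }


if __name__ == "__main__":
    # Constructed input: a token granted only the narrower gmail.insert scope.
    narrow = "https://www.googleapis.com/auth/gmail.insert"
    print(diagnose(PAGE_CHALLENGE, narrow))
    print(diagnose(PAGE_CHALLENGE, "https://mail.google.com/"))
```

A non-empty `missing` list means the 535 comes from the token's scope, not from the username or the token format.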
@rmeyer, thank you for creating/updating the amazing document on configuring the Connected App. It helped me a lot. I have now managed to use the Connected App with an Email Account successfully with the following additional steps:
Once the Connected App is saved, we should see a Connect to GMail button. Clicking on it creates a Token.
Now open the Email Account you wish to set up.
Select OAuth from the Method dropdown.
Untick the “Authenticate as Service Principal” if it is ticked.
Select the Connected App from the dropdown.
Select the Connected User. IMPORTANT: 1. The email account used to set up the Connected App must belong to this user, and 2. You must be logged in as the same user otherwise on save, you will get this error OAuth Error: Please Authorize OAuth for Email Account Notifications
Once saved, the **Authorised API Access** button will appear under the **Method** dropdown. Click on it. NOTE: It may happen that the button does not appear. In that case, try to untick the Enable Outgoing and Enable Incoming options and save it.
Once Authorised API Access has succeeded, it is all set.