OAuth2 rejected but OAuth2 works on account that created clientId #6

Closed
eddyparkinson opened this issue Nov 14, 2014 · 5 comments


@eddyparkinson eddyparkinson commented Nov 14, 2014

nodemailer.createTransport only works with the account that created the clientID

x-posted on
http://stackoverflow.com/questions/26901445/oauth2-rejected-but-oauth2-works-on-account-that-created-clientid-with-gmail-no

Code - Nodejs - Nodemailer and xoauth2

var nodemailer = require("nodemailer");

var generator = require('xoauth2').createXOAuth2Generator({
    user: "", // Your gmail address.

    clientId: "",
    clientSecret: "",
    refreshToken: "",
});



// listen for token updates
// you probably want to store these to a db
generator.on('token', function(token){
    console.log('New token for %s: %s', token.user, token.accessToken);
});


// login
var smtpTransport = nodemailer.createTransport({
    service: 'gmail',
    auth: {
        xoauth2: generator
    }
});


var mailOptions = {
    to: "",
    subject: 'Hello ', // Subject line
    text: 'Hello world ', // plaintext body
    html: '<b>Hello world </b>' // html body
};


smtpTransport.sendMail(mailOptions, function(error, info) {
  if (error) {
    console.log(error);
  } else {
    console.log('Message sent: ' + info.response);
  }
  smtpTransport.close();
});

issues:

  • I tested 3 accounts, and only the account that created the ClientId is working.
  • I used Google OAuth2 playground to create the tokens, https://developers.google.com/oauthplayground/
  • It looks to grab a valid accessToken ok, using the refreshToken, (i.e. it prints the new access token on the screen.) No errors until it tries to send the email.
  • I added the optional accessToken: but got the same error. ( "Username and Password not accepted")
  • I am not 100% sure about the "username", the docs say it needs a "user" email address - I guess the email of the account that created the token, but is not 100% clear. I have tried several things and none worked. (both email addresses, just the user name, the googleID)
  • I have searched the options on the gmail accounts, did not find anything that looks wrong.
  • Also, when I did this with Java, it needed the google userID rather than the email address, not sure why this is using the email address and the Java is using the UserId. I am able to send email using Java+OAuth2

Hope I have not made a silly mistake, but this looks like a bug.

Owner

@andris9 andris9 commented Nov 14, 2014

In a nutshell, this is how oauth2 works – clientId identifies the app (clientSecret is like a password for it). The app sends the user to the oauth2 authentication page where the user gives the app (e.g. clientId) access to the requested resources/scope (scope must include https://mail.google.com/ to allow the app to send mail in the name of the user), and the oauth2 provider (gmail) returns a refreshToken and a temporary accessToken, which is the actual login token, to the app. Once the temporary accessToken has expired, the app can generate a new one using the refreshToken.

If the user has not allowed access to clientId to use the scope https://mail.google.com/ then you can not use oauth2.

@andris9 andris9 closed this Nov 14, 2014
Author

@eddyparkinson eddyparkinson commented Nov 14, 2014

nodemailer fails with a "compose" scope

The problem was the scope, not who created the client ID.
scope https://www.googleapis.com/auth/gmail.compose fails
but works ok if I use the scope https://mail.google.com/

Thanks.

Owner

@andris9 andris9 commented Nov 15, 2014

Yeah, the scopes are the usual subject if something doesn't work. "gmail.compose" is for the HTTP-based Gmail API. Nodemailer uses SMTP and thus requires full access (https://developers.google.com/gmail/xoauth2_protocol#oauth_20_scopes).

Author

@eddyparkinson eddyparkinson commented Nov 15, 2014

Not sure how you let people know they should check scope if they get the error "Username and Password not accepted". Maybe put something in the docs, or add something to the error message.

Owner

@andris9 andris9 commented Nov 17, 2014

The returned error object should include all available information about why the sending failed. See properties code, response and responseCode of the error object.
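
Added example, not part of the original thread and not Nodemailer's own code: a small diagnostic that combines the error properties named above (code, response, responseCode) with the scopes granted to the token, so a rejected login caused by a too-narrow scope such as gmail.compose is reported as a scope problem. The helper names are hypothetical, and the sample error object and scope strings are constructed for illustration.

```javascript
// Scope the thread says SMTP XOAUTH2 requires.
const SMTP_SCOPE = 'https://mail.google.com/';

// OAuth2 scope strings are space-separated; require an exact match so a
// look-alike value with a longer path is not accepted.
function hasSmtpScope(scopeString) {
  return String(scopeString || '')
    .split(/\s+/)
    .filter(Boolean)
    .includes(SMTP_SCOPE);
}

// Hypothetical helper: turn a failed sendMail error into an actionable hint.
function diagnoseAuthFailure(err, grantedScopes) {
  const details = {
    code: err.code,
    responseCode: err.responseCode,
    response: err.response
  };
  const rejected = /Username and Password not accepted/i.test(err.response || '');
  if (!rejected) {
    return { ...details, hint: 'not a credential rejection; inspect response' };
  }
  if (!hasSmtpScope(grantedScopes)) {
    return { ...details, hint: 'token lacks ' + SMTP_SCOPE + '; re-authorize with that scope' };
  }
  return { ...details, hint: 'scope is present; check that user is the account that granted the token' };
}

// Constructed sample error (shape follows the properties named in the thread).
const sampleError = {
  code: 'EAUTH',
  responseCode: 535,
  response: '535-5.7.8 Username and Password not accepted.'
};

// Constructed scope strings, as an OAuth2 token response would list them.
const composeOnly = 'https://www.googleapis.com/auth/gmail.compose';
const fullMail = 'https://www.googleapis.com/auth/userinfo.email https://mail.google.com/';

console.log(diagnoseAuthFailure(sampleError, composeOnly).hint);
console.log(diagnoseAuthFailure(sampleError, fullMail).hint);
```

Calling diagnoseAuthFailure from the sendMail error callback, with the scope string stored when the refresh token was issued, gives the operator the scope hint without widening the grant beyond what SMTP needs.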
