GSuite - Gmail Activity Unauthorized client error

Hello,

I am having issues with the Gmail, send email activity under Gsuite. I am encountering this error:

image

I used service account key with service account role.

1 Like

Hi @wonderingnoname

It seems like you are not properly authorized. I found this article on stack exchange that might help here.

There is a user there who states:

Service accounts only work with GSuite because you have to be able to preauthorize the service account and grant it access to the users account. There is no way to preauthorize a normal user Gmail account. So no you cant use a service account with a normal users gmail account.

1 Like

Hi guys, indeed the only way you can use Gmail with a service account is if you check the UseDomainAdminAccess checkbox on the scope and impersonate a user by entering the user’s email address in the User field.
However, this is not recommended in most cases. It should perhaps be used when you want to do a mass migrate so there are no users left on the domain and you just transfer their data.

In conclusion, you need to use OAuth2 Client Id to use Gmail.

2 Likes

Please make sure the setting in your gmail accounts is allowed or enable pop or imap setting.

Hi @loginerror
Followed the article on stack exchange, but still got Source: Read Range Error:“unauthorized_client”, can you help me where is missing?
What I have done:
Input AuthenticationType: ServiceAccountKey Services: Gmail, Sheets
HasDomainWideAccess: checked
KeyPath: the same JSON file was used which was successfully “Read Range” when Sheets is the only Service.
UserEmail: "samuel@mubie.com" (the admin of domain)

Manage API client access

Client Name: Unique ID of Service account
One or More API Scopes: https://www.googleapis.com/auth/gmail / https://www.googleapis.com/auth/sheets
***Not sure whether this is the problem or not…On the Service account details page, there is a square box to be checked for Enable G Suite Domain-wide Delegation, but can not check
uipath4sam%20%E2%80%93%20IAM%20%26%20admin%20%E2%80%93%20jmall%20%E2%80%93%20Google%20Cloud%20Platform

@MubieSam_Lin
As pointed out previously, to use ServiceAccount authentication with Gmail activities, you need to have Domain-wide Delegation active.

This is a feature that is available for enterprise applications and can be turned on by administrator of G Suite domains. This is not available for personal accounts.

If you are not in a G Suite domain or cannot get the necessary permission to use domain-wide delegation, then it’s probably best to use a different authentication method, like OAuth2.

1 Like

That’s strange, UserEmail: "samuel@mubie.com" (this is the admin of domain mubie.com in G Suite)
I was able to Authorize in Manage API client access, but where is missing?

According to your previous reply, the checkbox for “Enable G Suite Domain-wide Delegation” is disabled. If you manage to enable that, the activities should work as you expect.

that was the question, why I can not check that box, any suggestion where I should look into…

That is a configuration done on G Suite’s side, so unfortunately I cannot help much with it.

According to https://serverfault.com/questions/944094/why-domain-admin-cannot-enable-domain-wide-delegation-for-service-accounts, there can be different kinds of admin, so you might want to check whether your admin account has the necessary permissions.

It’s kind of frustration with all the confusions…

Followed your suggestion, while trying to Perform G Suite Domain-Wide Delegation of Authority, it needs the Client ID, But Service account does not have Client ID, only “Unique ID”.

So this come back to the basic question, which Authentication type should we use…OAuthClientID or ServiceAccountKey ?

From previous replies, OAuthClientID is suggested, but how about this issue?
The OAuth Client ID method works with all GSuite services, however it’s recommended for attended automation because user consent is required before the robot can access to your Google account.

Besides, while trying to Create Credentials OAuth2, What Application type should I choose? Authorized JavaScript origins? Authorized redirect URIs? and what should i put for user inArgurment ?

Your help is highly appreciated.

So this come back to the basic question, which Authentication type should we use…OAuthClientID or ServiceAccountKey ?

When you use Service Account, then the property AuthenticationType should be set to ServiceAccountKey: https://docs.uipath.com/activities/docs/gsuite-application-scope#section-service-account-key
After you set up your Service Account, you’ll be able to download the JSON file that act as the key: https://cloud.google.com/docs/authentication/getting-started#creating_a_service_account

From previous replies, OAuthClientID is suggested, but how about this issue?
The OAuth Client ID method works with all GSuite services, however it’s recommended for attended automation because user consent is required before the robot can access to your Google account.

Yes, when you use OAuth Client ID, the robot will use a user’s account, so the user is prompted to allow that. But it can access any resource available to the user without further configuration necessary.

Besides, while trying to Create Credentials OAuth2, What Application type should I choose? Authorized JavaScript origins? Authorized redirect URIs? and what should i put for user inArgurment ?

For the application type, choose “Other”.

I have created samples showing how use the three kinds of authentication, including detailed instructions on how to setup things on G Suite. Since I did it a few months ago, there might be a few differences, but it should be possible to get the main idea.
GSuiteActivitiesAPIKeySample.zip (3.5 KB)
GSuiteActivitiesOAuthSample.zip (11.2 KB)
GSuiteActivitiesServiceAccountSample.zip (11.4 KB)

6 Likes

@Mateus_Cruz Thanks for the samples, it’s really helpful.

@Mateus_Cruz While following your sample for OAuth, there is an error for “NetworkCredential” undefined.
Assign ClientSecret = new NetworkCredential(string.Empty, Password).Password
Can not find NetworkCredential in Variables in your sample, but there is no error in your sample, how come i will have this error ?

In the “Imports” tab (the one beside “Arguments”), type System.Net and add that namespace.

1 Like

Got it, thanks

Hi @Mateus_Cruz
Got an error on the browser while trying to run the process on Studio, I had AssetName “GsuiteLogin” for the credentials on the Orchestrator. Any idea where I’m missing?

Error: invalid_client
The OAuth client was not found.
access_type=offline
response_type=code
client_id=“3893xxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com”
redirect_uri=http://127.0.0.1:54468/authorize/
scope=https://www.googleapis.com/auth/drive https://mail.google.com/ https://www.googleapis.com/auth/spreadsheets

Error message on Studio
19.7.0+Branch.master.Sha.8c253d13718eed5c7db27daef6facd1fe1b0d067
Source: GSuite Application Scope
Message: The client did not complete the token exchange after the default 60 seconds, and as a result the operation was canceled.
Exception Type: System.TimeoutException

RemoteException wrapping System.TimeoutException: The client did not complete the token exchange after the default 60 seconds, and as a result the operation was canceled.
at UiPath.GSuite.Activities.GSuiteApplicationScope.Execute(NativeActivityContext context)
at System.Activities.NativeActivity.InternalExecute(ActivityInstance instance, ActivityExecutor executor, BookmarkManager bookmarkManager)
at System.Activities.ActivityInstance.Execute(ActivityExecutor executor, BookmarkManager bookmarkManager)
at System.Activities.Runtime.ActivityExecutor.ExecuteActivityWorkItem.ExecuteBody(ActivityExecutor executor, BookmarkManager bookmarkManager, Location resultLocation)

Did you take more than 60 seconds to input your username and password?

The problem is the error on browser, it stopped the process, The OAuth client was not found.
But it should get the credentials from Asset on Orchestrator, right?

Hi @Mateus_Cruz
I used your sample with my asset of credentials, got the same error, any idea where I might be wrong?
Thanks