GSuite - Gmail Activity Unauthorized client error

That’s strange, UserEmail: "samuel@mubie.com" (this is the admin of domain mubie.com in G Suite)
I was able to Authorize in Manage API client access, but where is missing?

According to your previous reply, the checkbox for “Enable G Suite Domain-wide Delegation” is disabled. If you manage to enable that, the activities should work as you expect.

that was the question, why I can not check that box, any suggestion where I should look into…

That is a configuration done on G Suite’s side, so unfortunately I cannot help much with it.

According to https://serverfault.com/questions/944094/why-domain-admin-cannot-enable-domain-wide-delegation-for-service-accounts, there can be different kinds of admin, so you might want to check whether your admin account has the necessary permissions.

It’s kind of frustration with all the confusions…

Followed your suggestion, while trying to Perform G Suite Domain-Wide Delegation of Authority, it needs the Client ID, But Service account does not have Client ID, only “Unique ID”.

So this come back to the basic question, which Authentication type should we use…OAuthClientID or ServiceAccountKey ?

From previous replies, OAuthClientID is suggested, but how about this issue?
The OAuth Client ID method works with all GSuite services, however it’s recommended for attended automation because user consent is required before the robot can access to your Google account.

Besides, while trying to Create Credentials OAuth2, What Application type should I choose? Authorized JavaScript origins? Authorized redirect URIs? and what should i put for user inArgurment ?

Your help is highly appreciated.

So this come back to the basic question, which Authentication type should we use…OAuthClientID or ServiceAccountKey ?

When you use Service Account, then the property AuthenticationType should be set to ServiceAccountKey: https://docs.uipath.com/activities/docs/gsuite-application-scope#section-service-account-key
After you set up your Service Account, you’ll be able to download the JSON file that act as the key: https://cloud.google.com/docs/authentication/getting-started#creating_a_service_account

From previous replies, OAuthClientID is suggested, but how about this issue?
The OAuth Client ID method works with all GSuite services, however it’s recommended for attended automation because user consent is required before the robot can access to your Google account.

Yes, when you use OAuth Client ID, the robot will use a user’s account, so the user is prompted to allow that. But it can access any resource available to the user without further configuration necessary.

Besides, while trying to Create Credentials OAuth2, What Application type should I choose? Authorized JavaScript origins? Authorized redirect URIs? and what should i put for user inArgurment ?

For the application type, choose “Other”.

I have created samples showing how use the three kinds of authentication, including detailed instructions on how to setup things on G Suite. Since I did it a few months ago, there might be a few differences, but it should be possible to get the main idea.
GSuiteActivitiesAPIKeySample.zip (3.5 KB)
GSuiteActivitiesOAuthSample.zip (11.2 KB)
GSuiteActivitiesServiceAccountSample.zip (11.4 KB)

6 Likes

@Mateus_Cruz Thanks for the samples, it’s really helpful.

@Mateus_Cruz While following your sample for OAuth, there is an error for “NetworkCredential” undefined.
Assign ClientSecret = new NetworkCredential(string.Empty, Password).Password
Can not find NetworkCredential in Variables in your sample, but there is no error in your sample, how come i will have this error ?

In the “Imports” tab (the one beside “Arguments”), type System.Net and add that namespace.

1 Like

Got it, thanks

Hi @Mateus_Cruz
Got an error on the browser while trying to run the process on Studio, I had AssetName “GsuiteLogin” for the credentials on the Orchestrator. Any idea where I’m missing?

Error: invalid_client
The OAuth client was not found.
access_type=offline
response_type=code
client_id=“3893xxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com
redirect_uri=http://127.0.0.1:54468/authorize/
scope=https://www.googleapis.com/auth/drive https://mail.google.com/ https://www.googleapis.com/auth/spreadsheets

Error message on Studio
19.7.0+Branch.master.Sha.8c253d13718eed5c7db27daef6facd1fe1b0d067
Source: GSuite Application Scope
Message: The client did not complete the token exchange after the default 60 seconds, and as a result the operation was canceled.
Exception Type: System.TimeoutException

RemoteException wrapping System.TimeoutException: The client did not complete the token exchange after the default 60 seconds, and as a result the operation was canceled.
at UiPath.GSuite.Activities.GSuiteApplicationScope.Execute(NativeActivityContext context)
at System.Activities.NativeActivity.InternalExecute(ActivityInstance instance, ActivityExecutor executor, BookmarkManager bookmarkManager)
at System.Activities.ActivityInstance.Execute(ActivityExecutor executor, BookmarkManager bookmarkManager)
at System.Activities.Runtime.ActivityExecutor.ExecuteActivityWorkItem.ExecuteBody(ActivityExecutor executor, BookmarkManager bookmarkManager, Location resultLocation)

Did you take more than 60 seconds to input your username and password?

The problem is the error on browser, it stopped the process, The OAuth client was not found.
But it should get the credentials from Asset on Orchestrator, right?

Hi @Mateus_Cruz
I used your sample with my asset of credentials, got the same error, any idea where I might be wrong?
Thanks

Did you setup the OAuth account as it is written in the workflow’s annotation and then added the credential to Orchestrator?

Yes, I also use your sample with my asset of credentials on orchestrator.
Both have same error.

@MubieSam_Lin
I tried the workflow again using a completely new account and credential created just now, and it worked fine.
Could you please try with a different account to see if it works?

1 Like

Hi @Mateus_Cruz
Finally I got it working with a new account and learned the lesson, thank you very much!
One last question, the only way to make this process via unattended robot (it is not possible now because OAuth verification), is to submit for OAuth consent screen verification, right?

Good to hear you got it working!

OAuth is a bit difficult to be completely unattended because of the consent screen. It doesn’t come up everytime, but if the token expires, then it’ll appear again.
So you might want to keep that in mind when designing your solution.

1 Like

Hi @Mateus_Cruz

Sorry to bother you again. While trying to setup the OAuth client ID for our new project, found that there is no “other” application type any more as you had indicated before in your GSuiteActivitiesOAuthSample.zip

Seems there are some changes in getting GSuite Activities to work, where I can find the updated instruction to setup OAuth, or better to use Service Account if we will use it for gmail and gsheets of the same user only?

Thanks