How to use OAuth authentication in Unattended mode for Google Workspace activities?
How can OAuth authentication be used in Unattended mode for Google Workspace (formerly GSuite) activities?
Google Workspace has three authentication methods:
- API Key: Works only for Sheets activities
- OAuth Client ID: Works with all Google Workspace services; however, it is recommended for attended automation because user consent is required before the robot can access the Google account.
- Service account key: A service account key is a special type of Google account that belongs to your application instead of to an individual end-user. Your application calls Google APIs on behalf of the service account, so users aren't directly involved.
The OAuth Client ID method is recommended for Attended automation. However, with an intricate setup, this method can also be used in Unattended mode and by different robots and programs.
When OAuth authentication is used, a prompt for user consent appears the first time the code is executed. When user consent is granted, an authorization token is generated and stored according to the value of the DataStoreLocation property of the 'GSuite Application Scope' activity. This token is used for future executions of the code, and user consent is not requested again. Some circumstances can cause the token to expire, which makes it invalid and requires the user to authenticate and confirm permissions again. There is also a limited number of refresh tokens per user account. Here is the list with expiration reasons.
The DataStoreLocation property has the following values:
- Orchestrator: The authorization token is stored in the modern folder provided in 'OrchestratorFolderPath' property. This token is not encrypted.
- Local: The authorization token is stored in C:\Users\\AppData\Roaming\UiPath\authentication. This token is encrypted using DPAPI.
- Never store: The token is not stored and the prompt for user consent is encountered for each execution.
If OAuth needs to be used in Unattended automation and by different programs, then the following setup needs to be used across all programs:
- DataStoreLocation = Orchestrator in the GSuite Application Scope activity. The token generated can be accessed by all users with rights to the folder.
- OrchestratorFolderPath value should be the same for all the programs.
- The following values should be the same in the 'GSuite Application Scope' activity for all the programs using the OAuth token:
  - Scopes (manually select the scopes instead of Auto to ensure the scopes are the same)
  - Client ID-Client Secret
  - User
In the above setup, when the program is run for the first time, the prompt for User Consent is encountered. When consent is granted, the authorization token will be generated in the Orchestrator folder. All users with rights to the folder will have access to this token.
During subsequent executions, the program searches for an existing token using a hash of the ClientID-ClientSecret and User fields. If a match is found, the user consent prompt is not shown and the authorization token in the Orchestrator folder is used.
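A preflight check for the setup above, as an added example (not UiPath code): it compares the 'GSuite Application Scope' settings of several programs and lists what would stop them from sharing one token. The dictionary keys, sample values and the SHA-256 fingerprint are assumptions for illustration; the hash the activity actually uses is not described on this page.

```python
import hashlib

# Fields the article says must be identical in every program sharing the token.
SHARED_FIELDS = ("orchestrator_folder_path", "scopes", "client_id", "client_secret", "user")

def fingerprint(cfg):
    """Short digest of ClientID-ClientSecret and User, so reports never print the secret.
    SHA-256 is an assumption here, not the activity's documented algorithm."""
    material = "\x00".join([cfg["client_id"], cfg["client_secret"], cfg["user"]])
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def preflight(programs):
    """Return a list of findings; an empty list means the programs can share one token."""
    findings = []
    for name, cfg in programs.items():
        if cfg["data_store_location"] != "Orchestrator":
            findings.append(f"{name}: DataStoreLocation is {cfg['data_store_location']}, not Orchestrator")
        if cfg["scopes"] == "Auto":
            findings.append(f"{name}: scopes set to Auto; select them manually")
    baseline_name, baseline = next(iter(programs.items()))
    for name, cfg in programs.items():
        for field in SHARED_FIELDS:
            a, b = baseline[field], cfg[field]
            if field == "scopes" and "Auto" not in (a, b):
                a, b = sorted(a), sorted(b)  # order of the selected scopes is irrelevant
            if a != b:  # report the field name only, never the value
                findings.append(f"{name}: {field} differs from {baseline_name}")
    return findings

# Constructed sample settings for three unattended programs (all values are made up).
BASE = {"data_store_location": "Orchestrator", "orchestrator_folder_path": "Shared/GoogleAuth",
        "scopes": ["Drive", "Sheets"], "client_id": "example-id.apps.googleusercontent.com",
        "client_secret": "constructed-secret", "user": "robot@example.com"}
PROGRAMS = {
    "InvoiceBot": dict(BASE),
    "ReportBot": dict(BASE, scopes=["Sheets", "Drive"]),
    "MailBot": dict(BASE, data_store_location="Local", user="other@example.com"),
}

if __name__ == "__main__":
    for name, cfg in PROGRAMS.items():
        print(name, fingerprint(cfg))
    for finding in preflight(PROGRAMS):
        print("FAIL", finding)
```

Because the token stored in the Orchestrator folder is not encrypted and is readable by every user with rights to that folder, run a check like this alongside a review of who holds those folder rights.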
Another available option is using the respective Google connectors in Integration Services: