google / gmail-oauth2-tools

Tools and sample code for authenticating to Gmail with OAuth2
Apache License 2.0

SMTP with XOAUTH2 #65

Closed murraycollingwood closed 10 months ago

murraycollingwood commented 11 months ago

Please help

I've been struggling for months to find the correct solution to using XOAUTH2 authentication when sending emails via SMTP. The only complication is that some of the emails are generated by overnight (eg batch) processes, so we can't use a redirect_uri ever.

I've found examples that work with IMAP (like this one) but nothing that works with SMTP that can be navigated completely via an API without any human intervention.

a) Is this possible? b) Does this exist? Where?

Any pointers to some sample code would be helpful.

Cheers Murray

junyer commented 11 months ago

> The only complication is that some of the emails are generated by overnight (eg batch) processes, so we can't use a redirect_uri ever.

Is it not "just" a case of obtaining a refresh token once and then providing that to whatever needs to use it?

> I've found examples that work with IMAP (like this one) but nothing that works with SMTP that can be navigated completely via an API without any human intervention.

It's unclear where you were looking? In this repository, there's Java code and Python code that uses both IMAP and SMTP as well as Go code that uses SMTP.

murraycollingwood commented 11 months ago

> > The only complication is that some of the emails are generated by overnight (eg batch) processes, so we can't use a redirect_uri ever.

> Is it not "just" a case of obtaining a refresh token once and then providing that to whatever needs to use it?

In this example (https://oauth2-client.thephpleague.com/usage/) we retrieve a provider using an API call that requires a "redirect_url". I couldn't find any examples where this wasn't the case.

> > I've found examples that work with IMAP (like this one) but nothing that works with SMTP that can be navigated completely via an API without any human intervention.

> It's unclear where you were looking? In this repository, there's Java code and Python code that uses both IMAP and SMTP as well as Go code that uses SMTP.

Sorry, I'm only reading the php - I assumed php would have the same functionality as the others.

Cheers Murray


-- Murray Collingwood Focus Computing

Australia ph 07 3175 0575 New Zealand ph 03 928 1699

http://www.focus-computing.com.au

junyer commented 11 months ago

> In this example (https://oauth2-client.thephpleague.com/usage/) we retrieve a provider using an API call that requires a "redirect_url". I couldn't find any examples where this wasn't the case.

As per https://developers.google.com/identity/protocols/oauth2/resources/oob-migration, Google no longer supports the use of the OAuth2 OOB flow, so a redirect URI will always be required. However, https://github.com/thephpleague/oauth2-google does cover obtaining a refresh token once and subsequently exchanging it as needed for an access token, at which point the redirect URI shouldn't be involved. I'm completely unfamiliar with the PHP ecosystem, alas, so I don't have recommendations regarding SMTP libraries that support OAuth2.

murraycollingwood commented 10 months ago

Hi Paul

Thanks for your help so far. Unfortunately I haven't got very far....

I'm setting up the connection using google, it looks a bit like this:

```php
use League\OAuth2\Client\Provider\Google;

$provider = new Google([
    'clientId'     => $smtp["clientId"],
    'clientSecret' => $smtp["secretKey"],
    'access_type'  => "offline",
    'redirect_uri' => "https://sobs.com.au/ui/xoauth2config.php?schoolid=15"
]);

// If we don't have an authorization code then get one
$authUrl = $provider->getAuthorizationUrl();
$_SESSION['oauth2state'] = $provider->getState();

error_log("authUrl: authUrl = $authUrl"); // We never get here!!!

header('Location: ' . $authUrl);
exit;
```

Something has gone terribly wrong. We get to the top of this code but never to the error_log.

Do you have any pointers as to where I should be looking? Are there any debug options with the Google library?

Cheers Murray


junyer commented 10 months ago

> 'access_type' => "offline", 'redirect_uri' => "https://sobs.com.au/ui/xoauth2config.php?schoolid=15"

Those keys should be accessType and redirectUri, respectively, I believe?

> Do you have any pointers as to where I should be looking? Are there any debug options with the Google library?

Sorry, I know nothing about https://github.com/thephpleague/oauth2-google beyond what I saw in their README.md file. (And the only reason I know of it is because you had linked to their documentation previously.) I suggest asking for some help over on their issue tracker? I note that @shadowhand landed a few commits yesterday, so it's evidently still actively maintained. :)

murraycollingwood commented 10 months ago

Hi Paul

We're starting to make some progress - I now have an accessToken, a refreshToken and an expiry date/time. The expiry isn't clear, is it an expiry for the accessToken or the refreshToken or both? Does the refreshToken actually expire???

I ran it again and the second time I only received an accessToken, no refreshToken. Are there some rules around issuing refreshTokens???

Cheers Murray


junyer commented 10 months ago

> The expiry isn't clear, is it an expiry for the accessToken or the refreshToken or both? Does the refreshToken actually expire???

A refresh token doesn't expire (AFAIK) whereas an access token does expire. The refresh token will be revoked, I think, when either the user's password is changed or the application's access is removed.

> I ran it again and the second time I only received an accessToken, no refreshToken. Are there some rules around issuing refreshTokens???

I'm not sure, TBH, but setting prompt to consent in addition to setting accessType to offline may or may not help here.

murraycollingwood commented 10 months ago

Thanks Paul

The access tokens and refresh tokens are now working. The prompt=consent was required to get the refresh token to be returned.

Now I'm trying to work out how to pass the access token to the PHP Mailer - not that easy, but that's a problem for another group.

Thanks again for your help.

Cheers Murray


junyer commented 10 months ago

You're welcome. Glad to help. :)
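The unattended flow this thread converges on (obtain a refresh token once with offline access and prompt=consent, then exchange it for short-lived access tokens with no redirect URI) can be sketched as follows. This is an added example, not code from the repository or from either participant; the class and function names are hypothetical, and the HTTP call and clock are injectable so it can be exercised offline.

```python
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://oauth2.googleapis.com/token"  # Google's OAuth2 token endpoint


def http_post_form(url, fields):
    """POST form fields and return the decoded JSON body (error bodies included)."""
    data = urllib.parse.urlencode(fields).encode()
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=data), timeout=10) as r:
            return json.load(r)
    except urllib.error.HTTPError as e:  # OAuth2 errors arrive as JSON in the error body
        return json.load(e)


class RefreshTokenRevoked(Exception):
    """The stored refresh token no longer works; a human must re-consent."""


class GmailTokenSource:  # hypothetical helper for a batch job
    def __init__(self, client_id, client_secret, refresh_token,
                 post=http_post_form, clock=time.time):
        self._creds = {"client_id": client_id, "client_secret": client_secret,
                       "refresh_token": refresh_token, "grant_type": "refresh_token"}
        self._post, self._clock = post, clock
        self._access_token, self._expires_at = None, 0.0

    def access_token(self, skew=60):
        """Return a cached access token, refreshing it shortly before expiry."""
        if self._access_token is None or self._clock() >= self._expires_at - skew:
            reply = self._post(TOKEN_URL, self._creds)  # no redirect URI involved
            if reply.get("error") == "invalid_grant":
                raise RefreshTokenRevoked(reply.get("error_description", ""))
            if "access_token" not in reply:
                raise RuntimeError("token refresh failed: %s" % reply.get("error"))
            # expires_in applies to the access token only; the reply normally
            # carries no new refresh token, so the stored one is kept.
            self._access_token = reply["access_token"]
            self._expires_at = self._clock() + int(reply.get("expires_in", 0))
        return self._access_token

    def xoauth2_string(self, user):
        """Base64 SASL XOAUTH2 initial response for SMTP 'AUTH XOAUTH2 <string>'."""
        raw = "user=%s\x01auth=Bearer %s\x01\x01" % (user, self.access_token())
        return base64.b64encode(raw.encode()).decode()
```

The refresh token is a long-lived credential for the mailbox, so the batch job should read it from a secret store and never log it or the XOAUTH2 string. With Python's smtplib the string is sent after EHLO and STARTTLS as `docmd("AUTH", "XOAUTH2 " + s)`.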