Open frank4040 opened 2 months ago
Davilarek
commented
2 months ago I'm experiencing a similar issue. I also enabled logging to see what's going on.
C: A00000001 AUTHENTICATE XOAUTH2
S: +
C:
S: +
C:
S: +
C:
S: +
C:
S: +
C:
S: +
C:
S: +
C:
S: +
C:
S: +
C:
S: * BYE Too many commands before auth Looks like MailKit "forgets" to actually send the authentication info and the connection cuts by the server.
jstedfast
commented
2 months ago @Davilarek If I were to guess, you are trying to reuse a SaslMechanismOAuth2 instance without first resetting it.
If you are going to reuse a SaslMechanism instance, you MUST call SaslMechanism.Reset() first.
@frank4040 it might help if you could get a protocol log - the server response might contain useful info (the base64 encoded blob that it sends back after a failed authentication).
Odds are high that I'm not going to be able to help you, though, because OAuth2 is impossible to debug from the client side. You will likely need to reach out to Google for assistance.
frank4040
commented
2 months ago @jstedfast, this is the log I get:
Connected to imaps://imap.gmail.com:993/ S: OK Gimap ready for requests from aaa.bbb.ccc.ddd cf29mb85450632edb C: A00000000 CAPABILITY S: CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN X-GM-EXT-1 XYZZY SASL-IR AUTH=XOAUTH2 AUTH=PLAIN AUTH=PLAIN-CLIENTTOKEN AUTH=OAUTHBEARER S: A00000000 OK Thats all she wrote! cf29mb85450632edb C: A00000001 AUTHENTICATE XOAUTH2 **** S: + eyJzdGF0dXMiOiI0MDAiLCJzY2hlbWVzIjoiQmVhcmVyIiwic2NvcGUiOiJodHRwczovL21haWwuZ29vZ2xlLmNvbS8ifQ== C: S: A00000001 NO Lookup failed cf29mb85450632edb C: A00000002 LOGOUT S: * BYE Logout Requested cf29mb85450632edb S: A00000002 OK Quoth the raven, nevermore... cf29mb85450632edb
Of course it's possible my service account is not set up correctly. But if i would know the correct Google cloud settings (in terms of roles, rights, permissions, keys, or whatever) then I can easily set that up since I have full control in the cloud console.
Just a simple roadmap to have the basics working is essentially all I need. Already gone through your page at https://github.com/jstedfast/MailKit/blob/master/GMailOAuth2.md, but there is no service account section.
Hope this logging helps in getting me out of the dirt!
frank4040
commented
2 months ago @jstedfast Decoded the base64 and it says: {"status":"400","schemes":"Bearer","scope":"https://mail/google.com"}
Above log was btw with the service account, this is the log using the real google account. (that should be used in the SaslMechanismOAuth2 instead of the service account, as you stated in some other posts about this subject)
Connected to imaps://imap.gmail.com:993/ S: OK Gimap ready for requests from a.b.c.d h10mb26400215ede C: A00000000 CAPABILITY S: CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN X-GM-EXT-1 XYZZY SASL-IR AUTH=XOAUTH2 AUTH=PLAIN AUTH=PLAIN-CLIENTTOKEN AUTH=OAUTHBEARER S: A00000000 OK Thats all she wrote! h10mb26400215ede C: A00000001 AUTHENTICATE XOAUTH2 **** S: + eyJzdGF0dXMiOiI0MDAiLCJzY2hlbWVzIjoiQmVhcmVyIiwic2NvcGUiOiJodHRwczovL21haWwuZ29vZ2xlLmNvbS8ifQ== C: S: A00000001 NO [AUTHENTICATIONFAILED] Invalid credentials (Failure) C: A00000002 LOGOUT S: * BYE Logout Requested h10mb26400215ede S: A00000002 OK Quoth the raven, nevermore... h10mb26400215ede
Slightly different, but still failing. However, hope this gives some new clues. The returned base64 has the same content: {"status":"400","schemes":"Bearer","scope":"https://mail/google.com"}
jstedfast
commented
2 months ago You could try using credential.ClientEmail. Perhaps that's what it wants.
frank4040
commented
2 months ago @jstedfast In the Google's 'ServiceAccountCredential' object there is no member by that name. There is a "client_email" in the json structure, but that is the service account (SERVICEACCOUNTNAME@PROJECTID.iam.gserviceaccount.com) which I already tried.
So taking one step back... I already receive an accesstoken from google, so that leads me to think that google at least 'opens the gate' for me (sort-a-speak). I guess the 'client.Authenticate(oauth2)' step is where MailKit basically asks google: 'can I please use the inbox for IMAP access with this useraccount and this accesstoken that you previously supplied'. And that is where it seems to go wrong.
Honestly, I think it is entirely possible that I am missing some project setting in the google cloud console, like a hidden checkbox somewhere that needs ticked, a missing permission, etc.
So is there a general/practical usecase where MailKit has actually worked with a google service account? And if so, what should be the settings (if any) in the google cloud console?
At this point I don't really care about security, just functionality. So I have no problem setting everything 'open' to the world, as long as I can read mails. Al the finetunings can come later.
jstedfast
commented
2 months ago In the Google's 'ServiceAccountCredential' object there is no member by that name. There is a "client_email" in the json structure, but that is the service account (SERVICEACCOUNTNAME@PROJECTID.iam.gserviceaccount.com) which I already tried.
👍
So is there a general/practical usecase where MailKit has actually worked with a google service account? And if so, what should be the settings (if any) in the google cloud console?
There's nothing that I know of that I can just point to, unfortunately, because of the nature of open source (kinda can't go checking-in code with credentials into a public repo).
I know for sure that I have personally gotten it to work in the past and I'm pretty sure I just used the normal email address for my account, but this was probably going on 4-5 years ago at this point and is what I based some of my original documentation on.
The best I can suggest to you is to go back to the docs and reread them and follow the steps to make sure you didn't miss anything.
Verify that you set the proper scope (https://mail.google.com and not SMTP.Send or whatever they called it).
You could also try setting up an app-specific password (not sure if that is still an option, but it used to be) to bypass OAuth altogether.
I truly hate OAuth. I get so many questions every week from people who are struggling with setting it up and I can never help them because all I can say is "RTFM". There's absolutely nothing I can do from my end or MailKit's end. It's all up to you to properly configure it. I don't even know what options are available in Google's configuration screens anymore.
FWIW, Both Google and Microsoft essentially consider IMAP/SMTP/etc to be "dead" and don't really want you using those protocols anyway. They want you to use their HTTP REST APIs:
frank4040
commented
2 months ago Yeah... 2 years ago I already had to implement MS Graph support, which succeeded by the way. I was able to create a flow where I read mail messages in a stream and directly pass it to my good old parsing routine wich uses a MimeKit object for all content parsing (message = MimeKit.MimeMessage.Load(stream)). So luckily I could get away with just some fetching logic.
In this case, I at least already found a way to extract a simular format (.eml) using the Google API GmailService(), so in that regard I can hopefully blend it in smoothly, using this Google API (again) for just the fetching part.
The only wall I keep hitting is that even Google's own API does not seem to accept a service account, only a standard 'OAuth Client ID' which gives me a browser page for consent.
And although that works in my simple console testapp (I can fetch mails after the consent), this cannot be used in our production env because we use a Windows Service to fetch mails and store them in a database, all in the background, fully unattended, for numerous mailboxes. And this service (obviously) has no user interface, plus no one is logged into the server where this service runs. And even when someone would occasionally log in, it wil never be under the same username as the service. So no one will ever be able to see a consent screen (I think, didn't try. But is unacceptable anyway, I guess the service would even get stuck immediately and stops processing altogether, waiting for a response that never comes).
It's all very frustrating, since most Google docs seem out of date or broken. Links don't work like they should, most info and code is obsolete, it's a real mess.
In about a month time it becomes mandatory to use Oath when fetching mails from gmail, so I hope I will find a solution before then (fingers crossed).
But thanks for everything!
(When I find a solution, I will post it here for others)
gdetra
commented
3 weeks ago Hi I have the same problem! Simeone found solutions to that?
I am really having trouble getting through the 'Authenticate' step in MailKit. I need to use a Google Service Account since I read all mails in the background from a Windows Service without any user interface. I can already get a token, but the final 'Authenticate' step still fails. Tried about a thousand things, to no avail. In the Google Cloud console, I created a new custom Role with these permissions: iam.serviceAccounts.get iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.implicitDelegation iam.serviceAccounts.list iam.serviceAccounts.signBlob iam.serviceAccounts.signJwt (I selected about all that could even remotely be associated with tokens and service accounts)
Then I added this role to the Service Account, both the gserviceaccount.com as my own. I created a KEY and downloaded the JSON file. The content of that is in my JSONdata variabele. Like this (a bit scrambled here and there)
And this is basically what I have so far:
`
`
Output:
I even took these steps with both my personal gmail account as wel as my corporate account, but same results.
It's really driving me crazy, I already spent several days on this. What am I doing wrong here? Hope someone can help!