I'm writing a desktop application that can access GMail via IMAP. But I'm not sure if I implemented OAuth correctly.
MailKit says I should use a Service Account (https://github.com/jstedfast/MailKit/blob/master/FAQ.md#GMailOAuth2)
But Google says a Service Account should only be used if a Service wants to access it's own data, not the data of the user. Also I don't know how a different user can login in my application then.
I also found this tutorial and it's working for me (https://www.limilabs.com/blog/oauth2-gmail-imap-installed-applications)
But I don't know if it's a good practice. I can't hide the "ClientSecret" if I want do deploy my application. How to solve this? Also the user has to copy the auth key manually from the browser into the application.
Can someone suggest a quick, but state of the art solution? I'd like to build a Mail application and not an Oauth application ):
Related
How do third party mailapps like samsung email and many others get access to exchange data without being registred as a application in the azure ad?
Every guide about exchange authentification (OAuth) i found online had the requirement to register your application in the azure active directory before it can be used to read mails etc. But if that's the case, how do widespreaded mailapps like samsung deal with this problem? They are never listed as an registerted application, yet they have full access on your mails, calendar etc. In real-time too.
I try to solve this with an app that is written in c# using the .net framework. I dont know if that is already a problem in that regard.
How do third party mailapps like samsung email and many others get
access to exchange data without being registered as a application in
the azure ad?
Samsung have their own Azure Application registration that must be consented to its generally done once by the tenant admin.
There is a good reason for the consent framework to allow both control of what applications can access data but also to allow for the correct auditing of the access. If you want to know what App registration a particular mail client is using just look at the Azure Signin logs. Another recent case was around this Apple's mail app see https://practical365.com/microsoft-auto-update-apple-mail-app-profiles/
I have a Windows Service which currently sends emails of office 365 users using their email and password via the older smtp method.
Microsoft is turning this ability off very soon.
Currently I use mailkit and c# within a windows service
The only details I have are the users smtp username and password
My app has no user interaction ability as it runs on another box
I have read many ways about how to send email with oauth2 and ms and it seems a lot of people do it differently, and their is no clear path. I have seen such as using ms azure registered applications and different azure library's.
So my question is, what is the easiest route to take regarding a new non user inactive service being able to still send email on behalf of a user.
Most of the users I deal with are not able to setup up azure and it's products as their are small companies with limited it support.
I feel like I have perhaps gone down the wrong path of trying to use azure graph
So what is the correct, most similar to smtp and simple route to recreate a simple email sending windows service using c#
Thank you for your time in reading this
As far as I know Microsoft usually recommends the use of the GraphApi for this stuff.
The preferred way would be to use delegated permissions, i.e. your application has the permission to send an email in the name of the logged in user. If I understood you correctly that is not an option for you because you want to send the mails from a non-interactive background service.
That means that you application itself needs the permission to send an email in any users name. Obviously this is a much broader permission and you should think about if you really want to do it this way. Also, if you are in some kind of corporate context, you might also have to involve and get consent from the data protection officer or the like.
On the technical side such a permission is called an "application permission" thus you need the Mail.Send application permission which requires admin consent i.e. not the individual users of your application decide if they what to give you permission to send mail in their name (this would be delegate permissions) but an AAD admin has to consent for all of them at once.
See https://learn.microsoft.com/en-us/graph/api/user-sendmail?view=graph-rest-1.0&tabs=http#permissions
and https://learn.microsoft.com/en-us/graph/permissions-reference#application-permissions-38
I've read some related questions, but they are not 100% related, as the requirements vary a bit.
I have a .NET5 web application, some kind of custom CRM for the company I work in.
We have multiple users (employees, my colleagues), which can create quotations, etc.
Also, they can send these quotations to customers. Every user has its email account name attached to it.
The current way this application works is that I've created and enabled Gmail API for each email account, and authorized it, by myself, manually.
The problem is that every time we need to add a new user (new employee for instance) - I need to enable Gmail API of his email account (company's one, but it doesn't matter), add the credential file and token manually to the server, authenticate it, and only then - the application can use the email.
I know that there are many sites (like Monday, etc) - that have automations and integrations with Gmail, and any time I want some integration - I get notified with the OAuth screen, and approve it. I want the same thing in my application.
I understand that I have to create some kind on "Gmail global credential", which will be "added" with account tokens or something like that (every app user will oauth and allow access)?
Just can't find the correct documentation for it.
My backend is written in Blazor Server, .NET5.
I would appreciate if one could explain the main stages of this procedure.
Thanks!
I am looking to integrate Gmail API in our .Net project (Both Windows & Web) so that user can send email or read users inbox, their list of folders (i.e. labels) and their respective mail to import in to our system.
During my initial research through google api documentation; Below are couple of questions come across:
For OAuth 2.0; OAuth credential needs to be created for type of application in google api console. I wanted to create wrapper around Gmail API (i.e. MyGmailAPIClass) so that same class can be shared between my windows & web projects along with common OAuth mechanism.
a. Do I need to create separate OAuth credential for Windows & Web and hence the OAuth implementation will differ based on type of application?
b. Can we use the same OAuth Credential for different types of application like windows, web or mobile apps? If yes; how can we achieve that?
I came across Service Account Credential stuff; Can we use that for application to access users email for sending and retrieving? How can we achieve that?
For Access and Refresh token; if we don’t store in some file or database; user consent screen will be prompted every time when user come to our application next time? I am not able to figure out valid use case for storing in file or database. The reason why I asked this because when In .net console sample; I turned off that mechanism after first successful sign-in when I again run the console sample again it will not show consent screen for granting permission?
Please suggest how should i proceed !! It would be good if someone can give any direction and also reference some working example.
I'm trying to use the Office 365 api inside a Windows Service to link e-mails to in-house projects.
I've been able to authenticate myself using the Office 365 API documentation
Although I have some problems/questions.
First problem:
await outlookClient.Me.Folders["inbox"].Messages.ExecuteAsync();
Isn't working for me, I don't get any response, even after 5 min...
Another question is:
Is it possible to never ask for the office365 credentials when starting the program?
Because this is running in a windows Service.
Did anybody successfully implement this?
If so: Is it possible to get a full working example?
I've been trying different things now, but much examples are for asp.net of other where an authentication is always required.
I haven't done a service specifically, but it should work if you use the client credential auth flow.
That flow would give you the unattended scenario you want for a service. However, there does have to be consent at some point. The way it works with client credential flow is you would have a signup web page. An administrator from the Office 365 org would go that page and login and grant consent to your app. This would be a onetime thing. Your app would then be able to get a token silently that grants access to all mailboxes in the organization.