Last month i finished working on a GAE app with Python which makes extensive use of various Google APIs for managing the google resources within the company's domain by the google admin. The app was finished!!!, but this month google announced that the EmailSettings API which i am currently implementing is no longer supported and the email settings will migrate to the Gmail API; so far they have migrated some of the settings (i.e. send-as alias, forwarding, vacation responder and signature). On the migration documentation that google put together, they point out the major differences between the two APIs as well as a somewhat vague reference on how to migrate it. Anyhow, i am currently trying to implement the new API to modify send-as settings using a service account. Here's how i am creating the service for the service account (again, this is Python):
scopes = ['https://mail.google.com/', 'https://www.googleapis.com/auth/gmail.settings.basic', 'https://www.googleapis.com/auth/gmail.settings.sharing']
email = "username@domain.bla"
credentials = oauth2.service_account.build_credentials(scope=scopes, user=me)
http = httplib2.Http()
credentials.authorize(http)
service = google_api_helper.build("gmail", "v1", credentials)
body = {'emailAddress':'anotheruser@domain.bla'}
service_2.users().settings().updateAutoForwarding(userId="me", body=body).execute()
In this particular example, i am trying to update the AutoForwarding setting, but it's the same scenario and error as some of the send-as settings. The problem i am having is the following; for the "delicate settings" as google calls them i need to use the scope: 'https://www.googleapis.com/auth/gmail.settings.sharing', which needs a service account to be created for it to work.
Whenever i try to use it though, i get a 500 error message:
HttpError: https://www.googleapis.com/gmail/v1/users/me/settings/autoForwarding?alt=json returned "Backend Error">
Why i am getting this error if i am authenticating the domain-wide access to the service account, is this an API error or is it the way i am currently implementing the oauth2 authentication? I have tried several implementations without success:
Using application Default Authentication:
credentials = GoogleCredentials.get_application_default()
httpauth = credentials.authorize(Http())
service = build("gmail", "v1", http=http_auth)
aliases_2 = service.users().settings().sendAs().list(userId="username@domain.bla").execute()
Using the updated oauth2client library and through a local json file:
credentials_new = ServiceAccountCredentials.from_json_keyfile_name("app/service_account_key.json", scopes)
delegated_credentials = credentials_new.create_delegated(sub="username@domain.bla")
http_auth = delegated_credentials.authorize(Http())
service = build("gmail", "v1", http=http_auth)
Using the outdated oauth2client library and using the SignedJwtAssertionCredentials function which is no longer supported in the new implementation of the library:
credentials = SignedJwtAssertionCredentials(str(settings['oauth2_service_account']['client_email']).encode('utf-8'), settings['oauth2_service_account']['private_key'], scope=scopes, sub="username@domain.bla")
auth2token = OAuth2TokenFromCredentials(credentials)
# With this implementation i was able to provide the google admin account which is supposed to have super admin access to the "sub" parameter, this used to work for the EmailSettings API, but for this new implementation you need to pass the email of the user you are trying to gain access to.
# build service
# call API
With all 3 implementations i was able to make calls to the basic scope, but whenever i tried to make any changes to any settings under the umbrella of the settings.sharing scope, i got the backend error message. This is driving me crazy and i just finished this app!!!! if you have any ideas or if you have ran into this issue before, please let me know!!!!! ...
Update: As of 2016-08-11, this issue should be fixed.
As of 2016-07-27, there is a bug in the authorization backend that is leading to this error, although it only appears to affect certain domains / users. We are working on a fix. Please star this issue to get updates.