Tags: gmail, gmail-api, google-workspace

Gmail API - has something changed permissions wise for government accounts?


We've had tens of thousands of users using our app that integrates with the Gmail API for 7 years or so, however in the past week or so we've suddenly seen widespread failures (401 responses), but only for government customers based in the US.

I've managed to obtain a trace from one of our customers of the HTTP traffic between our app and the Gmail server:

Request

I have abbreviated the access token here for brevity / security, but I have confirmed the actual value in the header matches the access token received from Google. I have also abbreviated the multipart MIME message and changed the customer's email address.

POST https://www.googleapis.com/upload/gmail/v1/users/me/drafts?uploadType=multipart HTTP/1.1
Content-Type: multipart/related; boundary="f31e2e89cedf4242be6fcbe5e793173e"
User-Agent: Affixa Enterprise 1.2021.3.15
Authorization: Bearer ya29.A0ARrdaM8v6BZrUpbTJb...N2wbiX8Ej9vY
Host: www.googleapis.com
Content-Length: 8249
Expect: 100-continue

--f31e2e89cedf4242be6fcbe5e793173e
Content-Type: application/json; charset=UTF-8

{}
--f31e2e89cedf4242be6fcbe5e793173e
Content-Type: message/rfc822

MIME-Version: 1.0
X-Mailer: Affixa Enterprise 1.2021.3.15
From: [email protected]
Subject: LogCrossSearchResult_22A0XSR5009663_2022-03-23-15-13.csv
Date: Thu, 31 Mar 2022 10:39:19 -0500
Message-ID: <[email protected]>
Content-Type: multipart/mixed;
    boundary="----=_NextPart_001_2C7F_AA3B1314.8E6FEB65"


------=_NextPart_001_2C7F_AA3B1314.8E6FEB65
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_1462_A4B24415.C610B984"


------=_NextPart_000_1462_A4B24415.C610B984
Content-Type: text/plain;
    charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Response

HTTP/1.1 401 Unauthorized
X-GUploader-UploadID: ADPycdsnG_KOSQm3Cok7zCHHavR5wr0elW-o3cMbzRCP2OGTULeAdvCIbIQ7xFF6MCf7EAsBrjzNI-TBVa_5spdFcnLGQyFNPQ
WWW-Authenticate: Bearer realm="https://accounts.google.com/"
Vary: Origin
Vary: X-Origin
Vary: Referer
Content-Type: application/json; charset=UTF-8
Content-Length: 507
Date: Thu, 31 Mar 2022 15:39:19 GMT
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"

{
  "error": {
    "code": 401,
    "message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
    "errors": [
      {
        "message": "Invalid Credentials",
        "domain": "global",
        "reason": "authError",
        "location": "Authorization",
        "locationType": "header"
      }
    ],
    "status": "UNAUTHENTICATED"
  }
}

Nothing has changed in the software or with our application's registration in the Google Developer Console.

FWIW, our application hasn't been reviewed by Google, however neither does it need to be as a business-facing application that's installed from the Workspace Marketplace. The application can only be used by an entire Workspace organisation and installed by an Admin; it can't be installed on a per-user basis.

The customer has confirmed that all the required scopes are still granted:

[Screenshot: Customer settings in Admin Portal]

Has something changed that I'm not aware of?


Solution

  • I've now figured out the problem - and it's nothing to do with what the 401 error message suggests.

    Our application is written in C# and is attempting to use TLS 1.0 by default. When we force it to use TLS 1.2, it works absolutely fine.

    So the real problem is the cryptography ciphers used in the HTTPS connection and is nothing to do with the Authorization header, etc.

    I'm guessing non-governmental accounts are still OK with TLS 1.0 for the moment?
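The answer's diagnosis (a 401 that is really a TLS-version failure) is easy to confirm and to fix from the client side. The following console program is an added example, not code from the question, the answer, or the Affixa product; it assumes .NET Framework 4.8 or .NET 6+, a host of www.googleapis.com, and an OAuth access token supplied through a hypothetical GMAIL_ACCESS_TOKEN environment variable (the fallback value is a labelled placeholder, not a credential). It first performs a bare TLS 1.2 handshake to the API host and reports the negotiated protocol, then pins the process and a specific HttpClient to TLS 1.2 or better and calls a read-only Gmail endpoint that requires the same bearer token as drafts.create.

```csharp
// Added example, not the original poster's code. Assumptions: .NET Framework 4.8 or .NET 6+,
// and an access token in the (hypothetical) GMAIL_ACCESS_TOKEN environment variable.
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Threading.Tasks;

static class GmailTlsCheck
{
    const string Host = "www.googleapis.com";

    // Step 1: separate the TLS layer from the Authorization header.
    // A bare handshake restricted to the given protocol set; returns what was negotiated
    // or throws AuthenticationException if the server refuses every offered version.
    static SslProtocols HandshakeWith(SslProtocols allowed)
    {
        using (var tcp = new TcpClient(Host, 443))
        using (var tls = new SslStream(tcp.GetStream(), leaveInnerStreamOpen: false))
        {
            // checkCertificateRevocation: true keeps normal OS certificate validation in force.
            tls.AuthenticateAsClient(Host, null, allowed, true);
            return tls.SslProtocol;
        }
    }

    // Step 2: the fix the answer describes, made explicit.
    // On .NET Framework 4.5/4.6 the process default still offers TLS 1.0, so the protocol
    // list has to be pinned. On 4.7+ Microsoft's guidance is SystemDefault, which defers to
    // the OS (Windows 10 / Server 2016 and later negotiate TLS 1.2 by default).
    static void PinTls12OrBetter()
    {
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
        // On .NET Framework 4.7+ prefer: ServicePointManager.SecurityProtocol = SecurityProtocolType.SystemDefault;
    }

    // Step 3: a cheap authenticated call. users.getProfile needs the same bearer token the
    // failing drafts.create request carried, so a 200 here means token and TLS are both fine.
    static async Task<HttpStatusCode> ProbeGmailAsync(string accessToken)
    {
        var handler = new HttpClientHandler
        {
            // Per-client override of the protocol list (.NET Framework 4.7.1+ / .NET Core 2.0+).
            SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13,
        };
        using (var client = new HttpClient(handler))
        {
            client.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Bearer", accessToken);
            var response = await client.GetAsync($"https://{Host}/gmail/v1/users/me/profile");
            return response.StatusCode;
        }
    }

    static async Task Main()
    {
        // Placeholder only; a real run supplies the token via the environment.
        var token = Environment.GetEnvironmentVariable("GMAIL_ACCESS_TOKEN")
                    ?? "<access-token-placeholder>";

        try
        {
            var negotiated = HandshakeWith(SslProtocols.Tls12);
            Console.WriteLine($"TLS 1.2 handshake to {Host}: negotiated {negotiated}");
        }
        catch (AuthenticationException ex)
        {
            Console.WriteLine($"TLS 1.2 handshake to {Host} failed: {ex.Message}");
        }

        PinTls12OrBetter();
        var status = await ProbeGmailAsync(token);
        Console.WriteLine($"users.getProfile over TLS 1.2+: HTTP {(int)status} {status}");
    }
}
```

How to read the result: if the bare TLS 1.2 handshake succeeds and the pinned client gets HTTP 200 while the unmodified application still gets 401 with the same token, the failure is the protocol version, exactly as the answer found. If the pinned client also gets 401, the token itself is the problem and the error body should be taken at face value. The process-wide ServicePointManager setting covers HttpWebRequest and, on .NET Framework, HttpClient (and therefore the Google.Apis client library); on .NET Core / .NET 6+ the per-handler SslProtocols property is the setting that matters.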