- OAuth 2.0 with Gmail over IMAP for web applications (Google.Apis)
- OAuth 2.0 with Gmail over IMAP for web applications (DotNetOpenAuth)
- OAuth 2.0 with Gmail over IMAP for installed applications (Google.Apis)
- OAuth 2.0 with Gmail over IMAP for installed applications (DotNetOpenAuth)
- OAuth 2.0 with Gmail over IMAP for service account (Google.Apis)
- OAuth 2.0 with Gmail over IMAP for service account (DotNetOpenAuth)
OAuth is an open protocol to allow secure API authorization in a simple and standard method from desktop and web applications.
This article describes using OAuth 2.0 to access Gmail IMAP and SMTP servers using .NET IMAP component in installed applications scenario. You can also use OAuth 2.0 for web applications.
Google.Apis
Use Nuget to download “Google.Apis.Auth” package.
Import namespaces:
// c# using Google.Apis.Auth.OAuth2; using Google.Apis.Auth.OAuth2.Flows; using Google.Apis.Auth.OAuth2.Requests; using Google.Apis.Auth.OAuth2.Responses;
' VB.NET Imports Google.Apis.Auth.OAuth2 Imports Google.Apis.Auth.OAuth2.Flows Imports Google.Apis.Auth.OAuth2.Requests Imports Google.Apis.Auth.OAuth2.Responses
Register Application
Before you can use OAuth 2.0, you must register your application using the Google Developers Console.
At least product name must be specified:
Now create credentials:
After you’ve registered, copy the “Client ID” and “Client secret” values, which you’ll need later:
Now we can define clientID, clientSecret and scope variables, as well as Google OAuth 2.0 server addresses. Scope basically specifies what services we want to have access to. In our case it is user’s email address and IMAP/SMTP access:
string clientID = "XXX.apps.googleusercontent.com";
string clientSecret = "IxBs0g5sdaSDUz4Ea7Ix-Ua";
var clientSecrets = new ClientSecrets
{
ClientId = clientID,
ClientSecret = clientSecret
};
var credential = new GoogleAuthorizationCodeFlow(new GoogleAuthorizationCodeFlow.Initializer
{
ClientSecrets = clientSecrets,
Scopes = new[] { GoogleScope.ImapAndSmtp.Name, GoogleScope.EmailScope.Name}
});
Turn on Google+ API
Remember to turn on Google+ API:
It is required to obtain email address of the user.
Obtain an OAuth 2.0 access token
Now we’ll create authorization url:
AuthorizationCodeRequestUrl url = credential.CreateAuthorizationCodeRequest("urn:ietf:wg:oauth:2.0:oob");
Process.Start(url.Build().ToString());
We are using Process.Start here, but you can also embed WebBrowser control in your application.
At this point user is redirected to Google to authorize the access:
After this step user is presented a code that needs to be pasted to your application:
Please note that this code also appears in the title of the browser:
- It is possible to monitor processes on your machine and act automatically when it is there.
- If you use embedded WebBrowser control in your application, you can monitor the HTML document title after any redirect.
Following is a code that reads this code and contacts Google to exchange it for a refresh-token and an access-token:
string authCode = Console.ReadLine();
TokenResponse token = await credential.ExchangeCodeForTokenAsync("", authCode, "urn:ietf:wg:oauth:2.0:oob", CancellationToken.None);
string accessToken = token.AccessToken;
An access token is usually valid for a maximum of one hour, and allows you to access the user’s data. You also received a refresh token. A refresh token can be used to request a new access token once the previous expired.
Access IMAP/SMTP server
Finally we’ll ask Google for user’s email and use LoginOAUTH2 method to access Gmail’s IMAP server:
GoogleApi api = new GoogleApi(accessToken);
string user = api.GetEmailPlus();
using (Imap imap = new Imap())
{
imap.ConnectSSL("imap.gmail.com");
imap.LoginOAUTH2(user, accessToken);
imap.SelectInbox();
List<long> uids = imap.Search(Flag.Unseen);
foreach (long uid in uids)
{
var eml = imap.GetMessageByUID(uid);
IMail email = new MailBuilder().CreateFromEml(eml);
Console.WriteLine(email.Subject);
}
imap.Close();
}
Refreshing access token
An access token is usually short lived and valid for a maximum of one hour. The main reason behind this is security and prevention of replay attacks. This means that for long-lived applications you need to refresh the access token.
Your refresh token will be sent only once – don’t loose it!
We recommend storing entire TokenResponse object received from GoogleAuthorizationCodeFlow.ExchangeCodeForTokenAsync method call. This object contains both: refresh token and access token, along with its expiration time.
The process of refreshing access token is simple:
TokenResponse refreshed = await credential.RefreshTokenAsync("", token.RefreshToken, CancellationToken.None);