
Google App Engine Server to Server OAuth Python

I can't find a solution to authorize server-to-server authentication using Google SDK + Python + Mac OS X + Gmail API.

I would like to test the Gmail API integration in my local environment before publishing my application in GAE, but until now I have had no results using the samples that I found in the Gmail API or OAuth API documentation. During all tests I received the same error "403-Insufficient Permission" when my application was using a GCP Service Account, but if I converted the application to use a User Account everything was fine.

A service account isn't you; it's its own user. Even if you could access Gmail with a service account, which I doubt, you would only be accessing the service account's Gmail account (which I don't think it has) and not your own.

To my knowledge the only way to access the Gmail API is with OAuth2.

Service accounts can be used to access some of the Google APIs, for example Google Drive. The service account has its own Google Drive account; files will be uploaded to its Drive account. I can give it permission to upload to my Google Drive account by adding it as a user on a folder in Google Drive.

You can't give another user permission to read your Gmail account, so again the only way to access the Gmail API will be to use OAuth2.

I suggest you go for three-legged OAuth 2.0. For more information on this, please visit my answer here

The related term "three-legged OAuth" refers to scenarios in which your application calls Google APIs on behalf of end users, and in which user consent is sometimes required.

I think you have to use three-legged OAuth 2.0; two-legged OAuth 2.0 will not work in your case.

Please read this from developers.google.com

Recommendation: Your application can complete these tasks either by using the Google APIs client library for your language, or by directly interacting with the OAuth 2.0 system using HTTP. However, the mechanics of server-to-server authentication interactions require applications to create and cryptographically sign JSON Web Tokens (JWTs), and it's easy to make serious errors that can have a severe impact on the security of your application.

For this reason, we strongly encourage you to use libraries, such as the Google APIs client libraries, that abstract the cryptography away from your application code.
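The user-consent legs of the three-legged flow recommended above can be sketched with the standard library alone. This is an added example, not code from the question or the answers: the function names, the client ID and the localhost redirect URI are hypothetical, and the PKCE challenge and `state` check go beyond what the answers mention.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
GMAIL_SCOPE = "https://www.googleapis.com/auth/gmail.readonly"

def begin_authorization(client_id, redirect_uri):
    """Leg 1: build the consent URL the end user is redirected to."""
    state = secrets.token_urlsafe(32)       # binds the callback to this session
    verifier = secrets.token_urlsafe(64)    # PKCE secret, never leaves the server
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": GMAIL_SCOPE,               # request only the scope that is needed
        "access_type": "offline",           # ask for a refresh token
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    session = {"state": state, "code_verifier": verifier,
               "client_id": client_id, "redirect_uri": redirect_uri}
    return AUTH_ENDPOINT + "?" + urlencode(params), session

def handle_callback(callback_url, session):
    """Leg 2: validate the redirect, then return the token-request form fields."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:                    # e.g. the user declined consent
        raise PermissionError(query["error"][0])
    returned = query.get("state", [""])[0]
    if not hmac.compare_digest(returned.encode(), session["state"].encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    # Leg 3 posts these fields (plus the client secret from server-side
    # configuration) to the token endpoint; a client library can do that step.
    return {"grant_type": "authorization_code", "code": code,
            "client_id": session["client_id"],
            "redirect_uri": session["redirect_uri"],
            "code_verifier": session["code_verifier"]}
```

Keep the returned session dictionary server-side between the two legs; a callback whose `state` does not match is rejected before any code is exchanged.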
