I want to create a ticket in our system when somebody sends an email to support@mydomain.com. I'm using the Gmail API to read new messages from that Gmail account.

Currently I'm using a service account and domain-wide delegation (DWD) for authentication.

The problem is that with DWD I can access all user accounts in my organization, and this is what I want to avoid.

Is it possible to configure the service account so that it has access to only one user account? Or can I generate and use a private key for a single user account instead of a service account with DWD?

Linda Lawton - DaImTo
AnnaW
  • Service accounts are all or nothing. – Linda Lawton - DaImTo Mar 08 '22 at 09:51
  • Can I use the Gmail API without a service account? Without any user interaction - this is server-to-server communication. – AnnaW Mar 08 '22 at 10:12
  • No, you will need to authorize the user at least once. This is private user data; the user must consent to your access. If you have a Workspace domain account, this is done by the admin when they configure DWD. – Linda Lawton - DaImTo Mar 08 '22 at 13:17
  • @DaImTo what do you mean by "at least once"? If I do this once, how can I get a new token when this one expires? I guess I need to authorize the user once again, am I right? If yes - do I need user interaction every time the token expires? – AnnaW Mar 14 '22 at 08:44
  • If this is a standard Gmail account, you will need to use OAuth2. You can get a refresh token back and use the refresh token to request a new access token. This can be done by requesting consent from the user once. The refresh token will not expire in your production application unless the user revokes access. If you have a Workspace account, then you could set up a service account, which would not require any user interaction. – Linda Lawton - DaImTo Mar 14 '22 at 08:58

0 Answers
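The refresh-token renewal described in the last comment, as an added example that is not part of the original thread: it builds the OAuth2 `refresh_token` request for Google's token endpoint and separates a normal renewal from the revoked-consent case, where only a new consent by the mailbox owner helps. A token obtained this way is bound to the single account that consented. The client ID, client secret and refresh token are placeholders, and the sample responses are constructed.

```python
import json
import time
import urllib.parse

TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"


class ConsentRequired(Exception):
    """The refresh token is no longer valid; the mailbox owner must consent again."""


def build_refresh_request(client_id, client_secret, refresh_token):
    """Return (url, headers, body) for the OAuth2 refresh_token grant (RFC 6749, section 6)."""
    body = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_ENDPOINT, headers, body


def parse_token_response(status, raw_body, now=None):
    """Turn a token-endpoint response into (access_token, expires_at)."""
    now = time.time() if now is None else now
    data = json.loads(raw_body)
    if status == 200 and "access_token" in data:
        # Renew 60 s early so no request goes out with a token about to expire.
        return data["access_token"], now + int(data.get("expires_in", 0)) - 60
    if data.get("error") == "invalid_grant":
        # Revoked or invalidated refresh token: retrying cannot help.
        raise ConsentRequired(data.get("error_description", "invalid_grant"))
    raise RuntimeError(f"token endpoint returned {status}: {data.get('error')}")


# Constructed sample responses (not captured from a real account).
SAMPLE_OK = b'{"access_token": "ya29.constructed", "expires_in": 3599, "token_type": "Bearer"}'
SAMPLE_REVOKED = b'{"error": "invalid_grant", "error_description": "Token has been expired or revoked."}'

if __name__ == "__main__":
    # Placeholder credentials; send `body` with any HTTP client as a POST to `url`.
    url, headers, body = build_refresh_request("CLIENT_ID", "CLIENT_SECRET", "REFRESH_TOKEN")
    print(url, body.decode())
    print(parse_token_response(200, SAMPLE_OK, now=1000.0))
```

Store the refresh token and client secret like any other long-lived credential, and alert on `ConsentRequired` rather than retrying, since the ticket import stops until consent is renewed.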