'Client is unauthorized to retrieve access tokens using this method Gmail API C#
I am getting the following error when i tried to authorize gmail api using service account
"Client is unauthorized to retrieve access tokens using this method"
static async Task MainAsync()
{
sstageEntities db = new sstageEntities();
//UserCredential credential;
Dictionary<string, string> dictionary = new Dictionary<string, string>();
String serviceAccountEmail =
"xxx.iam.gserviceaccount.com";
var certificate = new X509Certificate2(
AppDomain.CurrentDomain.BaseDirectory +
"xxx-8c7a4169631a.p12",
"notasecret",
X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable);
//string userEmail = "[email protected]";
ServiceAccountCredential credential = new ServiceAccountCredential(
new ServiceAccountCredential.Initializer(serviceAccountEmail)
{
User = "[email protected]",
Scopes = new[] { "https://mail.google.com/" }
}.FromCertificate(certificate)
);
// Create Gmail API service.
var gmailService = new GmailService(new BaseClientService.Initializer()
{
HttpClientInitializer = credential,
ApplicationName = ApplicationName,
});
// Define parameters of request.
var emailListRequest = gmailService.Users.Messages.List("[email protected]");
emailListRequest.LabelIds = "INBOX";
emailListRequest.IncludeSpamTrash = true;
emailListRequest.Q = "from:[email protected] is:unread";
//Get our emails
var emailListResponse = await emailListRequest.ExecuteAsync();
I am using the p12 key which i got while creating service account.But when i run my console app the following error occurs.Any help would be really appreciated.
Thanks in advance !
Solution 1:[1]
The service account needs to be authorized or it cant access the emails for the domain.
"Client is unauthorized to retrieve access tokens using this method"
Means that you have not authorized it properly check Delegating domain-wide authority to the service account
Solution 2:[2]
FWIW, since I'm too new to comment, DalmTo and Shane's answers pointed me in the right direction for my problem, which was that new functionality that I had added to an existing script (PHP) needed authorization of additional scopes for the service account. In my case, I'm working with the GMail API.
Besides the path mentioned in the Google documentation page that Shane cited, you can also go to https://admin.google.com/ac/owl/domainwidedelegation, where you can manage domain-wide delegation in a slightly different interface (I actually prefer it). I got to that page via Security > API Permissions, then clicking on the notice about those settings moving to App Access Control, where there's a "Manage Domain Wide Delegation" link at the bottom.
Solution 3:[3]
I had the same issue and it took me a while to realise what I was missing. I had already set Domain-wide authority in the service account setting. However, I had not added the clientid and API scope (e.g https://www.googleapis.com/auth/gmail.send, or https://mail.google.com/) in the Domain security settings, as per the link and screenshot below.
https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority
Specifically, these steps:
Solution 4:[4]
In my case authorization was given to an old client id in https://admin.google.com/
After providing the scopes with correct client ID it started to work. (Use the guide link mentioned by DalmTo in above answer.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | DaImTo |
| Solution 2 | |
| Solution 3 | Shane |
| Solution 4 | antonD |