Integrating Google OAuth 2.0 User Authentication into Your App

This guide emphasizes the pivotal role of user authentication in modern applications and introduces Google OAuth 2.0 as a secure and reliable way to integrate email into your app.

Understanding Google OAuth 2.0

Google OAuth 2.0 is an advanced authentication protocol that addresses the limitations of traditional username and password authentication. It allows applications to access user data stored on Google’s servers securely, without requiring users to share their passwords.

Access and refresh tokens are key components of Google OAuth 2.0. Access tokens provide temporary authorization for applications to access specific user resources, while refresh tokens enable the renewal of access tokens without the need for users to re-enter their credentials. Understanding these tokens is crucial for building secure authentication systems within applications.

Authenticate Google Accounts for Email Integration into Your Software

Learn the process of authenticating Google accounts to seamlessly integrate email functionality into your application.

Setting Up OAuth Credentials

Accessing the Google API Console: Steps to navigate and set up your project in the Google API Console.
Enabling APIs: Guidance on enabling the Gmail API, for integrating email functionality into your project.
Creating Authorization Credentials: Detailed instructions for creating the required authorization credentials.

Understanding Access Tokens

Access tokens serve as unique identifiers granting access to user data and functionalities across various Google APIs. These tokens are versatile, capable of providing varying degrees of access to multiple APIs. The scope of access tokens is determined by the permissions granted to them, ensuring restricted access to specific resources and operations based on the authorized scopes.

Managing Scopes

Scopes dictate the extent of data and functionalities accessible by a user’s access token. Upon logging in with their Google account, users are prompted to consent to the scopes requested by your app. If permissions are granted, the Google authorization server issues an access token to your app, specifying the scopes it encompasses. This consent process allows users to control the level of access granted to their data, ensuring privacy and security.

API Requests and Refresh Token Management

Upon acquiring an access token, your application can send HTTP requests to the relevant Google APIs, passing the token in the Authorization header as a bearer token, as Google recommends. Access tokens have finite lifespans, however, so refresh tokens are needed to extend access beyond the initial token’s expiration. Refresh tokens should be stored securely for prolonged use and exchanged for new access tokens when needed.

Unipile Google Integration Made Effortless

Unipile simplifies the process of integrating with Gmail. With Unipile, you can swiftly establish a comprehensive email integration, significantly reducing development time compared to direct integrations with Google APIs.


Redirect to Unipile Hosted Auth
Your app redirects the user to Unipile Hosted Auth and specifies the desired permissions for emails.


Automatic Provider Detection
Unipile automatically detects the email provider and initiates the appropriate authentication process. For Google accounts, this starts the Google OAuth consent procedure.


Retrieval of Authentication Credentials
After the user logs into their account, Unipile redirects them back to your app with the proper OAuth credentials.


Use of Access Tokens
Your app uses the access tokens to make requests to Unipile’s Email APIs on behalf of the user.

Top Advantages of Choosing Unipile’s Hosted Auth for Email Integration

Unipile’s Hosted Auth offers a frictionless, secure, and adaptable email integration experience, enhancing both developer and user efficiency.

One Link Hosted Auth vs. Full OAuth Flow

Hosted Auth with Unipile streamlines the email integration by automating provider detection and authentication, which significantly reduces development complexity and saves time. This modern approach not only simplifies the initial setup but also ensures continuous connection reliability and security, freeing developers to focus on creating a better user experience rather than managing backend intricacies.

import { UnipileClient } from "unipile-node-sdk";

// Your DSN and access token are shown in the Unipile Dashboard.
const client = new UnipileClient('https://{YOUR_DSN}', '{YOUR_ACCESS_TOKEN}');

// Connect a Gmail account (the connection parameters are elided on this page).
await client.account.connectGmail({ /* ***** */ });

// Retrieve messages through the Unipile API on behalf of the connected user.
const messages = await client.messaging.getAllMessages();

Security

Enhance data protection as Unipile’s Hosted Auth manages sensitive credentials, reducing the security burden on your system.

Integration

Enjoy seamless integration with various email providers through Unipile’s universal compatibility, regardless of domain or service.

Maintenance

Reduce ongoing maintenance efforts since Unipile’s Hosted Auth automatically adapts to provider changes or updates.

Efficiency

Accelerate development with Unipile’s one-click Hosted Auth, bypassing the complex setup of traditional OAuth flows.

Usability

Provide a user-friendly authentication experience with a single link, avoiding multiple redirect steps for users.

Optimize Your Email Feature Set with Google OAuth Integration

Explore Unipile’s Premier Feature Set


List Email
Retrieve email lists from various addresses seamlessly for app integration.


Start New Email
Easily initiate the composition of new emails, complete with attachments, directly from your application.


List and Get Label
Manage Gmail labels effectively with the ‘List’ and ‘Get’ functions to organize emails better.


Webhook Notifications
Implement webhooks to receive automatic alerts for specific events, ensuring your application stays in sync and scalable.

Google OAuth Setup for Unipile

1. Google's New OAuth Verification Process Overview

Google has an OAuth verification process that requires third-party applications to submit an application to Google verifying their use of Google user data. You need to undergo Google’s app verification process, application whitelisting, and/or a security assessment.
While we are not experts in building and configuring Google Projects, we aim to assist you based on our experience supporting other Unipile clients through the verification process.
Feel free to reach out for guidance as you navigate the ever-changing terrain of Google’s requirements and ensure a seamless integration of Google APIs into your application via Unipile.

To begin your development, you must complete the initial phase, which involves “Creating a Google Developers Console Account and Project”. Once your development is complete, you can then proceed to the second phase: “Generate your Demonstration Video”. Following that, you can move on to “Whitelisting & Security Review for Restricted Scopes”.

2. Create Google Developers Console Account and Project

Sign up on the Google Developers Console and either create a new project or use an existing Google project.

3. Navigation Menu - APIs & Services - 'Credentials'

Navigate to the ‘Credentials’ section in the Google Developers Console and create ‘OAuth Client ID’ credentials to gain access to your enabled APIs:

  • Application type: Web application
  • Name: your internal name
  • Authorised redirect URIs: add both of the following (your DSN is shown in the top right of the Unipile Dashboard; the examples assume the DSN https://api1.unipile.com:13211):
    • https://{{YOUR_DSN}}/api/v1/hosted/google_auth_request_callback, for example https://api1.unipile.com:13211/api/v1/hosted/google_auth_request_callback
    • https://{{YOUR_DSN less port}}/api/v1/hosted/google_auth_request_callback/port{{YOUR_DSN less domain}}, for example https://api1.unipile.com/api/v1/hosted/google_auth_request_callback/port13211

Click “CREATE”, then add the Client ID and Client Secret to Unipile Dashboard > Settings > Google OAuth.

4. Navigation Menu - APIs & Services - Library

Go to the ‘Library’ section in the Google Developers Console.
Enable Required API Libraries:
Search for and enable all API Libraries that your application will need: Gmail API

5. Navigation Menu - APIs & Services - OAuth Consent Screen

Throughout the implementation, you may keep your Google Project in different states:

  • ‘User Type’ as ‘Internal’: in this mode, your app is limited to Google Workspace users within your organization.
  • ‘User Type’ as ‘External’ & ‘Publishing Status’ as ‘In Testing’: while ‘In Testing’, you need to add Test Users, and tokens expire after 7 days, requiring users to re-authenticate.

See Google’s documentation for more information on Publishing Status and on User Types.

Ensure that you select the appropriate User Type and Publishing Status based on your project’s testing and deployment phase.

6. Navigation Menu - APIs & Services - Enabled APIs and Services

Access the ‘Enabled APIS and Services’ section in the Google Developers Console.
Check Enabled APIs: Review and verify the full list of APIs you have enabled within your Google Project.
The Dashboard provides an overview of all the enabled APIs, allowing you to confirm the status of your selected APIs for your project. Use this section to ensure that the necessary APIs are enabled for a seamless integration with your application.

 

7. OAuth Consent Screen Section - App Information

Ensure the following information is provided:

Enter Your Application Name: Specify your application name.
User Support Email: Include an email address for users to contact with questions about their consent. We recommend using an alias or distribution list with the relevant parties included.
Add Your App Logo: Upload your application logo for visual identification.

Completing this information in the OAuth consent screen section is essential for users to understand and trust your application during the consent process. Include accurate details and branding elements for a smooth user experience.

8. OAuth consent screen section - App Domain

Provide the following information under the App Domain section:

Application Homepage URL: Add the URL for your application’s homepage.
Ensure that it is a true homepage and not just a ‘login’ page.
Application Privacy Policy Link: Include a link to your application’s Privacy Policy.
Important: Ensure your legal team reviews the Privacy Policy to meet Google’s specific requirements, particularly the ‘Limited Use’ requirements of Google’s user data policy.
Application Terms of Service Link: Add a link to your application’s Terms of Service.

9. OAuth consent screen section - Authorized Domains

Follow these steps to add authorized domains:

  • Add your app domain utilized in your Google Project. Ensure your domain is the production-level one, not the dev/staging domain.
  • Add unipile.com domain

10. OAuth consent screen section - Developer Contact Information
  • Enter an Email Address:
    • Provide an email address for developer contact information.
    • Important: This should be a distribution list email address, ensuring all relevant parties receive Google Verification-related emails and notifications about any changes to your project. Keep this distribution list up-to-date as team members come and go.
  • Post-Verification Monitoring:
    • After submission for verification, closely monitor the Google project for any action items from Google.
    • Note: Google sends emails to this address, but they may end up in spam folders or be blocked by servers. Regularly check for updates to avoid missing important communications.

Make sure to enter an actively monitored and regularly checked email address to stay informed about your Google project’s status and any required actions post-verification.

11. Scopes section

Follow these steps to add the required scopes:

  • Click the ‘ADD OR REMOVE SCOPES’ button to open the menu.
  • Add the following scopes (if they don’t appear in the list, refresh the page):
    ./auth/gmail.send
    ./auth/gmail.labels
    ./auth/gmail.readonly
    ./auth/gmail.modify (not needed if you don’t want to move or delete email; you will have to demonstrate to Google that you really use it, so let us know and we will remove it from your Unipile account manually)
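
The redirect URIs from step 3 and the scopes from step 11 are the Google-side inputs that Hosted Auth assembles for you. The following JavaScript is an added example, not Unipile’s code or SDK: it shows how those inputs fit Google’s standard web-server OAuth flow (authorization URL, state check on the callback, bearer header, and refreshing before expiry) if you ran that flow yourself. The DSN, client ID and token values are constructed placeholders; the endpoint and parameter names are Google’s documented ones.

```javascript
// Added example: the Google-side inputs this page lists (redirect URIs, Gmail
// scopes, bearer/refresh handling) assembled as in Google's web-server OAuth
// flow. Not Unipile's SDK. DSN, client id and token values are placeholders.

// Full scope URIs behind the abbreviated ".../auth/gmail.*" names in the console.
const GMAIL_SCOPES = {
  send: "https://www.googleapis.com/auth/gmail.send",
  labels: "https://www.googleapis.com/auth/gmail.labels",
  readonly: "https://www.googleapis.com/auth/gmail.readonly",
  modify: "https://www.googleapis.com/auth/gmail.modify", // restricted: only if you move/delete mail
};

const CALLBACK_PATH = "/api/v1/hosted/google_auth_request_callback";

// Both authorised redirect URIs derived from one DSN such as
// "https://api1.unipile.com:13211": one keeps the port in the host, the other
// moves it into the path. Google only redirects to URIs registered exactly.
function buildRedirectUris(dsn) {
  const u = new URL(dsn);
  if (u.protocol !== "https:") throw new Error("DSN must use https");
  const uris = [`https://${u.host}${CALLBACK_PATH}`];
  if (u.port) uris.push(`https://${u.hostname}${CALLBACK_PATH}/port${u.port}`);
  return uris;
}

// Authorization URL for Google's web-server flow. access_type=offline with
// prompt=consent is what makes Google return a refresh token; state must be a
// cryptographically random per-session value (e.g. from crypto.randomBytes)
// that the callback handler checks before exchanging the code.
function buildAuthUrl({ clientId, redirectUri, scopes, state }) {
  const url = new URL("https://accounts.google.com/o/oauth2/v2/auth");
  const params = {
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: "code",
    scope: scopes.join(" "),
    access_type: "offline",
    prompt: "consent",
    state,
  };
  for (const [k, v] of Object.entries(params)) url.searchParams.set(k, v);
  return url.toString();
}

// Callback validation: reject any callback whose state is not the one we issued,
// and surface Google's error parameter instead of treating it as success.
function checkCallback(query, expectedState) {
  if (!query.state || query.state !== expectedState) throw new Error("state mismatch");
  if (query.error) throw new Error(`authorization denied: ${query.error}`);
  if (!query.code) throw new Error("missing authorization code");
  return query.code;
}

// Token bookkeeping from Google's token response (expires_in is in seconds).
// The refresh token is the long-lived secret: keep it encrypted at rest, never log it.
function recordToken(tokenResponse, issuedAtMs) {
  return {
    accessToken: tokenResponse.access_token,
    refreshToken: tokenResponse.refresh_token,
    expiresAtMs: issuedAtMs + tokenResponse.expires_in * 1000,
  };
}

// Refresh shortly before expiry rather than after a 401, with a clock-skew margin.
function needsRefresh(token, nowMs, skewSeconds = 60) {
  return nowMs >= token.expiresAtMs - skewSeconds * 1000;
}

// Bearer header for Gmail API calls, as the page describes.
function authHeader(token) {
  return { Authorization: `Bearer ${token.accessToken}` };
}
```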

12. Generate your Demonstration Video

You may proceed with this step only once your integration is fully completed and operational in production.

Produce and host a demonstration video that adheres to Google’s stipulations. To validate your app with Google, you must also submit a video showcasing your app’s functionality. This video should be uploaded as an ‘Unlisted’ YouTube video for verification purposes, and only one video link is permissible.

Before crafting the video, confirm that:

  • Your app and OAuth flow are presented in English, as indicated in Google documentation under “Apps requesting sensitive scopes” and “Apps requesting restricted scopes.”
  • The demonstration is conducted on a production-level domain.
  • In your Google Project settings, under Navigation Menu -> APIs & Services -> OAuth Consent Screen:
    • Publishing status is set to “In Production.”
    • User Type is designated as “External.”

Authentication

  • Display your application’s homepage with the complete URL, emphasizing its production status.
  • Illustrate how a Google customer can connect their account, emphasizing the use of the official Google sign-in button.
  • During the authentication flow, when presenting the OAuth process screen, highlight the URL and drag across to reveal the CLIENT ID in the URL.

Functionality

  • Sequentially showcase each set of scopes being requested, tailoring them to your specific use case.
  • Demonstrate bi-directional functionality by showing synchronization between your application and Gmail. Use separate tabs to toggle between your application and each relevant section of Gmail. For example, send an email through your application and show the change synced in the Sent mail list on Gmail, and in the other direction display the receipt of an incoming email within your app.

By following these guidelines, your demo video will effectively convey the authentication process and the functional capabilities of your application in sync with Google services.

After creating your video demo and ensuring it complies with all the criteria outlined, share the YouTube video URL with us. We can assist in the review process, or you can proceed to submit your app for verification directly.

Please note the following steps:

  • Add the final video to your Google Project as an ‘unlisted’ YouTube video link.
  • Submit the YouTube video URL to your Customer Success Manager for review.
  • Following the review, proceed with the app verification submission.

Keep in mind that the verification process duration may vary. After submission, it can take anywhere from 2 to 8 weeks, depending on Google’s submission queue and the number of remediation rounds they deem necessary. Stay informed and coordinate with us throughout the verification process.

13. Whitelisting & Security Review for Restricted Scopes

If your application utilizes restricted scopes, additional steps are required. Here’s a brief overview of what to anticipate:

Google Security Assessment

To ensure the security of user data, apps requesting access to restricted-scope Google user data must undergo a security assessment. This assessment is crucial for verifying that all apps accessing Google user data can handle data securely and delete user data upon request. The detailed assessment process is outlined on the CASA (Cloud Application Security Assessment) site.

Google categorizes your app as either Tier 2 or Tier 3:

  • Tier 2 (Self Scanned – Lab Verified), the most common: free or paid (third-party assessor) options; see the CASA Tier 2 process.
  • Tier 3 (Lab Scanned – Lab Verified): paid, and must be completed by a third-party assessor.

After receiving your Tier classification, Google will provide instructions and tools for completing the assessment. Refer to Google’s Security Assessment information and scroll down to the Security Assessment FAQs for more detail. Ensure compliance with this process to demonstrate your app’s capability to handle user data securely when utilizing restricted scopes.

Yearly Security Re-assessment for Apps with Restricted Scopes

Apps that access restricted scopes must undergo a yearly re-verification process for compliance and complete a security assessment every 12 months to maintain access to verified restricted scopes. This process ensures ongoing adherence to security standards and safeguards user data.

If, at any point, you introduce a new restricted scope that hasn’t been previously assessed and approved, your app may require reassessment at that time.

The Google review team will initiate contact via email when it’s time for your app to recertify. It is crucial to keep your Project Owner and Project Editor information up-to-date in your Cloud Console. This ensures that the right members of your team receive notifications about this annual enforcement, allowing for timely and smooth compliance with the re-assessment requirements. Stay vigilant and promptly respond to communications from Google to uphold the security and compliance of your app. Check Google’s FAQ for more information.

Whitelisting Option

If you prefer an alternative to the standard verification and security review processes, you have the option to have your application whitelisted. This allows you to bypass the usual procedures, but it is important to note that this option is applicable only if your application meets very specific criteria. While most use cases do not fulfill these criteria, we have outlined the requirements below for you to assess whether whitelisting might be suitable for your application.

Requirements:

  • Majority of customers using Google Workspace: the majority of your customers should use Google Workspace (formerly G Suite) accounts, i.e., have email addresses of the form @company.com. Whitelisting requires action by the end users’ administrators to allow access: you need to give your users’ administrators your Google project Client ID, and they have to open their admin console (https://admin.google.com/ac/owl/list?tab=configuredApps) and allow your client_id.
  • Limited personal Gmail account usage: fewer than 100 personal Gmail accounts (@gmail.com addresses) should be able to authenticate through this flow. Unverified projects have a 100 (lifetime) user limit per project. When whitelisted, Google Workspace accounts do not count against this limit, but personal Gmail accounts always do.
  • Free trial users and whitelisting: free trial users must use their Workspace email address and whitelist the application.

Keep in mind that whitelisting is a workaround solution and might not be suitable for all use cases. Evaluate these requirements carefully to determine if your application aligns with the criteria for whitelisting. If so, take the necessary steps to meet these requirements and explore this alternative approach.

Explore All of Unipile’s Gmail Integration Features

Email Features

Feature                                                  Gmail   Outlook   IMAP
Account connection
  Hosted Auth: white-label email auth                    yes     yes       yes
  Custom auth: connect user with credentials             -       -         yes
  Gmail or Microsoft OAuth: use your app’s OAuth screen  yes     yes       -
Send/Receive
  Email sending API                                      yes     yes       yes
  Email listing API                                      yes     yes       yes
Organize
  Email deletion API                                     yes     yes       yes
  Email moving API                                       yes     yes       yes
  Email folder listing API                               yes     yes       yes
  Email folder retrieval API                             yes     yes       yes
Webhooks
  Email webhook for new messages                         yes     yes       yes
  Email open and click tracking API                      yes     yes       yes

Explore Further with Microsoft OAuth in Unipile

Microsoft OAuth

For integrating Microsoft accounts with Unipile through OAuth, your initial step is to set up your application within Azure Active Directory (AAD). After this, you’ll need to adjust the settings in Unipile to recognize your AAD app ID. Should you face any issues during the Azure AD registration process, please reach out to us for guidance and support!

FAQs

What is Google OAuth 2.0 and why is it important for email integration?

Google OAuth 2.0 is a modern authentication protocol that allows applications to access user data on Google’s servers securely without needing the user’s password. It’s crucial for email integration because it ensures secure and reliable user authentication, enhancing the app’s security and user trust.

How does Unipile use Google OAuth 2.0 for seamless email integration?

Unipile leverages Google OAuth 2.0 to authenticate users and obtain the necessary permissions to access their email data. This process includes automatic provider detection and simplified OAuth credential management, significantly reducing integration complexity and development time.

What are the benefits of using Unipile’s Hosted Auth for integrating email services?

Unipile’s Hosted Auth provides a frictionless integration process, ensuring security and adaptability while enhancing developer and user efficiency. It simplifies the authentication process, manages sensitive credentials, and supports seamless integration across various email providers.

How do access tokens and refresh tokens work in Google OAuth 2.0?

In Google OAuth 2.0, access tokens grant temporary authorization to access user-specific resources, while refresh tokens allow the renewal of these access tokens without requiring the user to re-authenticate. This mechanism ensures continuous access to the user’s data with minimal interruption.

Can Unipile handle real-time updates in my application?

Yes, Unipile can integrate webhook notifications to provide real-time updates to your application. These webhooks alert the app automatically when specific events occur, such as receiving new emails, thereby keeping the app in sync with the user’s email activity and ensuring a scalable and responsive integration.
