{"id":5304,"date":"2016-03-13T17:19:15","date_gmt":"2016-03-13T15:19:15","guid":{"rendered":"https:\/\/www.limilabs.com\/blog\/?p=5304"},"modified":"2022-05-04T14:14:39","modified_gmt":"2022-05-04T12:14:39","slug":"oauth2-gmail-imap-web-applications-dotnetopenauth","status":"publish","type":"post","link":"https:\/\/www.limilabs.com\/blog\/oauth2-gmail-imap-web-applications-dotnetopenauth","title":{"rendered":"OAuth 2.0 with Gmail over IMAP for web applications (DotNetOpenAuth)"},"content":{"rendered":"\n
Consider using Google.Apis version for desktop applications<\/a> instead of DotNetOpenAuth version.<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n

OAuth <\/strong> is an open protocol to allow secure API authorization in a simple and standard method from desktop and web applications.<\/p>\n\n\n\n

This article describes using OAuth 2.0 to access Gmail IMAP and SMTP servers using .NET IMAP component<\/a> in web application scenario (ASP.NET\/ASP.NET MVC). You can also use OAuth 2.0 for installed applications.<\/a><\/p>\n\n\n\n

DotNetOpenAuth<\/h2>\n\n\n\n

First download the latest version of DotNetOpenAuth – it’s free, open source library that implements OAuth 2.0: http:\/\/www.dotnetopenauth.net<\/a><\/p>\n\n\n\n

Add it as a reference and import namespaces:<\/p>\n\n\n

\n\/\/ c#\n\nusing DotNetOpenAuth.OAuth2;\nusing DotNetOpenAuth.OAuth2.Messages;\nusing DotNetOpenAuth.Messaging;\n<\/pre><\/div>\n\n
\n' VB.NET \n\nImports DotNetOpenAuth.OAuth2\nImports DotNetOpenAuth.OAuth2.Messages\nImports DotNetOpenAuth.Messaging\n<\/pre><\/div>\n\n\n
Register Application<\/h2>\n\n\n\n
Before you can use OAuth 2.0, you must register your application using the Google Developers Console<\/a>. After you’ve registered, go to the API Access tab and copy the “Client ID<\/strong>” and “Client secret<\/strong>” values and specify “Redirect URI<\/strong>“, which you’ll need later.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
At least product name must be specified:<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Now create credentials:<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Specify redirect URI:<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
After you\u2019ve registered, copy the “Client ID<\/strong>” and “Client secret<\/strong>” values, which you\u2019ll need later:<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Now we can define clientID, clientSecret, redirect url and scope variables, as well as Google OAuth 2.0 server addresses. Scope basically specifies what services we want to have access to. In our case it is user’s email address and IMAP\/SMTP access:<\/p>\n\n\n
\nconst string clientID = "12345.apps.googleusercontent.com";\nconst string clientSecret = "XXXYYY111";\nconst string redirectUri = "http:\/\/www.yourdomain.com\/oauth2callback";\n\nAuthorizationServerDescription server = new AuthorizationServerDescription\n    {\n        AuthorizationEndpoint = new Uri("https:\/\/accounts.google.com\/o\/oauth2\/auth"),\n        TokenEndpoint = new Uri("https:\/\/oauth2.googleapis.com\/token"),\n        ProtocolVersion = ProtocolVersion.V20,\n    };\nList<string> scope = new List<string>\n    {\n        GoogleScope.ImapAndSmtp.Name,\n        GoogleScope.UserInfoEmailScope.Name\n    };\n<\/pre><\/div>\n\n\n
Obtain an OAuth 2.0 access token<\/h2>\n\n\n\n
As we are using ASP.NET<\/strong> we’ll use WebServerClient<\/em> class:<\/p>\n\n\n
\nWebServerClient consumer = new WebServerClient(server, clientID, clientSecret);\n\n\/\/ Here redirect to authorization site occurs\nconsumer.RequestUserAuthorization(scope, new Uri(redirectUri));\n<\/pre><\/div>\n\n\n
If you use ASP.NET MVC<\/strong> the last line is different:<\/p>\n\n\n
\n\/\/ Here redirect to authorization site occurs\nOutgoingWebResponse response = consumer.PrepareRequestUserAuthorization(\n    scope, new Uri(redirectUri));\n\nreturn response.AsActionResult();\n<\/pre><\/div>\n\n\n
At this point user is redirected to Google to authorize the access:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
After this step user is redirected back to your website (http:\/\/www.yourdomain.com\/oauth2callback). Following is this callback code. Its purpose is to get a refresh-token and an access-token:<\/p>\n\n\n
\nWebServerClient consumer= new WebServerClient(server, clientID, clientSecret);\nconsumer.ClientCredentialApplicator =\n    ClientCredentialApplicator.PostParameter(clientSecret);\nIAuthorizationState grantedAccess = consumer.ProcessUserAuthorization(null);\n\nstring accessToken = grantedAccess.AccessToken;\n<\/pre><\/div>\n\n\n
An access token is usually valid for a maximum of one hour, and allows you to access the user’s data. You also received a refresh token. A refresh token can be used to request a new access token once the previous expired.<\/p>\n\n\n\n
Access IMAP\/SMTP server<\/h2>\n\n\n\n
Finally we’ll ask Google for user’s email and use LoginOAUTH2<\/em> method to access Gmail’s IMAP server:<\/p>\n\n\n
\nGoogleApi api = new GoogleApi(accessToken);\nstring user = api.GetEmail();\n\nusing (Imap imap = new Imap())\n{\n    imap.ConnectSSL("imap.gmail.com");\n    imap.LoginOAUTH2(user, accessToken);\n\n    imap.SelectInbox();\n    List<long> uids = imap.Search(Flag.Unseen);\n\n    foreach (long uid in uids)\n    {\n        var eml = imap.GetMessageByUID(uid);\n        IMail email = new MailBuilder().CreateFromEml(eml);\n        Console.WriteLine(email.Subject);\n    }\n    imap.Close();\n}\n<\/pre><\/div>\n\n\n
Refreshing access token<\/h2>\n\n\n\n
An access token is usually short lived<\/strong> and valid for a maximum of one hour<\/strong>. The main reason behind this is security and prevention of replay attacks. This means that for long-lived applications you need to refresh the access token.<\/p>\n\n\n\n
In most cases web applications don’t need to refresh access token (they request new one every time), thus when using WebServerClient<\/em> refresh token is not sent. To force sending refresh token you need to set access_type<\/code> url parameter to offline<\/code>:<\/p>\n\n\n
\nAuthorizationServerDescription authServer = new AuthorizationServerDescription\n{\n    AuthorizationEndpoint =\n        new Uri(\"https:\/\/accounts.google.com\/o\/oauth2\/auth?access_type=offline\"),\n    ...\n};\n<\/pre><\/div>\n\n\n
Your refresh token will be sent only once – don’t loose it!<\/strong><\/p>\n\n\n\n
We recommend storing entire IAuthorizationState<\/em> object received from WebServerClient.ProcessUserAuthorization<\/em> method call. This object contains both: refresh token and access token, along with its expiration time.<\/p>\n\n\n\n
The process of refreshing access token is simple:<\/p>\n\n\n
\nIAuthorizationState grantedAccess = ...\nconsumer.RefreshAuthorization(grantedAccess, TimeSpan.FromMinutes(20));\n<\/pre><\/div>\n\n\n
In the example above the access token will not be refreshed if its remaining lifetime exceeds 20 minutes.<\/p>\n\n\n\n
Retrieving lost refresh token<\/h2>\n\n\n\n
When your application receives a refresh token, it is important to store that refresh token for future use. If your application loses the refresh token, it will have to re-prompt the user for consent before obtaining another refresh token.<\/p>\n\n\n\n
You’ll need to add approval_prompt=force<\/code> to your parameters:<\/p>\n\n\n
\nAuthorizationServerDescription authServer = new AuthorizationServerDescription\n {\n     AuthorizationEndpoint =\n          new Uri(\"https:\/\/accounts.google.com\/o\/oauth2\/auth?access_type=offline&approval_prompt=force\"),\n     ...\n };\n<\/pre><\/div>","protected":false},"excerpt":{"rendered":"
Consider using Google.Apis version for desktop applications instead of DotNetOpenAuth version. OAuth is an open protocol to allow secure API authorization in a simple and standard method from desktop and web applications. This article describes using OAuth 2.0 to access Gmail IMAP and SMTP servers using .NET IMAP component in web application scenario (ASP.NET\/ASP.NET MVC). […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-5304","post","type-post","status-publish","format-standard","hentry","category-news"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.limilabs.com\/blog\/wp-json\/wp\/v2\/posts\/5304"}],"collection":[{"href":"https:\/\/www.limilabs.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.limilabs.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.limilabs.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.limilabs.com\/blog\/wp-json\/wp\/v2\/comments?post=5304"}],"version-history":[{"count":13,"href":"https:\/\/www.limilabs.com\/blog\/wp-json\/wp\/v2\/posts\/5304\/revisions"}],"predecessor-version":[{"id":6206,"href":"https:\/\/www.limilabs.com\/blog\/wp-json\/wp\/v2\/posts\/5304\/revisions\/6206"}],"wp:attachment":[{"href":"https:\/\/www.limilabs.com\/blog\/wp-json\/wp\/v2\/media?parent=5304"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.limilabs.com\/blog\/wp-json\/wp\/v2\/categories?post=5304"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.limilabs.com\/blog\/wp-json\/wp\/v2\/tags?post=5304"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}