My institution has been running Google Apps for Education since early 2009. I’m responsible for creating, deleting, modifying, etc., student email accounts. I’ve converted all my existing C# applications from GData to the new Admin SDK - life is good.
Last week one of the departments sent out an email to roughly 800 students that contained an error. I was asked if it’s possible to create a quick application that is able to remove the email from the 800 students’ inboxes.
Using my “Super Admin” domain account I was able to create an application using the Gmail API to go into my inbox and select particular emails that matched specific criteria, for example: from:[email protected] AND is:unread AND subject:test
I was able to return a collection of message IDs, which I can then delete from the inbox – GREAT!
Since I was able to do this on my inbox I figured I’d conduct another test and plug in one of those 800 email addresses and get the same result. Unfortunately I received this error message:
Error: Google.Apis.Requests.RequestError Delegation denied for [email protected] [403] Errors [ Message[Delegation denied for [email protected]] Location[ - ] Reason[forbidden] Domain[global] ]
I did read something on account delegation but that would require a request being sent from my “Super Admin” account and the student accepting it.
Could it be that the “Super Admin” of the domain doesn’t have these permissions on any inbox except for their own? I’ve tried reading posts and Google’s documentation but I cannot seem to find an answer on this topic.
The Gmail API is enabled in the developers console for this desktop application.
The service account I’m using is authorized, and the C# application is using the correct scopes:
    Scopes = new[] {
        "https://mail.google.com",
        GmailService.Scope.GmailCompose,
        GmailService.Scope.GmailInsert,
        GmailService.Scope.GmailLabels,
        GmailService.Scope.GmailModify,
        GmailService.Scope.GmailReadonly,
        GmailService.Scope.MailGoogleCom,
        "https://www.googleapis.com/auth/userinfo.email",
        "https://www.googleapis.com/auth/userinfo.profile"},
My C# Code:
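    // Requires: using System; using System.Collections.Generic; using System.Diagnostics;
    //           using Google.Apis.Gmail.v1; using Google.Apis.Gmail.v1.Data;

    // Collect every message in the target mailbox that matches the search query.
    List<Google.Apis.Gmail.v1.Data.Message> result = new List<Google.Apis.Gmail.v1.Data.Message>();
    UsersResource.MessagesResource.ListRequest request = GoogleToken.GoogleService().Users.Messages.List("[email protected]");
    request.Q = " from:[email protected] AND is:unread AND subject:test ";
    do
    {
        try
        {
            ListMessagesResponse response = request.Execute();
            // Messages is null when a page contains no matches.
            if (response.Messages != null)
            {
                result.AddRange(response.Messages);
            }
            request.PageToken = response.NextPageToken;
        }
        catch (Exception eX)
        {
            Debug.WriteLine("Error: " + eX.Message);
            // Stop paging: retrying with an unchanged page token would loop forever.
            break;
        }
    }
    while (!String.IsNullOrEmpty(request.PageToken));
    Debug.WriteLine("Done");
    Debug.WriteLine(result);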
In order to access other users’ accounts, each user will have to authenticate and authorize your application to access the particular scope.
Once done, you will get an authorization token, which you can use to get a refresh token.
You can then use these refresh tokens to access the accounts unless the users revoke access.
However, you cannot avoid that one-time activity of each user accepting to provide access to your application.
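The per-user consent flow described in the answer above, as an added example that is not part of the original posts: each user authorizes once, the refresh token is cached on disk under that user's key, and later runs reuse it until the user revokes access. The class and method names, the `client_secret.json` file and the token folder name are assumptions; only the `gmail.modify` scope is requested, which is enough to move messages to Trash.

```csharp
using System.Collections.Generic;
using System.IO;
using System.Threading;
using System.Threading.Tasks;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Gmail.v1;
using Google.Apis.Services;
using Google.Apis.Util.Store;

static class PerUserCleanup   // hypothetical class, not from the original post
{
    // First call for a given user opens the consent page; later calls reuse
    // the refresh token cached under that user's key in the data store.
    public static async Task<GmailService> AuthorizeAsync(string userEmail)
    {
        using (var stream = new FileStream("client_secret.json", FileMode.Open, FileAccess.Read))
        {
            UserCredential credential = await GoogleWebAuthorizationBroker.AuthorizeAsync(
                GoogleClientSecrets.FromStream(stream).Secrets,
                new[] { GmailService.Scope.GmailModify },   // can trash, cannot delete permanently
                userEmail,
                CancellationToken.None,
                new FileDataStore("GmailCleanupTokens"));   // assumed folder name
            return new GmailService(new BaseClientService.Initializer
            {
                HttpClientInitializer = credential,
                ApplicationName = "Mail cleanup example"
            });
        }
    }
    // Collects all matching IDs first, then trashes them, so paging is not
    // disturbed by messages leaving the result set. "me" = the authorized user.
    public static int TrashMatching(GmailService service, string query)
    {
        var ids = new List<string>();
        var request = service.Users.Messages.List("me");
        request.Q = query;
        do
        {
            var response = request.Execute();
            if (response.Messages != null)
                foreach (var m in response.Messages) ids.Add(m.Id);
            request.PageToken = response.NextPageToken;
        } while (!string.IsNullOrEmpty(request.PageToken));
        foreach (string id in ids)
            service.Users.Messages.Trash("me", id).Execute();
        return ids.Count;
    }
}
```

Trashed messages stay recoverable from the user's Trash, which leaves room to undo a query that matched more than intended.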