GMail API Super Admin access other users accounts via API?


My institution has been running Google Apps for Education since early 2009. I’m responsible for creating, deleting, modifying, etc., student email accounts. I’ve converted all my existing C# applications from GData to the new Admin SDK - life is good.

Last week one of the departments sent out an email to roughly 800 students that contained an error. I was asked if it’s possible to create a quick application that is able to remove the email from the 800 students' inboxes.

Using my “Super Admin” domain account I was able to create an application using the Gmail API to go into my inbox and select particular emails that matched specific criteria, for example: from:[email protected] AND is:unread AND subject:test. I was able to return a collection of message IDs, which I can then delete from the inbox – GREAT!

Since I was able to do this on my inbox I figured I’d conduct another test and plug in one of those 800 email addresses and get the same result. Unfortunately I received this error message:

Error: Google.Apis.Requests.RequestError Delegation denied for [email protected] [403] Errors [ Message[Delegation denied for [email protected]] Location[ - ] Reason[forbidden] Domain[global] ]

I did read something on account delegation but that would require a request being sent from my “Super Admin” account and the student accepting it.

Could it be that the “Super Admin” of the domain doesn’t have these permissions on any inbox except for their own? I’ve tried reading posts and Google’s documentation but I cannot seem to find an answer on this topic.

The Gmail API is enabled in the developers console for this desktop application.

The service account I’m using is authorized and in the C# application is using the correct Scopes:

Scopes = new[] {
    "https://mail.google.com",
    GmailService.Scope.GmailCompose,
    GmailService.Scope.GmailInsert,
    GmailService.Scope.GmailLabels,
    GmailService.Scope.GmailModify,
    GmailService.Scope.GmailReadonly,
    GmailService.Scope.MailGoogleCom,
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile"},

My C# Code:

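// Collect every message in the target mailbox that matches the search query.
List<Google.Apis.Gmail.v1.Data.Message> result = new List<Google.Apis.Gmail.v1.Data.Message>();

UsersResource.MessagesResource.ListRequest request = GoogleToken.GoogleService().Users.Messages.List("[email protected]");

request.Q = " from:[email protected] AND is:unread AND subject:test ";

do
{
    try
    {
        ListMessagesResponse response = request.Execute();
        // Messages is null when a page contains no matches.
        if (response.Messages != null)
        {
            result.AddRange(response.Messages);
        }
        request.PageToken = response.NextPageToken;
    }
    catch (Exception eX)
    {
        Debug.WriteLine("Error: " + eX.Message);
        // Stop paging; otherwise a failure on a later page would repeat forever.
        break;
    }
}
while (!String.IsNullOrEmpty(request.PageToken));

Debug.WriteLine("Done");
Debug.WriteLine(result);
} // closes the enclosing method, whose opening is not shown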

There are 2 answers

1
ND003 On

In order to access other users' accounts, each user will have to authenticate and authorize your application to access the particular scope.

Once done, you will get an authorization token, which you can use to get a refresh token.

You can then use these refresh tokens and access the accounts unless the users revoke access.

However, you cannot avoid that one time activity of each user accepting to provide access to your application.

0
Eric D On

You cannot authenticate as yourself and get access to other mailboxes, even if you are an admin in the domain. HOWEVER, as a domain admin, you can whitelist your app to access all users in the domain. It involves using a service account with domain wide delegation. You need to whitelist your app in the Google Apps Cpanel and use a slightly different auth flow. See: https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority

Though really, email mistakes happen, just have them reply with a followup to correct the misinformation. Going and deleting the email from their mailbox, even if it's possible, seems like a really bad idea from a "user trust" perspective (what happens if you have a bug and delete the wrong mail!)--has someone tried reasoning with said person about this idea? :-D Users that have already seen the email may be worried/confused when it just disappears, etc.
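
The service-account flow with domain-wide delegation that the answer above points to, sketched in C# with the Google.Apis.Gmail.v1 client library; this is an added example, not code from the question or either answer. It assumes the service account's client ID has been authorized for the read-only Gmail scope in the admin console, and the key file path, addresses, query and application name are placeholders.

```csharp
using System;
using System.Collections.Generic;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Gmail.v1;
using Google.Apis.Gmail.v1.Data;
using Google.Apis.Services;

static class DelegatedMailboxSearch
{
    // Assumption: JSON key of a service account with domain-wide delegation.
    const string KeyFile = "service-account-key.json";            // placeholder path
    // Request only the scope the job needs; listing needs read-only access.
    static readonly string[] Scopes = { GmailService.Scope.GmailReadonly };

    // Builds a Gmail client that acts as one specific user of the domain.
    static GmailService ServiceFor(string userEmail)
    {
        GoogleCredential credential = GoogleCredential.FromFile(KeyFile)
            .CreateScoped(Scopes)
            .CreateWithUser(userEmail);   // impersonated user ("sub" claim of the JWT)
        return new GmailService(new BaseClientService.Initializer
        {
            HttpClientInitializer = credential,
            ApplicationName = "mailbox-search-example"             // placeholder
        });
    }

    // Returns the IDs of all messages in that user's mailbox matching the query.
    static List<string> FindMessageIds(GmailService service, string query)
    {
        var ids = new List<string>();
        var request = service.Users.Messages.List("me");  // "me" = impersonated user
        request.Q = query;
        do
        {
            ListMessagesResponse response = request.Execute();
            if (response.Messages != null)                 // null when nothing matches
                foreach (Message m in response.Messages) ids.Add(m.Id);
            request.PageToken = response.NextPageToken;
        } while (!string.IsNullOrEmpty(request.PageToken));
        return ids;
    }

    static void Main()
    {
        string student = "student@example.edu";                           // placeholder
        string query = "from:sender@example.edu is:unread subject:test";  // placeholder
        using (GmailService service = ServiceFor(student))
            foreach (string id in FindMessageIds(service, query))
                Console.WriteLine($"{student}: {id}");   // lists only; nothing is modified
    }
}
```

A new credential is built per mailbox because the impersonated user is fixed when the token is requested; a token issued for one user is rejected for another mailbox.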