There are two ways to connect to Gmail -- with your login credentials or with OAuth. You will first need to enable client access to Gmail over IMAP.
Enable IMAP
The provider communicates with Gmail through the IMAP protocol. IMAP enables all your client client devices to work with the same, remote data, instead of individual copies. Follow the steps below to enable access to Gmail over IMAP:
- Open the Gmail Web interface and click the Settings button (the icon is a gear).
- On the Forwarding and POP/IMAP tab, select Enable IMAP.
- Save your changes.
Login Authentication
This approach is suitable if you will be accessing your own data. Set the User and Password properties, under the Authentication section, to valid Gmail user credentials.
OAuth Authentication
Use the OAuth authentication standard to connect to Gmail. You can authenticate with a user account or with a service account. A service account is required to grant organization-wide access scopes to the provider. The provider facilitates these authentication flows as described below.
Authenticate with a User Account
This approach is suitable if other users will be accessing their own data through the provider as, instead of providing the Password, you can use the OAuth authentication standard. See Using OAuth Authentication in Getting Started for an authentication guide.
Authenticate with a Service Account
Service accounts have silent authentication, without user authentication in the browser. You can also use a service account to delegate enterprise-wide access scopes to the provider.
You need to create an OAuth application in this flow. See Creating a Custom OAuth App in the Getting Started section to create and authorize an app. You can then connect to Gmail data that the service account has permission to access.
After setting the following connection properties, you are ready to connect:
- InitiateOAuth: Set this to GETANDREFRESH.
- OAuthClientId: Set this to the Client Id in your app settings.
- OAuthClientSecret: Set this to the Client Secret in your app settings.
- OAuthJWTCertType: Set this to "PEMKEY_FILE".
- OAuthJWTCert: Set this to the path to the .pem file you generated.
- OAuthJWTCertPassword: Set this to the password of the .pem file.
- OAuthJWTCertSubject: Set this to "*" to pick the first certificate in the certificate store.
- OAuthJWTSubject: Set this to the email address of the user for whom the application is requesting delegate access. Note that delegate access must be granted by an administrator.
- User: Set this to the user of the Gmail account you are connecting to.
When you connect the provider completes the OAuth flow for a service account.
- Creates and signs the JWT with the claim set required by the provider.
- Exchanges the JWT for the access token.
- Saves OAuth values in OAuthSettingsLocation to be persisted across connections.
- Submits the JWT for a new access token when the token expires.
Using OAuth Authentication
You can use the OAuth authentication standard as an alternative to authentication with your user login credentials. OAuth provides authentication flows for user accounts or service accounts. The add-in facilitates this as described below.
Using a User Account to Authenticate to Gmail
The user account flow requires the authenticating user to interact with Gmail via the browser.
Embedded Credentials
See Embedded Credentials to connect with the add-in's embedded credentials and skip creating a custom OAuth app.
Custom Credentials
Instead of connecting with the add-in's embedded credentials, you can register an app to obtain the OAuthClientId and OAuthClientSecret.
When to Create a Custom OAuth App
Creating a custom OAuth app is optional as the add-in is already registered with Gmail and you can connect with its embedded credentials. You might want to create a custom OAuth app to change the information displayed when users log into the Gmail OAuth endpoint to grant permissions to the add-in.
Using a Service Account to Connect to Gmail
Service accounts have silent authentication, without user authentication in the browser. You can also use a service account to delegate enterprise-wide access scopes to the add-in.
You need to create an OAuth application in this flow. You can then connect to Gmail data that the service account has permission to access. See Custom Credentials for an authentication guide.
Creating a Custom OAuth App
See Creating a Custom OAuth App for a procedure.
Create an OAuth App for User Account Authentication
Follow the procedure below to register an app and obtain the OAuthClientId and OAuthClientSecret.
Create a Custom OAuth App: Desktop
Follow the steps below to obtain the OAuthClientId, OAuthClientSecret.
- Log into the Google API Console.
- Click Create Project or select an existing project.
- In the API Manager, click Credentials -> Create Credentials -> OAuth Client Id.
- Select the application type. If you are making a desktop application, select Other.
- Click Create. The OAuthClientId and OAuthClientSecret are displayed.
- Click Library -> Gmail API -> Enable API.
Create an OAuth App for Service Account Authentication
Follow the steps below to create an OAuth application and create a private key:
- Log into the Google API Console.
- Click Create Project or select an existing project.
- In the API Manager, click Credentials -> Create Credentials -> Service Account Key. In the Service Account menu, select New Service Account or select an existing service account. In the Key Type section, select the P12 key type.
- Click Create. The key pair is downloaded and the private key's password is displayed.
- Click Library -> Gmail API -> Enable API.
Embedded Credentials
Enable IMAP
The add-in communicates with Gmail through the IMAP protocol. IMAP enables all your client client devices to work with the same, remote data, instead of individual copies. Follow the steps below to enable access to Gmail over IMAP:
- Open the Gmail Web interface and click the Settings button (the icon is a gear).
- On the Forwarding and POP/IMAP tab, select Enable IMAP.
- Save your changes.
Authenticate using the Embedded OAuth Credentials
Desktop Authentication with the Embedded OAuth App
After setting the following, you are ready to connect:
- User: Set this to the user of the Gmail account.
Authenticate with a User Account
Desktop Authentication with a Custom OAuth App
Follow the steps below to authenticate with the credentials for a custom OAuth app. See Creating a Custom OAuth App.Get and Refresh the OAuth Access Token
After setting the following, you are ready to connect:
- OAuthClientId: Set this to the client Id assigned when you registered your app.
- OAuthClientSecret: Set this to the client secret assigned when you registered your app.
- User: Set this to the user of the Gmail account.
Authenticate with a Service Account
Service accounts have silent authentication, without user authentication in the browser. You can also use a service account to delegate enterprise-wide access scopes to the add-in.
You need to create an OAuth application in this flow. See Creating a Custom OAuth App to create and authorize an app. You can then connect to Gmail data that the service account has permission to access.
After setting the following connection properties, you are ready to connect:
- OAuthClientId: Set this to the Client Id in your app settings.
- OAuthClientSecret: Set this to the Client Secret in your app settings.
- OAuthJWTCertType: Set this to "PEMKEY_FILE".
- OAuthJWTCert: Set this to the path to the .pem file you generated.
- OAuthJWTCertPassword: Set this to the password of the .pem file.
- OAuthJWTCertSubject: Set this to "*" to pick the first certificate in the certificate store.
- OAuthJWTSubject: Set this to the email address of the user for whom the application is requesting delegate access. Note that delegate access must be granted by an administrator.
- User: Set this to the user of the Gmail account you are connecting to.
Customizing the SSL Configuration
Connecting Through a Firewall or Proxy
HTTP Proxies
In addition, to authenticate to an HTTP proxy, set ProxyAuthScheme, ProxyUser, and ProxyPassword, in addition to ProxyServer and ProxyPort.
Other Proxies
Set the following properties:
- To use a proxy-based firewall, set FirewallType, FirewallServer, and FirewallPort.
- To tunnel the connection, set FirewallType to TUNNEL.
- To authenticate, specify FirewallUser and FirewallPassword.
- To authenticate to a SOCKS proxy, additionally set FirewallType to SOCKS5.
Troubleshooting the Connection
To show add-in activity from query execution to network traffic, use Logfile and Verbosity. The examples of common connection errors below show how to use these properties to get more context. Contact the support team for help tracing the source of an error or circumventing a performance issue.
- Authentication errors: Typically, recording a Logfile at Verbosity 4 is necessary to get full details on an authentication error.
- Queries time out: A server that takes too long to respond will exceed the add-in's client-side timeout. Often, setting the Timeout property to a higher value will avoid a connection error. Another option is to disable the timeout by setting the property to 0. Setting Verbosity to 2 will show where the time is being spent.
- The certificate presented by the server cannot be validated: This error indicates that the add-in cannot validate the server's certificate through the chain of trust. If you are using a self-signed certificate, there is only one certificate in the chain.
To resolve this error, you must verify yourself that the certificate can be trusted and specify to the add-in that you trust the certificate. One way you can specify that you trust a certificate is to add the certificate to the trusted system store; another is to set SSLServerCert.