... still work in progress ...
The "Allow Mail" functionality now implements "Gmail API" integration via "OAuth2 Google Cloud authentication", using a "Google Service Account" for "impersonation" with "Domain Wide Delegation", for any email sent out from the farmerswife (fw) Server app!
Background: Gmail deprecated "basic" authentication in Q3 2024!
The previously working "Gmail > App Password" no longer works!
Requires:
- You need to use a "Google Business" account in order to be able to use the "Google API" in combination with "Google Service Accounts", "Impersonation", "OAuth2 Google Cloud authentication" and "Domain Wide Delegation". These features are not available in a free Gmail account.
- Before you get started, ensure your Google user has a "Super Admin" Google Cloud Permission level!
- Ensure you can sign in with this user on these two platforms:
Step 1: Create a New Project
Open a web browser and go to the Google Cloud Console: https://cloud.google.com/
At the top, click on the "Select a resource" selector and click on the "NEW PROJECT" button:
Give your Project a unique and recognizable name; e.g. "farmerswifeAllowMailGmailAPI" and click on "CREATE":
Step 2: Create a Service Account
If you are not still there, go to the Google Cloud Console: https://console.cloud.google.com
Make sure you're inside the correct Project you created in the previous step, here called "farmerswifeAllowMailGmailAPI".
In the navigation menu on the left, select: IAM & Admin > Service Accounts.
Click on the CREATE SERVICE ACCOUNT button.
Give your Service Account a descriptive name, e.g. "fwAllowMailGmailAPI-ServiceAccount".
Use the "CREATE AND CONTINUE" button.
Step 2: Grant Service Account access to the Project
You are now on the "Grant this service account access to project" step for "fwAllowMailGmailAPI-ServiceAccount".
Click on the Select a role selector field:
Click on the search bar and write "Service Account User":
Select the role "Service Account User".
This grants basic permissions for the service account to act on your Google Cloud Project's resources.
Click the CONTINUE button. ???
+ added "yourdomainname.com" on "Grant users access to this service account (optional)" on both role options ???
Use the DONE button.
Step 3: Grant user access to the Service Account
Grant users access to this service account (optional)
Before: Generate and Download JSON Private Key
Click on your Service Account.
Go to the KEYS tab of your service account.
Click the ADD KEY button and select Create new key:
Choose the Key type as JSON.
Click CREATE:
A JSON file containing the private key will be downloaded to your local computer.
Save this file securely as it will be used to authenticate your application with Google Cloud!
Keep the JSON private key confidential. Do not share it publicly or embed it directly in your code. Consider storing it securely using Google Cloud Secret Manager.
Step 4: Grant Impersonation Access (Optional)
For your Service Account to impersonate a specific user for Gmail access, you'll need to perform this additional step.
Go to the IAM & Admin > IAM section on your Project.
In the search bar, type the email address of the user you want the service account to impersonate.
Click on the user's email address.
Click the Add another role button.
Search for the role "roles/iam.serviceAccountUser".
Select the role and click the Save button.
Important info (DH: the links are not really good, remove ?!? ):
Enable the Gmail API in the Google Cloud Console for your project before using the service account for Gmail access. (https://www.youtube.com/watch?v=1EOV3AvJ2-s)
Also refer to the official Google documentation for detailed instructions and code samples for using service accounts with the Gmail API: https://support.google.com/mail/answer/138350?hl=en
By following these steps, you'll have a Google Cloud Platform Service Account with the necessary permissions and private key for integrating with the Gmail API using impersonation and OAuth2 authentication.
Remember to prioritize security by properly managing the service account credentials.
Please feel free to send us feedback; you might have an even better way to configure this.
Step 5: Applying the configuration on the fw Server app
After you have created a Google Cloud Platform Service Account within a Project, granted the needed Permissions and downloaded the JSON private key via "Google Cloud IAM & Admin", continue by renaming the generated private JSON file to "google-service-private-key.json" and uploading it to your fw Server app's "system" folder.
You need to use the optional farmerswife Server-side "server.cfg" (more info here) file and modify these 2 new variables:
GMAIL_OAUTH2_ENABLED 1
GMAIL_OAUTH2_IMPERSONATIONEMAIL example@farmerswife.com
In fw Server > Setup > General >
Allow Mail: Yes
Outgoing Mail Server (SMTP):
Sub-menu > Use TLS: No ... it is not in use.
Port: 0
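A pre-upload check for the "google-service-private-key.json" file, as an added example that is not farmerswife's or Google's code: it verifies that the download is a service account key with restrictive file permissions, and builds the claim set a client signs when it uses Domain Wide Delegation to act as the impersonation address. The gmail.send scope, the sample key values and the function names are assumptions; this page does not state which scope the fw Server requests.

```python
import json, os, stat, time

GMAIL_SEND = "https://www.googleapis.com/auth/gmail.send"  # assumed scope
REQUIRED = ("type", "client_email", "client_id", "private_key", "token_uri")
SAMPLE_KEY = {  # constructed sample, not a real credential
    "type": "service_account",
    "client_email": "fw-allow-mail@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token",
}

def check_key_file(path):
    """Return (problems, key) for a downloaded service account JSON key."""
    problems = []
    if os.name == "posix":  # mode bits are not meaningful on Windows
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:
            problems.append(f"file mode {mode:o} lets other accounts access the key; use 600")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except ValueError as exc:
        return problems + [f"not valid JSON: {exc}"], None
    if not isinstance(key, dict):
        return problems + ["top level is not a JSON object"], None
    missing = [name for name in REQUIRED if not key.get(name)]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        problems.append("type is not 'service_account'")
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key")
    if not str(key.get("client_email", "")).endswith(".gserviceaccount.com"):
        problems.append("client_email is not a service account address")
    return problems, key

def delegation_claims(key, impersonation_email, scope=GMAIL_SEND, now=None):
    """Claim set of the JWT that is signed with private_key and sent to token_uri."""
    now = int(time.time()) if now is None else now
    return {
        "iss": key["client_email"],  # the service account itself
        "sub": impersonation_email,  # mailbox to act as; chosen by whoever holds the key
        "scope": scope,
        "aud": key["token_uri"],
        "iat": now,
        "exp": now + 3600,  # tokens are requested for at most one hour
    }
```

Because `sub` is supplied by the caller, anyone who obtains the key file can request tokens for other mailboxes in the domain within the delegated scopes, which is why the file needs the protection described above.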