Authentication prerequisites for the Gmail (Beta) connector in Jitterbit Studio

Introduction

These are the prerequisites for authenticating with the Gmail (Beta) connector using either a 3-legged OAuth 2.0 (3LO) client credential or a Google Cloud service account with domain-wide authority delegation.

Note

This connector is currently in beta. To provide feedback, contact the Jitterbit Product Team.

Both authorization methods require Google Cloud Console access for configuration.

Agent version 10.83 / 11.21 or later is required to use 3-legged OAuth 2.0 authentication.

3-legged OAuth 2.0 (3LO)

Follow these steps to configure a 3-legged OAuth 2.0 (3LO) client:

  1. In the Google Cloud Console, enable the Gmail API using Google's Gmail API setup tool.

  2. Navigate to APIs & Services > Credentials and click Create credentials > OAuth client ID to open the Create OAuth client ID configuration page:

    1. Select Web application for Application type.

    2. Enter any name for Name.

    3. Add one of the following URLs (depending on your organization's region) to the Authorized redirect URIs list:

      Region  URL
      APAC    https://apps.apac-southeast.jitterbit.com/design-studio/api/v1/oauth/authcode
      EMEA    https://apps.emea-west.jitterbit.com/design-studio/api/v1/oauth/authcode
      NA      https://apps.na-east.jitterbit.com/design-studio/api/v1/oauth/authcode
  3. Click Create to generate the OAuth client and its credential file.

  4. When complete, an OAuth client created dialog appears. Click Download JSON to download the JSON credential file containing the Client ID and Client secret for later use:

    Example JSON credential file
    {
        "web": {
            "client_id": "...",
            "project_id": "gmail-123456",
            "auth_uri": "https://accounts.google.com/o/oauth2/auth",
            "token_uri": "https://oauth2.googleapis.com/token",
            "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
            "client_secret": "...",
            "redirect_uris": [
                "https://apps.my-region.jitterbit.com/design-studio/api/v1/oauth/authcode"
            ]
        }
    }
    
  5. Click OK to close the dialog. The newly generated credential is now shown under OAuth 2.0 Client IDs.

Configure an app registration in the Management Console

Follow these steps to configure required values for a Management Console private application app registration:

  1. Gather the required information from the JSON credential file downloaded when configuring the Gmail OAuth client above:

    • Client ID (client_id)
    • Client secret (client_secret)
    • Authorization URL (auth_uri)
    • Access token URL and refresh token URL (token_uri)
  2. In the app registration's configuration, enter these Gmail scopes:

    Scope                                            Activity
    https://mail.google.com/                         All
    https://www.googleapis.com/auth/gmail.modify     All
    https://www.googleapis.com/auth/gmail.compose    Send
    https://www.googleapis.com/auth/gmail.send       Send
    https://www.googleapis.com/auth/gmail.readonly   Read
    https://www.googleapis.com/auth/gmail.metadata   Read
  3. Set the app's Client ID to the client_id value in your credential file.

  4. Set the app's Client Secret to the client_secret value in your credential file.

  5. Set the app's Authentication URL to the auth_uri value in your credential file. For example, https://accounts.google.com/o/oauth2/auth.

  6. Set the app's Access token URL and Refresh token URL to the token_uri value in your credential file. For example, https://oauth2.googleapis.com/token.

  7. Go to Advanced options. In the Authentication request tab, create these key-value pairs under Parameters:

    Key            Value    Send in
    response_type  code     Request URL
    access_type    offline  Request URL

Once the private application is registered on the App Registrations page, it is available to be selected in the OAuth Application menu in the Gmail (Beta) connection when using the Authorization Code Grant authentication option.
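
The following added example (not Jitterbit's or Google's code) checks a downloaded credential file before its values are copied into the app registration, and shows the authorization request that the two Parameters rows produce. The function names, the sample file, and the exact-match check against this page's example endpoint values are assumptions; the remaining query parameters are the standard OAuth 2.0 authorization code ones, not taken from this page.

```python
import json
from urllib.parse import urlencode

# Redirect URIs and endpoint values exactly as listed on this page.
JITTERBIT_REDIRECTS = {
    f"https://apps.{r}.jitterbit.com/design-studio/api/v1/oauth/authcode"
    for r in ("apac-southeast", "emea-west", "na-east")
}
EXPECTED = {"auth_uri": "https://accounts.google.com/o/oauth2/auth",
            "token_uri": "https://oauth2.googleapis.com/token"}

# Constructed sample credential file; the client ID and secret are placeholders.
SAMPLE = json.dumps({"web": {
    "client_id": "example-client-id.apps.googleusercontent.com",
    "client_secret": "EXAMPLE-NOT-A-REAL-SECRET",
    "auth_uri": EXPECTED["auth_uri"],
    "token_uri": EXPECTED["token_uri"],
    "redirect_uris": ["https://apps.na-east.jitterbit.com/design-studio/api/v1/oauth/authcode"],
}})

def app_registration_fields(credential_json):
    """Validate a downloaded credential file and map it to the app registration fields."""
    web = json.loads(credential_json).get("web")
    if not isinstance(web, dict):
        raise ValueError("no 'web' section: expected for Application type 'Web application'")
    for key in ("client_id", "client_secret", "auth_uri", "token_uri", "redirect_uris"):
        if not web.get(key):
            raise ValueError(f"missing field: {key}")
    for key, value in EXPECTED.items():
        if web[key] != value:
            raise ValueError(f"unexpected {key}: {web[key]!r}")
    stray = sorted(set(web["redirect_uris"]) - JITTERBIT_REDIRECTS)
    if stray:
        raise ValueError(f"redirect URI not in the regional list: {stray}")
    return {"Client ID": web["client_id"], "Client Secret": web["client_secret"],
            "Authentication URL": web["auth_uri"],
            "Access token URL": web["token_uri"], "Refresh token URL": web["token_uri"]}

def redacted(fields):
    """Copy of the mapping that can be pasted into a ticket without the secret."""
    return {k: "<redacted>" if k == "Client Secret" else v for k, v in fields.items()}

def authorization_request_url(fields, redirect_uri, scopes, state):
    """Authorization-code request URL carrying the two Parameters rows from step 7."""
    query = {"client_id": fields["Client ID"], "redirect_uri": redirect_uri,
             "scope": " ".join(scopes), "state": state,  # standard OAuth 2.0 parameters
             "response_type": "code", "access_type": "offline"}
    return fields["Authentication URL"] + "?" + urlencode(query)
```

The access_type=offline parameter is what asks Google to return a refresh token along with the access token, which is why the Refresh token URL is also set.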

Service account with domain-wide authority delegation

Important

You must be a super administrator in your Google Workspace domain to delegate domain-wide authority to a service account.

Follow these steps to configure a service account with domain-wide authority delegation for authentication:

  1. Follow Google's guide to Create a service account. Retain the service account's generated email address and private key for later use in the Gmail (Beta) connection.

  2. Before delegating domain-wide authority, decide which of these Gmail scopes the integration requires:

    Scope                                            Activity
    https://mail.google.com/                         All
    https://www.googleapis.com/auth/gmail.modify     All
    https://www.googleapis.com/auth/gmail.compose    Send
    https://www.googleapis.com/auth/gmail.send       Send
    https://www.googleapis.com/auth/gmail.readonly   Read
    https://www.googleapis.com/auth/gmail.metadata   Read
  3. Follow Google's guide to Delegate domain-wide authority to the service account.

Once the service account is configured, it is possible to authenticate with it in the Gmail (Beta) connection when using the Service Account authentication option.
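
As an added example (not part of the original page or of Jitterbit's tooling), this check compares a scope list proposed for domain-wide delegation with the activities the integration actually needs, using the scope table above. The function name, the accepted input format (scopes separated by commas or whitespace), and the reading of "All" as covering Read and Send are assumptions.

```python
import re

# Scope -> activity, copied from the table on this page.
GMAIL_SCOPES = {
    "https://mail.google.com/": "All",
    "https://www.googleapis.com/auth/gmail.modify": "All",
    "https://www.googleapis.com/auth/gmail.compose": "Send",
    "https://www.googleapis.com/auth/gmail.send": "Send",
    "https://www.googleapis.com/auth/gmail.readonly": "Read",
    "https://www.googleapis.com/auth/gmail.metadata": "Read",
}

def audit_delegation(proposed, needed):
    """Audit a proposed scope list against the activities the integration needs.

    proposed: string of scope URLs separated by commas and/or whitespace.
    needed:   set of activities from the table ("Read", "Send", "All").
    """
    scopes = [s for s in re.split(r"[,\s]+", proposed) if s]
    known = [s for s in scopes if s in GMAIL_SCOPES]
    granted = {GMAIL_SCOPES[s] for s in known}
    return {
        # Not in the table: a typo, or a scope this connector does not list.
        "unknown": sorted(set(scopes) - set(known)),
        # Grants an activity nobody asked for, e.g. an "All" scope for a read-only job.
        "excess": sorted({s for s in known if GMAIL_SCOPES[s] not in needed}),
        # Needed activity that no proposed scope provides (assumption: "All" covers it).
        "uncovered": sorted(a for a in needed
                            if a not in granted and "All" not in granted),
        # Same scope listed more than once.
        "duplicates": sorted({s for s in scopes if scopes.count(s) > 1}),
    }

# Constructed sample: a read-only integration whose request also asks for full access.
SAMPLE_REQUEST = ("https://mail.google.com/, "
                  "https://www.googleapis.com/auth/gmail.readonly")

if __name__ == "__main__":
    for finding, items in audit_delegation(SAMPLE_REQUEST, {"Read"}).items():
        print(f"{finding}: {items}")
```

An empty "excess" list matters most for this authentication method, because scopes delegated domain-wide apply to every user the service account can impersonate in the Workspace domain.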