PHP setOAuth() now wants a OAuthTokenProvider? What does that mean? #2850
Comments
No, it's not a built-in. It means that what you pass in as the
But the example shows pseudo values. Do you know how to construct the values?
Yes, exactly the same question! How do you construct the values? Preferably without using files.
My credentials and tokens come from a database entry, so do I have to write them to files in order to use this option (seems a bit backward)? Or is there an option to create this oauthTokenProvider using variables? Cheers
It wasn't clear which example you were referring to, however I see that you are talking about the wiki article that shows how to use Google's client library instead of the PHP League one. The If you want to avoid the external file approach, I recommend using the default League classes, which operate entirely on literal strings, not external files.
Don’t get too hung up on class GoogleOauthClient: you write it, and it itself is whatever you want it to be, with the only restriction that the ‘implements OAuthTokenProvider’ interface will force your class to contain the getOauth64() public method that is used by PHPMailer’s SMTP. Your GoogleOauthClient is functionally replacing: by The implementation of OAuthTokenProvider we use internally accepts either literal strings (ClientID value and so on) or a single record php-imploded string file containing these that is automatically generated as part of the initial offline refresh-token creation. Horses for courses. But it also supports MSFT OAuth2 as well as Google, and a file is useful for storing the new MSFT refresh token created with each access token (MSFT refresh tokens expire after 90 days or less; Google’s last forever, and MSFT client_secrets also expire). One advantage of the Google-supplied client is that, unlike TheLeague’s oauth2-google client, it supports Google service accounts (aka client_credentials) as well as authorization_code grant flow, and to provide this we intend to replace TheLeague’s oauth2-google client by Google’s google-api-php-client library.
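Added example (not part of the thread and not PHPMailer's own code): a minimal class that implements OAuthTokenProvider from in-memory values rather than files, producing the base64 XOAUTH2 string that starts with the `user=` field. The class name `DbOAuthTokenProvider`, the `$row` array and the token-fetching closure are hypothetical, and a PHPMailer version that ships the OAuthTokenProvider interface is assumed to be installed via Composer.

```php
<?php
// Added example; assumes PHPMailer (with OAuthTokenProvider) installed via Composer.
require 'vendor/autoload.php';

use PHPMailer\PHPMailer\OAuthTokenProvider;

// Hypothetical class name: builds the XOAUTH2 string from in-memory values only.
final class DbOAuthTokenProvider implements OAuthTokenProvider
{
    private $email;        // mailbox the token was issued for
    private $fetchToken;   // callable returning ['access_token' => ..., 'expires_in' => ...]
    private $accessToken;  // cached access token
    private $expiresAt = 0;

    public function __construct(string $email, callable $fetchToken)
    {
        $this->email = $email;
        $this->fetchToken = $fetchToken;
    }

    // The one method the interface requires; PHPMailer's SMTP class sends
    // the returned string as the XOAUTH2 initial response.
    public function getOauth64(): string
    {
        // Refresh when nothing is cached or the token is within 60 s of expiry.
        if ($this->accessToken === null || time() >= $this->expiresAt - 60) {
            $token = ($this->fetchToken)();
            $this->accessToken = $token['access_token'];
            $this->expiresAt = time() + (int) $token['expires_in'];
        }
        return base64_encode(
            'user=' . $this->email . "\001auth=Bearer " . $this->accessToken . "\001\001"
        );
    }
}

// Constructed demo values. In practice $row is your database record and the
// closure exchanges the stored refresh token for a fresh access token.
$row = ['email' => 'sender@example.com'];
$provider = new DbOAuthTokenProvider($row['email'], function () {
    return ['access_token' => 'CONSTRUCTED-ACCESS-TOKEN', 'expires_in' => 3600];
});

// Decode our own output to check the structure; never log a real token.
$fields = explode("\001", base64_decode($provider->getOauth64()));
echo $fields[0], PHP_EOL; // the "user=" field only

// With a configured PHPMailer instance $mail:
// $mail->AuthType = 'XOAUTH2';
// $mail->setOAuth($provider);
```

Because the token source is an injected callable, the client secret and refresh token can stay in the database or a secrets store and never need to be written to a file on the web server.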
Thanks for the responses. I rolled my own MyOAuthTokenProvider class to implement OAuthTokenProvider.
PS I removed parts of the encoded strings so they aren't copies of the originals. From other posts in this group I can see this is a security issue at the Google end, but it would be nice if Google provided a bit more information about why it couldn't authenticate. While we include a username (email) there is no password, it's not relevant with XOAUTH2 - so the message is unhelpful. I will post this question to Google, but if you have anything to add please do so. Cheers
What scopes have you specified in the OAuth Consent screen App Registration in Google Cloud Console?
I only ask because Pete Scopes’ document ‘Gmail XOAUTH2 Using Google API Client’ (7th June 2022) contains: If you have a more restrictive scope setting in the OAuth Consent screen, you will either get your access token request bounced or, as in your case, get an access token with the more restrictive setting that will be bounced when presented to Gmail for authentication. This is inconsistent with the returned ‘Username and Password not accepted’ message perhaps, but since XOAUTH2-type authorisation has (vide your diagnostics) been accepted in principle, the message is spurious anyway: a legacy of ‘basic’ LOGIN authentication perhaps. Unlike MSFT access tokens, Google ones are opaque, but Google's tokeninfo endpoint will decode it for you: Finally, it's worth checking that the envelope and header 'From' email address fields are consistent with the Gmail account registration: your token has '[email protected]' as bearer
I saw some stuff about scope, and only the generic Gmail scope was found to be working by others. I've got a bit of time so I'm checking this with the Gmail developer support. I'm also pushing the verification team to make some comment about whether this error is due to an unverified app. I'll post again when I get some responses.
RFC 6749 is clear about what should happen if your client asked for more permissive scopes than was registered:
One obvious point worth remembering is that when an access token is issued, it has not yet been presented to the resource (Gmail) for authentication. So the token can be quite valid (it will be, assuming Google stick to RFC 6749) but inappropriate for what you want to use it for. When it is presented to Gmail as the resource, Gmail (perhaps with a sideways glance at the token server) will check that your intended use (SMTP outbound) is consistent with the token’s scopes, expiration date, audience and so on. It may also check the bearer ‘user’ prefix email address (the bit starting dXNlc…): Google won’t let you send from an arbitrary address. Your SMTP server’s return is (in UTF-8):
I do this:
I followed this example from nearly everywhere but I always get this error:
Uncaught TypeError: Argument 1 passed to PHPMailer\PHPMailer\PHPMailer::setOAuth() must be an instance of PHPMailer\PHPMailer\OAuthTokenProvider, instance of OAuth given