Gmail XOAUTH Authentication Failure in Java

I’m working on a Java application that connects to Gmail using XOAUTH authentication, but I keep running into authentication problems. Every time I try to connect, I get an “Invalid credentials” error message. I’ve been searching for solutions but haven’t found anything that works.

Here’s my implementation:

public class GmailAuth {

    private static final String API_SCOPE = "https://mail.google.com/";
    private static final String CLIENT_ID = "your_client_id";
    private static final String CLIENT_SECRET = "your_client_secret";
    private static final String EMAIL_ADDRESS = "[email protected]";

    public static void main(String[] args) throws Exception {

        GoogleOAuthParameters authParams = new GoogleOAuthParameters();
        authParams.setOAuthConsumerKey(CLIENT_ID);
        authParams.setOAuthConsumerSecret(CLIENT_SECRET);
        
        OAuthSigner signature = new OAuthHmacSha1Signer();
        GoogleOAuthHelper authHelper = new GoogleOAuthHelper(signature);
        authParams.setScope(API_SCOPE);

        authHelper.getUnauthorizedRequestToken(authParams);
        String authUrl = authHelper.createUserAuthorizationUrl(authParams);
        
        System.out.println(authUrl);
        System.out.println("Visit this URL to authorize the token, then press enter...");
        System.in.read();

        String accessToken = authHelper.getAccessToken(authParams);
        System.out.println("Access Token: " + accessToken);

        // Connect to IMAP
        XoauthAuthenticator.initialize();
        IMAPSSLStore store = XoauthAuthenticator.connectToImap(
            "imap.gmail.com",
            993,
            EMAIL_ADDRESS,
            authParams.getOAuthToken(),
            authParams.getOAuthTokenSecret(),
            new OAuthConsumer(null, CLIENT_ID, CLIENT_SECRET, null),
            true
        );
        System.out.println("IMAP connection successful");
    }
}

The error I’m getting is:

A1 NO [ALERT] Invalid credentials (Failure)
javax.mail.AuthenticationFailedException: [ALERT] Invalid credentials (Failure)
    at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:660)
    at javax.mail.Service.connect(Service.java:295)

I’ve tried using real consumer credentials but still get the same error. My goal is to authenticate users and access their Gmail messages for processing. Has anyone solved this authentication issue before?

oauth 1.0 is completely dead for gmail now - google’s servers just reject it outright. you need oauth 2.0 flow, but here’s the tricky part: make sure “less secure app access” is turned off in your gmail settings. i know it sounds backwards, but oauth 2.0 won’t work if that’s enabled. also double check your redirect uri matches exactly what you put in the console.

Your code uses Google’s old OAuth 1.0, which Google deprecated for Gmail back in 2012. That’s why you keep getting auth failures regardless of the credentials you use.

To resolve this, switch to OAuth 2.0 with the Gmail API. You’ll need to implement a different setup: remove GoogleOAuthParameters and OAuthHmacSha1Signer. Instead, follow the OAuth 2.0 flow with Google’s client libraries to get an authorization code, exchange it for access tokens, and then use those tokens with JavaMail’s OAuth2 authenticator.

I encountered similar issues while maintaining legacy email code. It’s essential to update your dependencies to include google-api-client and google-oauth-client libraries and manage the OAuth 2.0 tokens correctly. Note, the IMAP connection also changes significantly, as XoauthAuthenticator will not be compatible with the old OAuth 1.0 tokens you’re currently generating.

Had this exact problem last year with an old enterprise system. You’re mixing OAuth 1.0 with OAuth 2.0 - Gmail’s IMAP servers only accept OAuth 2.0 bearer tokens, not the signature-based tokens your code’s generating.

Besides updating to OAuth 2.0, you’re missing a key step. After getting the auth code from the user, you need to exchange it for access and refresh tokens through Google’s token endpoint. The access token goes to your IMAP connection as a bearer token - not the raw OAuth tokens.

Also check your Google Cloud Console project settings. Enable the Gmail API and configure the OAuth consent screen properly. I’ve seen credentials work fine for other Google APIs but fail for Gmail because of missing API enablement or wrong redirect URI setup.
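The bearer-token IMAP login described in the replies above, as an added example that is not code from any poster in this thread. It assumes JavaMail 1.5.5 or later on the classpath and an access token already obtained through the OAuth 2.0 flow for the `https://mail.google.com/` scope; the class name and the `GMAIL_ADDRESS` / `GMAIL_ACCESS_TOKEN` environment variables are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Properties;
import javax.mail.Session;
import javax.mail.Store;

public class GmailXoauth2Example {

    // What the SASL XOAUTH2 mechanism sends on the wire:
    // base64("user=<email>^Aauth=Bearer <token>^A^A"), where ^A is byte 0x01.
    // JavaMail builds this itself; it is shown here for debugging a failed login.
    static String xoauth2InitialResponse(String email, String accessToken) {
        String raw = "user=" + email + "\u0001auth=Bearer " + accessToken + "\u0001\u0001";
        return Base64.getEncoder().encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    // Opens an IMAP store using the access token in place of a password.
    static Store connect(String email, String accessToken) throws Exception {
        Properties props = new Properties();
        props.put("mail.imap.ssl.enable", "true");          // TLS from the first byte (port 993)
        props.put("mail.imap.auth.mechanisms", "XOAUTH2");  // offer only XOAUTH2, never LOGIN/PLAIN
        Session session = Session.getInstance(props);
        Store store = session.getStore("imap");
        store.connect("imap.gmail.com", 993, email, accessToken);
        return store;
    }

    public static void main(String[] args) throws Exception {
        String email = System.getenv("GMAIL_ADDRESS");        // hypothetical variable name
        String token = System.getenv("GMAIL_ACCESS_TOKEN");   // hypothetical variable name

        if (email == null || token == null) {
            // Offline path: constructed sample values, only to show the encoding.
            String sample = xoauth2InitialResponse("user@example.com", "SAMPLE_TOKEN");
            System.out.println("Sample XOAUTH2 response: " + sample);
            return;
        }

        // Log the token length, not the token: an access token is a live credential.
        System.out.println("Connecting as " + email + " (token length " + token.length() + ")");
        Store store = connect(email, token);
        try {
            System.out.println("IMAP connection successful: " + store.isConnected());
        } finally {
            store.close();
        }
    }
}
```

Access tokens expire, so a long-running process should refresh the token and reconnect instead of storing it alongside the client secret in source.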
