Implementing OAuth2 authentication for Gmail API in Java server application instead of username/password

I’m working as a Google Workspace admin and our organization uses Gmail for email services. I have a backend Java application that needs to send emails from a specific Gmail account like “[email protected]”. Currently, my app uses basic username and password authentication for SMTP.

Since Google is removing support for password-based authentication and moving to OAuth2, I need to update my implementation. The key thing is that my server application sends emails automatically without any user interaction. No real users will be authenticating through my app.

I found Google’s documentation about sending emails through Gmail API and there’s a Java sample called SendMessage.java. I think this might be what I need for my server-side email sending.

Is this the right approach for automated email sending from a server?

I’m confused about the OAuth setup process. From what I understand:

  1. Create a new project in Google API Console
  2. Generate OAuth credentials and download the client_secret.json file
  3. Use these credentials in my Java code

I have two main questions:

First, when creating OAuth credentials, it asks for a redirect URI. Since my use case doesn’t involve user interaction, do I still need to provide this?

Second, the sample code uses GoogleCredentials.getApplicationDefault() which reads from an environment variable. Is this the same file as the client_secret.json I download during setup?

Here’s my current email sending method that uses password authentication:

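public void dispatchEmail(String targetAddress, String emailSubject, String messageBody) throws Exception {
    // Mailbox password read from configuration: the credential this migration removes.
    String userPassword = config.getProperty(SMTP_AUTH_PASSWORD);
    MimeMessage emailMessage = createEmailMessage(targetAddress, emailSubject, messageBody);
    String smtpServer = config.getProperty(SMTP_SERVER_HOST);
    try {
        // Password-based SMTP login as the sending account.
        this.mailTransport.connect(smtpServer, this.fromAddress, userPassword);
        this.mailTransport.sendMessage(emailMessage, emailMessage.getAllRecipients());
    } finally {
        // Close the connection whether or not the send succeeded.
        this.mailTransport.close();
    }
}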

Any guidance on migrating this to OAuth2 would be helpful.

You’re on the right track with Gmail API for server-side sending. I switched our corporate system from SMTP to Gmail API last year when Google killed basic auth. For OAuth setup - yeah, you still need a redirect URI even for server apps. Just use ‘http://localhost’ or ‘urn:ietf:wg:oauth:2.0:oob’ since there’s no actual web interface. Here’s the thing though - that ‘client_secret.json’ file isn’t what ‘GoogleCredentials.getApplicationDefault()’ wants. That method expects service account credentials, not OAuth client stuff. For automated server sending without user clicks, create a service account in Google Cloud Console instead. Skip the OAuth client credentials entirely. Download the service account JSON, then point your ‘GOOGLE_APPLICATION_CREDENTIALS’ environment variable to it. Now ‘GoogleCredentials.getApplicationDefault()’ will work. One last step - enable domain-wide delegation for the service account in your Google Workspace admin console so it can send emails as your support account.

Went through this exact migration 6 months ago. You’re right about using Gmail API for automated server emails, but there’s a key difference between OAuth2 client credentials and service accounts that wasn’t fully explained.

For automated sending, skip the traditional OAuth2 flow completely. Don’t create OAuth2 client credentials - create a service account in Google Cloud Console instead. You’ll get a JSON key file with everything needed for server-to-server auth. No redirect URIs or consent screens.

With the service account JSON, migrating from SMTP becomes way cleaner. Swap out your password auth for Gmail API calls using the service account credentials. Best part: service accounts can impersonate domain users through domain-wide delegation, so your automated emails still come from [email protected].

Just enable Gmail API in your Google Cloud project and set up domain-wide delegation in Workspace admin console. Users won’t see any auth flow, and it’s much more secure than password-based SMTP.

oauth2 setup is diff for server apps than user apps. for service accounts, skip the redirect uri or just use localhost. also, client_secret.json is not the same as application default creds. u gotta create service account creds and set GOOGLE_APPLICATION_CREDENTIALS env var to that json file. then GoogleCredentials.getApplicationDefault() will work for ur auto sending.
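The service-account route described in the replies above, as an added example that is not part of the original thread or Google's SendMessage.java sample: application default credentials narrowed to the send-only Gmail scope and delegated to one mailbox. It assumes the google-api-services-gmail, google-auth-library-oauth2-http and javax.mail libraries are on the classpath; `DelegatedMailer`, the application name and `support@example.com` are placeholders.

```java
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.json.gson.GsonFactory;
import com.google.api.services.gmail.Gmail;
import com.google.api.services.gmail.GmailScopes;
import com.google.api.services.gmail.model.Message;
import com.google.auth.http.HttpCredentialsAdapter;
import com.google.auth.oauth2.GoogleCredentials;
import java.io.ByteArrayOutputStream;
import java.util.Base64;
import java.util.Collections;
import java.util.Properties;
import javax.mail.Session;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;

public class DelegatedMailer {
    // Placeholder: the Workspace mailbox the service account impersonates.
    private static final String SENDER = "support@example.com";
    private final Gmail gmail;

    public DelegatedMailer() throws Exception {
        // Loads the service account key named by GOOGLE_APPLICATION_CREDENTIALS.
        GoogleCredentials credentials = GoogleCredentials.getApplicationDefault()
                // Send-only scope: the token cannot read or modify the mailbox.
                .createScoped(Collections.singletonList(GmailScopes.GMAIL_SEND))
                // Works only once domain-wide delegation grants this scope to the account.
                .createDelegated(SENDER);
        this.gmail = new Gmail.Builder(
                GoogleNetHttpTransport.newTrustedTransport(),
                GsonFactory.getDefaultInstance(),
                new HttpCredentialsAdapter(credentials))
                .setApplicationName("delegated-mailer") // hypothetical name
                .build();
    }

    public String dispatchEmail(String targetAddress, String emailSubject, String messageBody)
            throws Exception {
        MimeMessage mime = new MimeMessage(Session.getDefaultInstance(new Properties()));
        mime.setFrom(new InternetAddress(SENDER));
        mime.addRecipient(javax.mail.Message.RecipientType.TO, new InternetAddress(targetAddress));
        mime.setSubject(emailSubject, "UTF-8");
        mime.setText(messageBody, "UTF-8");
        // The API takes the full RFC 822 message, base64url-encoded, in the "raw" field.
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        mime.writeTo(buffer);
        Message message = new Message()
                .setRaw(Base64.getUrlEncoder().encodeToString(buffer.toByteArray()));
        // "me" resolves to the delegated user (SENDER); returns the sent message id.
        return gmail.users().messages().send("me", message).execute().getId();
    }
}
```

The JSON key is a long-lived secret that can act as any user the delegation covers, so keep it out of source control and list only the send scope when authorizing the service account's client ID in the Workspace admin console.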
