Gmail API: setting a non-primary send-as signature returns error 403


I'm making an application that should set the signature for every user in the domain. When I try to set the signature on primary aliases this works fine, but this solution is not working for other aliases (non-primary aliases).

I use domain-wide delegation that is working fine, since I can set the signature for all primary send-as aliases in the domain. To do so I use the request: 'www.googleapis.com/gmail/v1/users/<email_address>/settings/sendAs/<alias_address>'. When I do the exact same thing for non-primary aliases I receive an error 403 with a message telling me I'm missing the scope 'www.googleapis.com/auth/gmail.settings.sharing'.

Missing required scope "https://www.googleapis.com/auth/gmail.settings.sharing" for modifying non-primary SendAs

These are the scopes I use in my code:

"oauthScopes": [
    "https://www.googleapis.com/auth/gmail.settings.basic",
    "https://www.googleapis.com/auth/gmail.settings.sharing",
    "https://www.googleapis.com/auth/script.external_request",
    "https://www.googleapis.com/auth/documents",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/drive.readonly"
  ]

As you can see the scope 'sharing' is present.

// The service that allows me to list send-as aliases
var serviceListe = getDomainWideDelegationService('Gmail: ', 'https://www.googleapis.com/auth/gmail.settings.basic', user.primaryEmail);

// The service that allows me to edit the send-as signature
var serviceModif = getDomainWideDelegationService('Gmail: ', 'https://www.googleapis.com/auth/gmail.settings.sharing', user.primaryEmail);

The code that returns the domain-wide delegation service:

function getDomainWideDelegationService(serviceName, scope, email) {
  return OAuth2.createService(serviceName + email)
      // Set the endpoint URL.
      .setTokenUrl('https://oauth2.googleapis.com/token')

      // Set the private key and issuer.
      .setPrivateKey(OAUTH2_SERVICE_ACCOUNT_PRIVATE_KEY)
      .setIssuer(OAUTH2_SERVICE_ACCOUNT_CLIENT_EMAIL)

      // Set the name of the user to impersonate. This will only work for
      // Google Apps for Work/EDU accounts whose admin has setup domain-wide
      // delegation:
      // https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority
      .setSubject(email)

      // Set the property store where authorized tokens should be persisted.
      .setPropertyStore(PropertiesService.getScriptProperties())

      // Set the scope. This must match one of the scopes configured during the
      // setup of domain-wide delegation.
      .setScope(scope);
}

There is 1 best solution below


According to the documentation here:

scope - this field specifies a space-delimited list of access scopes that correspond to the resources that your application could access on the user's behalf. These values inform the consent screen that Google displays to the user.

Taking this into account, I suggest you separate the scopes using spaces and not commas.

Reference
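
The space-delimited scope format quoted in the answer above, as an added example that is not part of the original question or answer: it normalizes a scope list into the "scope" claim of a service-account JWT used for domain-wide delegation and checks a scope string for the scope named in the 403 message. The function names, the service-account address and the user address are assumptions made for illustration.

```javascript
// Added example, not code from the original post. Runs under Node.js, offline.
const TOKEN_URL = 'https://oauth2.googleapis.com/token';
const BASIC = 'https://www.googleapis.com/auth/gmail.settings.basic';
const SHARING = 'https://www.googleapis.com/auth/gmail.settings.sharing';

// Accept an array, or a string delimited by commas and/or whitespace, and
// return the space-delimited form the scope field expects (duplicates dropped).
function normalizeScopes(scopes) {
  const list = Array.isArray(scopes) ? scopes : String(scopes).split(/[\s,]+/);
  return [...new Set(list.map((s) => s.trim()).filter(Boolean))].join(' ');
}

// Claim set of a service-account JWT that impersonates `subject` through
// domain-wide delegation. Only the claims are built; nothing is sent.
function buildDelegationClaims(issuer, subject, scopes, nowSeconds) {
  return {
    iss: issuer,
    sub: subject,
    scope: normalizeScopes(scopes),
    aud: TOKEN_URL,
    iat: nowSeconds,
    exp: nowSeconds + 3600, // one hour after iat
  };
}

// Required scopes that a space-delimited scope string does not contain.
function missingScopes(scopeString, required) {
  const granted = new Set(String(scopeString || '').split(/\s+/).filter(Boolean));
  return required.filter((s) => !granted.has(s));
}

// Constructed sample values (hypothetical service account and user).
const claims = buildDelegationClaims(
  'signature-bot@example-project.iam.gserviceaccount.com',
  'user@example.com',
  BASIC + ',' + SHARING, // comma-joined input, normalized before use
  1700000000
);
console.log(claims.scope);
// A comma-joined value read as space-delimited is a single unknown scope:
console.log(missingScopes(BASIC + ',' + SHARING, [SHARING]));
// The normalized value carries the scope the 403 message asks for:
console.log(missingScopes(claims.scope, [SHARING]));
```

Running the same missingScopes check on the scope string of a token before calling the sendAs endpoint turns a 403 from the API into an explicit configuration error.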