I generate my JWT; if my token is correct, why doesn't it work? In the Google Developers Console I enabled the Gmail, Google+, YouTube and other APIs, and under Credentials I generated and downloaded the JSON key:
{
"private_key_id": "22dcf",
"private_key": "-----BEGIN PRIVATE KEY-----(remove)-----END PRIVATE KEY-----\n",
"client_email": "[email protected]",
"client_id": "jc6.apps.googleusercontent.com",
"type": "service_account"
}
First I generate the token:
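// JWT header: the assertion is signed with RSA-SHA256.
var sHead = JSON.stringify({"alg": "RS256", "typ": "JWT"});

// Issued-at time and expiry one hour (3600 s) later.
// NOTE(review): presumably timeStampf() returns Unix time in seconds - confirm.
var iat = timeStampf();
var exp = iat + 3600;

// Claim set of the assertion.
// NOTE(review): no "sub" claim is set, so the access token is issued for the
// service account itself, not for the owner of a particular mailbox.
var sPayload = JSON.stringify({
    "iss": client_email,
    "scope": scope, // gmail scope https://mail.google.com/
    "aud": "https://www.googleapis.com/oauth2/v3/token",
    "exp": exp,
    "iat": iat
});

// private_key is the PEM string from the downloaded service-account JSON.
var sJWS = KJUR.jws.JWS.sign("RS256", sHead, sPayload, private_key);

// Form-encoded request body. Both values are percent-encoded explicitly so the
// body stays well-formed whatever the assertion contains; the original string
// literal was split across two lines and did not parse.
var paramstoken = "grant_type=" + encodeURIComponent("urn:ietf:params:oauth:grant-type:jwt-bearer") +
    "&assertion=" + encodeURIComponent(sJWS);

getToken("POST", "/oauth2/v3/token", paramstoken, jsonData, replier);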
/*rest petition return 200 OK
{
"access_token" : "1bHLl5EOtu1pxz3fmmetKx9W8CV4t79M",
"token_type" : "Bearer",
"expires_in" : 3600
}*/
Next I test my token:
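/**
 * Sends an authenticated GET to the Gmail message-list endpoint and passes the
 * JSON-decoded response body to `replier`.
 *
 * Reads `vertx`, `urlbase` and `contentType` from the enclosing scope.
 *
 * @param {string} accessToken - OAuth 2.0 access token, sent as a Bearer credential.
 * @param {function(Object)} replier - called with the parsed response body.
 */
function testToken(accessToken, replier)
{
    // Paths tried with this function: /gmail/v1/users/me/messages /plus/v1/people/me
    // TLS on port 443: the bearer token in the Authorization header must not
    // travel in clear text.
    var client = vertx.createHttpClient().host(urlbase).port(443).ssl(true).maxPoolSize(10);
    var request = client.request("GET", "/gmail/v1/users/me/messages", function(resp) {
        // Only the status line is logged; the token itself is never written out.
        console.log('server returned status code: ' + resp.statusCode());
        console.log('server returned status message: ' + resp.statusMessage());
        resp.bodyHandler(function(body) {
            try {
                replier(JSON.parse(body.toString()));
            } finally {
                // Close the client only after the reply has been read. Closing
                // it straight after request.end() risks tearing the connection
                // down while the response is still in flight.
                client.close();
            }
        });
    });
    request.headers()
        .set("Content-type", contentType)
        .set("Authorization", "Bearer " + accessToken);
    request.end();
}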
If I use the Google+ scope and this request, the answer is 200 OK:
https://www.googleapis.com/auth/plus.me /plus/v1/people/me
{
"kind":"plus#person",
"etag":"\"LR9iFZQGXELLHS07eQ\"",
"objectType":"person","id":"1149981343","displayName":"","name":{"familyName":"","givenName":""},"image":{"url":"https://lh3.googleusercontent.com/-XdUIqdMkCWA/AAAAAAAAAAI/AAAAAAAAAAA/4252rscbv5M/photo.jpg?sz=50","isDefault":true},"isPlusUser":false,"language":"en_US","circledByCount":0,"verified":false}
But if I try with Gmail:
{"error":{"errors":[{"domain":"global","reason":"failedPrecondition","message":"Bad Request"}],"code":400,"message":"Bad Request"}}
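In the case of Gmail, you are accessing a particular user's data, so when creating the JWT you need to specify the user you are trying to impersonate, i.e. the user whose mailbox you want to access.
You can do this by adding the `sub` claim, set to that user's email address, when forming the JWT claim set. Impersonation only works when the domain administrator has granted the service account domain-wide delegation for the requested scope; without it the token request for that user is refused.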