OAuth2 Authentication for Google Workspace and Office 365

This guide covers the setup of OAuth 2.0 authentication for the inbox used by RSM InTime to process timesheet approval emails (under System Administration > Email Server Settings). The administrator of your email account should be able to complete the setup of OAuth 2.0 credentials and scopes/permissions. Should you have any queries or issues when completing the email account setup, please contact the relevant provider's support, as the RSM InTime support team will be unable to assist due to access and visibility restrictions.

Important note: Log in to RSM InTime in an incognito window, then do the OAuth Email-Client login step from there. This is often needed to avoid accidentally signing in with your own account rather than that of the mailbox you wish to grant access to.

Outlook OAuth 2.0 Authentication Guide

You will need to register RSM InTime as an app with the identity platform in Azure Active Directory (Azure AD). Please refer to Microsoft's page on how to register an application, which provides more detail on the process below.

Register the Application in Azure

Log in to the Azure Portal and select "Azure Active Directory".

Make a note of your Tenant Id and click "App Registrations" on the left.


Click "New registration".


Give the registration a name (this is for your own information only, something like "InTimeMailClient"), choose "Accounts in this organisational directory only" and in the Redirect URI box, select "Web" and add the following redirect URI: https://<your-intime-domain-here>/oauth2Client/callback/Email-Client

Click Save. Make a note of the Application (client) ID and the Directory (tenant) ID (this should be the same as the Tenant Id noted earlier).


Click "Certificates and secrets" on the left, click "New client secret", enter a descriptive name for this secret and set it to expire in an appropriate period. Click "Add". Note that when the secret expires, you'll have to create a new one and update the RSM InTime configuration.


Make a note of the value in the Value field. This will not be displayed again.

Click "API permissions" on the left. Click "Add a permission" and click "Microsoft Graph".


Then click Delegated Permissions.

You'll then need to add the following permissions:

IMAP.AccessAsUser.All

Mail.Read

offline_access

User.Read



You should then have the following permissions set up:


Log in to RSM InTime in an incognito window, go to Settings → Email Server Settings and enter the details shown below, replacing the email address/username with the email address/username of the mailbox you would like RSM InTime to monitor. Click Save, followed by OAuth 2.0 Settings.



You should be on the Integrations page. Click "New".

Click "Create" next to "Email-Client".


Enter the client id and client secret that you noted earlier. The rest of the page should be entered as shown below, replacing "<your-tenant-id>" with the tenant id you noted previously. Be sure to enter the scopes exactly as shown below. Click "Save", then "Back".

Click "Log In". 

You will be redirected to Microsoft to authenticate and consent, then redirected back to RSM InTime, where the status will show as "Authorised". Now return to Settings → Email Server Settings and confirm that RSM InTime can access your mailbox.

Gmail OAuth 2.0 Authentication Guide

Gmail Email Account Set Up

  • Set up a Gmail account or use an existing account. This account needs to be the account you intend to use for RSM InTime's email approval feature.
  • Log in to the Google API Console (here)
  • Navigate to the Cloud Resource Centre (here)
  • Create a new project
    • Project Name: InTime
    • Location: Select the relevant organization

Click "Create"

Configure OAuth consent screen

Access the API and Services dashboard (here)

Click "Create Credentials" which is located below.

  • Select - OAuth client ID

Click "Configure Consent Screen"

Select Internal user type and click "Create"


App Name - enter 'InTime'
User support email - add the email address you wish to be used for any queries on the OAuth 2.0 consent (this could be the email administrator)
App logo - not required

Authorised domains - enter your InTime domain here
Developer contact information - enter support@in-time.co.uk


Adding Scopes

  • Click Add or Remove Scopes
  • Under 'Enter property name or value' enter 'https://mail.google.com/'
    • If not available, click the blue "Google API Library" in the text above the list.
      • Search for "Gmail API", select the result "Gmail API" and click "Enable"
      • On the left hand menu, click "OAuth consent Screen" and click Edit App
      • Scroll to the bottom and click "Save and Continue"
      • Click "Add or Remove Scopes"
      • Search again for "https://mail.google.com/"
  • Tick the result and click "Update"


The scope should now be shown under "Your restricted scopes"


Adding OAuth2 Credentials 

  • In the Google API Console, go to Credentials
  • Click on Create Credentials and select OAuth client ID
  • From Application Type, pick Web application
  • Enter 'InTime' under the Name field
  • In the Authorized redirect URIs field, enter your InTime URL followed by "oauth2Client/callback?app=Email-Client". Make a note of this, as you will need it later on.
      • Example - https://demo.in-time.co.uk/oauth2Client/callback?app=Email-Client


Click Create.

Within the Credentials tab on the left-hand side, you'll now see your Client ID, InTime. Click the name.

Make a note of the Client ID and Client Secret in the top right of the screen.
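
A pre-flight check for the two app registrations described above, as an added example that is not part of the original guide or of RSM InTime. It compares the redirect URI and scopes you plan to register against the values this guide lists for each provider. The function names and dictionary layout are assumptions, and demo.in-time.co.uk is the guide's own example host.

```python
from urllib.parse import urlsplit

# Redirect paths and scopes as listed in this guide. The dictionary layout and
# the function names are illustrative; they are not part of RSM InTime.
GUIDE = {
    "microsoft": {"path": "/oauth2Client/callback/Email-Client", "query": "",
                  "scopes": {"IMAP.AccessAsUser.All", "Mail.Read",
                             "offline_access", "User.Read"}},
    "google": {"path": "/oauth2Client/callback", "query": "app=Email-Client",
               "scopes": {"https://mail.google.com/"}},
}

def expected_redirect_uri(provider, intime_domain):
    """Build the redirect URI the guide asks you to register."""
    g = GUIDE[provider]
    uri = f"https://{intime_domain}{g['path']}"
    return f"{uri}?{g['query']}" if g["query"] else uri

def check_registration(provider, intime_domain, redirect_uri, scopes):
    """Return findings; an empty list means the values match the guide."""
    findings = []
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https":
        findings.append("redirect URI must use https")
    if parts.fragment:
        findings.append("redirect URI must not contain a fragment")
    expected = expected_redirect_uri(provider, intime_domain)
    # The provider matches the redirect URI against the registered string, so
    # a trailing slash or a missing query string counts as a mismatch.
    if redirect_uri != expected:
        findings.append(f"redirect URI differs from {expected}")
    wanted, requested = GUIDE[provider]["scopes"], set(scopes)
    findings += [f"missing scope: {s}" for s in sorted(wanted - requested)]
    # Anything beyond the guide's list widens what a stolen token can do.
    findings += [f"scope not in the guide: {s}" for s in sorted(requested - wanted)]
    return findings

if __name__ == "__main__":
    # Constructed sample: trailing slash on the URI and one extra permission.
    for finding in check_registration(
            "microsoft", "demo.in-time.co.uk",
            "https://demo.in-time.co.uk/oauth2Client/callback/Email-Client/",
            ["IMAP.AccessAsUser.All", "Mail.Read", "offline_access",
             "User.Read", "Mail.ReadWrite"]):
        print(finding)
```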

RSM InTime OAuth 2.0 Integration Set Up

Once OAuth credentials and scopes have been enabled on your email account, you need to configure the integration within RSM InTime.

  • In RSM InTime, go to System Administration > System > Email Server Settings
  • From the Authentication Method dropdown, select 'OAuth 2.0'
  • Click on 'OAuth 2.0 Settings'; this will direct you to the OAuth Integrations screen
  • Click on New and click Create next to 'Email-Client'

Enter the following information

Click Save and then Back

Click Log In


Log in to Gmail/Outlook using the email account credentials and allow the app to access the inbox.

Finally, within RSM InTime, go to System Administration > System > Email Server Settings

  • Authentication Method: OAuth 2.0
  • Email Server: imap.gmail.com
  • Protocol: imap
  • Port: 993
  • SSL Required: Yes
  • Email Address: Email address to be used for Email Approval within RSM InTime
  • Username: Re-enter email address from above.
  • Password: Enter the password for the email account.


Click Save

Your RSM InTime instance will now be connected to your email server account using OAuth 2.0 authentication.