Setting Up Google OAuth2 for your Gmail account for Email to Print

“Google is switching off their basic authentications for third party apps! What now?” What’s happening at Google Google is switching off its support for basic authentication methods for Gmail accounts used on third-party applications. This means, for example, if you want to use a Gmail account to do email printing on PaperCut MF/NG, printing will no longer work with an email address and a password. App passwords are still supported, but Google discourages using them and will likely deprecate those in the near future. Similar things are happening at Microsoft as well. Basic authentication with a username and a password is now regarded as not secure. OAuth(2) is fast becoming the industry standard. What now? Version 22.0.3 of PaperCut MF/NG includes support for Google OAuth2 for both free-tier and Google Workspace Gmail users. This allows your PaperCut server to securely access your service email account through the Gmail API to enable Email to Print functionality. Prerequisites Before you jump in, you want to make sure you already have already run through our Gmail API Configuration for Email-Enabled Features guide which covers the configuration required on Google’s end to get this feature working. If you’ve already set up System Email Notifications using the Gmail with OAuth, then you should already have this completed and can reuse the client ID and client secret created for that. Using the client details to configure Email to Print You’ll want to have the Client ID and Client Secret on hand from the OAuth 2.0 client we configured earlier. If you already have system notifications set up, you likely already have the OAuth 2.0 client configured that we can reuse. You can either copy that information from the corresponding fields under Options > Notifications > SMTP Server Options, or log into Google Cloud Console and use the download icon next to the client name to view the Client ID and Client Secret. It’s perhaps best practice for information security to delete and recreate the OAuth 2.0 client every 6 months and set up a new one. Just be mindful that once you delete a client from the Google Cloud Platform console, it can be no longer used to access the Gmail API, so you’ll need to reconfigure this to preserve functionality. On the PaperCut web admin UI, click Email Printing > Mobile & BYOD and scroll down to Email to Print. Click Enable Email to Print. For the Protocol select ‘Gmail OAuth2’. The fields change into what is required for Google OAuth. For Username, type the service email address. This email address should have been added as one of the “test users” in the steps above. Copy and paste your Client ID and Client Secret into their respective boxes. A message will appear telling you that because the details of these fields have changed, you need to authorize via Google. Click the Authorize via Google button next to the message to complete the authorization process. Note that this will take you away from the PaperCut MF/NG web admin UI momentarily. Complete the log in and authorization process with Google. You’ll be automatically returned to the PaperCut MF/NG page. To check the progress of the authentication, under the black Email to Print status box, click Refresh. With everything done correctly, you’ll see the Status: OK message pretty soon. Should anything go wrong and lead the email printing service to an error state, the refresh button will clear up previously filled information. Use these instructions to set up a printer with Email to Print and test to ensure that this is all working. Note By this stage you may have noticed that every time you change any of the 3 fields related to the Google API client on this page, the message will show up to warn you that the information has been changed and you will need to re-authorise the PaperCut MF/NG application. This is because different email addresses (Google regards it as user ID) or different client details would of course affect the authentication and authorization processes. Warning A likely mistake in this process is that you put in one email address for the username on PaperCut MF/NG’s admin UI while picking another email account outside PaperCut MF/NG during Google’s log in and authorization process. We all have a few email accounts for daily dev work and receiving merchant promotions! Be extra careful while you click through the account picker with Google where you see a list of your accounts in the browser. Make sure you choose the account you would like to use for email printing service. Otherwise the token will have been issued for an account other than the one PaperCut MF/NG is going to try to pull emails from, which of course would lead to an error. If this is the first time you set up the OAuth2 protocol for Gmail, you’ll be taken to Google’s consent screen, which you set up yourself earlier on the Google Cloud Print console. It also means, without the consent of the email address owner, PaperCut MF/NG cannot access the content of that email address. If you change other details on this page while having Google OAuth as the email to print protocol, you will not be prompted to log in or authorize PaperCut MF/NG again. Hope this article has been helpful! Still have questions? Let us know! We love chatting about what’s going on under the hood. Feel free to leave a comment below or visit our Support Portal for further assistance.