Google Email channel client secret applying to wrong account

Infos:

  • Used Zammad version: 6.5.0-1754288942.d6c15a31.noble
  • Used Zammad installation type: package
  • Operating system: 24.04.3 LTS
  • Browser + version: Chrome and Firefox

Expected behavior:

  • Adding a new Gmail account should not replace a separate existing account’s client secret.

Actual behavior:

  • Adding a new Gmail account breaks an existing account’s client secret. We are trying to add a 3rd separate Gmail account, each with its own client IDs and secrets, but adding the 3rd account breaks one of the existing accounts, as it’s not retaining its own client secret and trying to use the new account’s secret.
  • Reauthenticating does not fix the issue because Configure App needs to be set, creating the issue loop.

Steps to reproduce the behavior:

  • Add new Gmail account → Configure App → Add account.
  • Separate existing account throws error:
    Can’t use Channel::Driver::Imap: #<RuntimeError: Failed to refresh XOAUTH2 access_token of provider ‘google’: Request failed! ERROR: invalid_client (Unauthorized)>
  • Production log shows that the existing Gmail account is trying to use the new account’s client secret.

Notes:

It seems like there is a bug that is sharing secrets between accounts with the global Configure App and Add Account. It would be nice if Configure App were separate for each account so it cannot interfere with existing accounts and make Reauth work correctly. What is interesting is that our 2nd separate Gmail channel is not having these issues; only the 1st and 3rd accounts are fighting over each other’s client secret (client ID is maintained correctly). I will try upgrading Zammad soon.

Zammad uses one app for all channels. What you’re trying to do is not possible.

We have been running 2 different OAuth Gmail accounts in Zammad for a few years without issues. How is that working if this is not possible? How can I view stored client IDs and secrets?

Thanks

Right. I am talking about the app with its secrets. You can authenticate as many Google channels against a single Google app as you want. If the app secret is rotated and no longer valid, you’ll have to re-authenticate the channel.

Invalid client indicates that something is no longer okay with the Google app.

I get what you’re saying and what’s officially supported, but that’s not how our Google channel has successfully been working. The 2 accounts shown are using different client IDs and secrets. They have worked perfectly for months. They were migrated when the Google Email channel came along due to basic auth going away. Is it possible that’s how they are working outside of what’s supported?

The invalid client comes after adding a 3rd app/account. Once added, the new app works correctly, but breaks the top account shown; no impact to the middle account. Production log shows that Zammad tries to use the 3rd app’s client secret for the top app, but retains its client ID. Interesting behavior!

How can I view what client IDs and secrets are stored?

As I said. Zammad supports one app with its client ID, secret etc. Exactly as outlined in the documentation. You add all your accounts via that one app. Anything is well outside application scope and definitely not supported by it.

The problem is that all the accounts have to reside in the same Google cloud/workspace, correct? We’re currently working on using an alias as a workaround, and we may submit a feature request to Zammad to allow support for Gmail accounts from different workspaces/apps.

Also, it seems that the documentation is still missing a step, as discussed in this post: Zammad Community Post.

Thanks, and wishing you the best on your new adventures as I’m just noticing you’re no longer with Zammad :clinking_beer_mugs:

Yes and no. That highly depends on the user type you choose.

Your statement is only correct if the app type is internal. As we’re talking about Zammad’s mail channel in a very defined and (closed) way that only admins have access to, external should be very well good enough.

At least I don’t see any bad vectors that might get your rear here.

Not really, no. While this part was adjusted, technically it was there before too.

Thank you very much!

Thanks for pointing out the external option. I initially thought it was for testing and had some security concerns, but I will take another look. It appears that this may be the route we’ll need to take since the alias option isn’t using the From address as we had hoped. It seems to still be limited by the group sending email address, rather than the Gmail settings for “Send mail as” and “When replying to a message - Reply from the same address the message was sent to”.

If anyone encounters a similar Google issue, we had to go with the external audience option. This required an additional step for enabling the Gmail API, as mentioned in this thread. The production log pointed us to the exact link where we needed to enable it, which was really helpful! It appears to be different from what is described in the documentation concerning scopes. A possible feature request would be the ability to have a client secret per Google account.

Shoutout to Marcel, the Zammad support legend! Keep the great YouTubes coming! :clinking_beer_mugs:
