google oauth2 impersonate service account with user@gmail.com

离开以前 2020-12-20 01:00

I wanted to access some google api services:

  • GDrive API
  • Contact API
  • People API

And I'm struggling with the oauth2 impersonat

1 answer
  •  南方客 (original poster)
    2020-12-20 01:50

    The short answer is no, it's not possible to perform service-account impersonation of an @gmail.com account. The key reason is that although the service account OAuth flow doesn't involve an authorization screen, at the end of the day someone must still say "I authorize this application to impersonate this user."

    In the case of a Google Apps domain that person is the domain administrator, who has the authority to approve apps for all users in the domain. For an @gmail.com account, there is no other authority that can approve this on your behalf. And if you have to ask the user for authorization anyway, then it just makes sense to use the regular 3-legged OAuth flow to prompt the user for authorization, get a refresh token, etc.

    Now for a while there was a trick where you could take an @gmail.com user through the regular 3-legged flow, and once they approved it use the service account flow from then on. This led to some strange problems however, so we've disabled that option. This may be why there was disagreement in the past about if this is possible.

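The decision described in the answer, as an added example that is not part of the original post or of any Google library: a user in a domain whose administrator approved the service account gets a service-account JWT naming that user in `sub`, while an @gmail.com user gets the 3-legged consent URL requesting a refresh token. The function name, the `delegated_domains` list and all sample values are assumptions made up for illustration; the code builds the JWT claim set only and does not sign or send it.

```python
import time
from urllib.parse import urlencode

TOKEN_URI = "https://oauth2.googleapis.com/token"          # "aud" of the service-account JWT
AUTH_URI = "https://accounts.google.com/o/oauth2/v2/auth"  # user-consent endpoint

def plan_authorization(user_email, scopes, delegated_domains,
                       sa_email, client_id, redirect_uri, now=None):
    """Pick the OAuth flow that can legitimately act for user_email.

    delegated_domains (hypothetical input): domains whose administrator has
    approved this service account for domain-wide delegation.
    """
    local, sep, domain = user_email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address: %r" % user_email)
    scope = " ".join(scopes)

    if domain.lower() in {d.lower() for d in delegated_domains}:
        # The domain admin has authorized impersonation, so the JWT may
        # name the user in the "sub" claim. Lifetime is capped at one hour.
        iat = int(time.time()) if now is None else int(now)
        claims = {"iss": sa_email, "sub": user_email, "scope": scope,
                  "aud": TOKEN_URI, "iat": iat, "exp": iat + 3600}
        return {"flow": "service_account", "jwt_claims": claims}

    # Nobody can approve on this user's behalf (e.g. @gmail.com), so the
    # user must consent. access_type=offline asks for a refresh token.
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                       "response_type": "code", "scope": scope,
                       "access_type": "offline", "login_hint": user_email})
    return {"flow": "three_legged", "consent_url": AUTH_URI + "?" + query}

# Constructed sample values, not real accounts or credentials.
SCOPES = ["https://www.googleapis.com/auth/drive.readonly",
          "https://www.googleapis.com/auth/contacts.readonly"]
SAMPLE = dict(scopes=SCOPES, delegated_domains=["example.com"],
              sa_email="svc@my-project.iam.gserviceaccount.com",
              client_id="1234.apps.googleusercontent.com",
              redirect_uri="https://app.example.com/oauth2/callback")

if __name__ == "__main__":
    for email in ("alice@example.com", "user@gmail.com"):
        print(email, "->", plan_authorization(email, **SAMPLE))
```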