scimgateway 5.0.13 → 5.0.14

package/README.md

@@ -16,6 +16,7 @@ Validated through IdP's:
 
 Latest news:  
 
+- Email, onError and sendMail() supports modern REST OAuth for Microsoft Exchange Online (ExO) and Google Workspace Gmail, alongside traditional SMTP Auth for all mail systems. HelperRest supports a wide range of common authentication methods, including basicAuth, bearerAuth, tokenAuth, oauth, oauthSamlAssertion, oauthJwtAssertion and Auth PassTrough 
 - Major version **v5.0.0** marks a shift to native TypeScript support and prioritizes [Bun](https://bun.sh/) over Node.js. This upgrade requires some modifications to existing plugins.  
 - **BREAKING**: [SCIM Stream](https://elshaug.xyz/docs/scim-stream) is the modern way of user provisioning letting clients subscribe to messages instead of traditional IGA top-down provisioning. SCIM Gateway now offers enhanced functionality with support for message subscription and automated provisioning using SCIM Stream
 - Authentication PassThrough letting plugin pass authentication directly to endpoint for avoid maintaining secrets at the gateway. E.g., using Entra ID application OAuth
@@ -436,18 +437,18 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
           "2603:1056:2000::/48",
           "2603:1057:2::/48"
         ]
-- **email** - Contains configuration for sending email from plugin or automated error notifications emailOnError. Note, for emailOnError only the first error will be sent until sendInterval have passed
-- **email.host** - Mailserver e.g. "smtp.gmail.com" - mandatory when not using tenantIdGUID (Microsoft)
-- **email.port** - Port used by mailserver e.g. 587, 25 or 465 - mandatory when not using tenantIdGUID (Microsoft)
+- **email** - Contains configuration for sending email from plugin or automated error notifications emailOnError. Note, for emailOnError only the first error will be sent until sendInterval have passed. Supporting both SMTP Auth and modern REST OAuth. For OAuth, currently Microsoft Exchange Online (ExO) and Google Workspace Gmail are supported
 - **email.auth** - Authentication configuration
-- **email.auth.type** - `basic` or `oauth`
-- **email.auth.options** - Authentication configuration options - note, different options for type basic and oauth
-- **email.auth.options.username (basic)** - Mail account for authentication normally same as sender of the email, e.g. "user@gmail.com"
-- **email.auth.options.password (basic)** - Mail account password
-- **email.auth.options.tenantIdGUID (oauth)** - Entra ID tenant id, mandatory/recommended when using Microsoft Exchange Online
-- **email.auth.options.tokenUrl (oauth)** - Token endpoint, mandatory when not using tenantIdGUID (Microsoft Exchange Online)
-- **email.auth.options.clientId (oauth)** - Client ID
-- **email.auth.options.clientSecret (oauth)** - Client Secret
+- **email.auth.type** - `oauth` or `smtp`
+- **email.auth.options** - Authentication options - note, different options for type oauth and smtp
+- **email.auth.options.tenantIdGUID (oauth/ExO)** - Entra ID tenant id, mandatory/recommended when using Microsoft Exchange Online
+- **email.auth.options.clientId (oauth/ExO)** - Client ID
+- **email.auth.options.clientSecret (oauth/ExO)** - Client Secret
+- **email.auth.options.serviceAccountKeyFile (oauth/Gmail)** - Google Service Account key json-file name located in the `package-root>\config\certs` directory unless absolute path being defined
+- **email.auth.options.host (smtp)** - Mailserver e.g. "smtp.gmail.com" - mandatory for smtp
+- **email.auth.options.port (smtp)** - Port used by mailserver e.g. 587, 25 or 465 - mandatory for smtp
+- **email.auth.options.username (smtp)** - Mail account for authentication normally same as sender of the email, e.g. "user@gmail.com"
+- **email.auth.options.password (smtp)** - Mail account password
 - **email.proxy** - Proxy configuration if using mailproxy
 - **email.proxy.host** - Proxy host e.g. `http://proxy-host:1234`
 - **email.proxy.username** - username if authentication is required
@@ -455,12 +456,12 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 - **email.emailOnError** - Contains configuration for sending error notifications by email. Note, only the first error will be sent until sendInterval have passed
 - **email.emailOnError.enabled** - true or false, value set to true will enable email notifications
 - **email.emailOnError.sendInterval** - Default 15. Mail notifications on error are deferred until sendInterval **minutes** have passed since the last notification.
-- **email.emailOnError.from** - Sender email addresses e.g: "noreply@example.com", note must correspond with email.auth.options being used and mailserver configuration
+- **email.emailOnError.from** - Sender email addresses e.g: "noreply@example.com". **Mandatory for oauth**. For smtp email.auth.options.username will be used
 - **email.emailOnError.to** - Comma separated list of recipients email addresses e.g: "someone@example.com"
 - **email.emailOnError.cc** - Optional comma separated list of cc mail addresses
 - **email.emailOnError.subject** - Optional mail subject, default `SCIM Gateway error message`
 
-	Configuration notes when using default configuration oauth and tenantIdGUID - Microsoft Exchange Online (ExO):
+	**Configuration notes for Microsoft Exchange Online (ExO):**
 
 	- Entra ID application must have application permissions `Mail.Send`  
 	- To prevent the sending of emails from any defined mailboxes, an ExO `ApplicationAccessPolicy` must be defined through PowerShell.  
@@ -475,9 +476,33 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 			##Create ApplicationAccessPolicy
 			New-ApplicationAccessPolicy -AppId <AppClientID> -PolicyScopeGroupId <MailEnabledSecurityGrpId> -AccessRight RestrictAccess -Description "Restrict app to specific mailboxes"
 
+	**Configuration notes for Google Workspace Gmail:**
+
+	- https://console.cloud.google.com
+		- IAM & Admin > Service Accounts > Create Service Account
+			- Name=email-sender  
+			- Create and Continue
+			- Grant this service account access to project - not needed
+			- Grant users access to this service - not needed  
+		- IAM & Admin > Service Accounts > "email-sender" account > Keys    
+			- Add Key > Create new key > JSON
+			- download json `serviceAccountKeyFile` file, refere to configuration `email.auth.options.serviceAccountKeyFile`
+
+	- https://admin.google.com
+		- Security > Access and data control > API controls
+			- Manage Domain Wide Delegation > Add new
+			- Client ID = id of service account created
+			- OAuth scope = https://www.googleapis.com/auth/gmail.send  
+	 
+	- https://admin.google.com
+		- Billing > Subscriptions - verify Google Workspace license
+		- Directory > Users > "user"
+		- Licenses > Edit > enable Google Workspace license  
+		`email.onerror.from` mail address must have Google Workspace Business license
+
 - **stream** - See [SCIM Stream](https://elshaug.xyz/docs/scim-stream) for configuration details
 
-- **endpoint** - Contains endpoint specific configuration according to our **plugin code**. 
+- **endpoint** - Contains endpoint specific configuration according to customized **plugin code**. 
 
 #### Configuration notes
 
@@ -1111,6 +1136,15 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 ## Change log  
 
+### v5.0.14
+
+[Improved]
+
+- email now supports Google Workspace Gmail using REST OAuth
+- email workaround for ExO national characters introduced in v5.0.7 not needed anymore - ExO/GraphApi seems to have been fixed
+- some minor cosmetics on email message layout formatting when using plain text message
+- HelperRest now includes authentication type `oauthJwtAssertion`
+
 ### v5.0.13
 
 [Improved]  

package/lib/helper-rest.ts

@@ -2,6 +2,7 @@ import { HttpsProxyAgent } from 'https-proxy-agent'
 import { URL } from 'url'
 import { Buffer } from 'node:buffer'
 import { samlAssertion } from './samlAssertion.ts' // prereq: saml
+import { sign as jwtSign } from 'jsonwebtoken'
 import fs from 'node:fs'
 import querystring from 'querystring'
 import * as utils from './utils.ts'
@@ -16,6 +17,7 @@ export class HelperRest {
   private scimgateway: any
   private idleTimeout: number
   private graphUrl = 'https://graph.microsoft.com/beta' // beta instead of 'v1.0' gives all user attributes when no $select
+  private googleUrl = 'https://www.googleapis.com'
 
   constructor(scimgateway: any, optionalEntities?: Record<string, any>) {
     if (!scimgateway || !scimgateway.gwName) throw new Error('HelperRest initialization error: argument scimgateway is not of type ScimGateway')
@@ -33,6 +35,11 @@ export class HelperRest {
           if (this.config_entity[baseEntity]?.connection?.auth?.type === 'oauth') {
             this.config_entity[baseEntity].connection.baseUrls = [this.graphUrl]
           }
+        } else if (this.config_entity[baseEntity]?.connection?.auth?.options?.serviceAccountKeyFile) { // Google, setting baseUrls to googleapis
+          const type = this.config_entity[baseEntity]?.connection?.auth?.type
+          if (type === 'oauthJwtAssertion' || type === 'oauth') { // includes oauth because of email.auth.type
+            this.config_entity[baseEntity].connection.baseUrls = [this.googleUrl]
+          }
         }
         connectionFound = true
       }
@@ -107,13 +114,57 @@ export class HelperRest {
         const audience = `scimgateway/${this.scimgateway.pluginName}`
         const delay = 1
 
-        const assertion = await samlAssertion.run(context, cert, key, issuer, lifetime, clientId, nameId, userIdentifierFormat, tokenEndpoint, audience, delay)
         form = {
           token_url: tokenUrl,
           grant_type: 'urn:ietf:params:oauth:grant-type:saml2-bearer',
           client_id: clientId,
           company_id: this.config_entity[baseEntity].connection.auth.options.companyId,
-          assertion: assertion,
+          assertion: await samlAssertion.run(context, cert, key, issuer, lifetime, clientId, nameId, userIdentifierFormat, tokenEndpoint, audience, delay),
+        }
+        break
+
+      case 'oauthJwtAssertion':
+        let privateKey = ''
+        let jwtAttr: Record<string, any> = {}
+        const serviceAccountKeyFile = this.config_entity[baseEntity]?.connection?.auth?.options?.serviceAccountKeyFile
+
+        if (serviceAccountKeyFile) { // Google Service Account key json-file
+          const gkey: Record<string, any> = await (async () => {
+            try {
+              const jsonObject = await import(serviceAccountKeyFile, { assert: { type: 'json' } })
+              return jsonObject.default // access the object via the `default` property
+            } catch (err: any) {
+              throw new Error(`auth type '${this.config_entity[baseEntity]?.connection?.auth?.type}' - serviceAccountKeyFile error: ${err.message}`)
+            }
+          })()
+
+          tokenUrl = gkey.token_uri // https://oauth2.googleapis.com/token
+          privateKey = gkey.private_key
+          jwtAttr = {
+            scope: this.config_entity[baseEntity]?.connection?.auth?.options?.scope, // https://www.googleapis.com/auth/gmail.send
+            sub: this.config_entity[baseEntity]?.connection?.auth?.options?.subject, // firstname.lastname@mycompany.com
+            iss: gkey.client_email, // service account email/user
+            aud: gkey.token_uri,
+            iat: Math.floor(Date.now() / 1000), // issued at
+            exp: Math.floor(Date.now() / 1000) + (60 * 60), // expiration time
+          }
+        } else { // standard JWT requires all configuation set
+          tokenUrl = this.config_entity[baseEntity]?.connection?.auth?.options?.tokenUrl
+          const privateKeyFile = this.config_entity[baseEntity]?.connection?.auth?.options?.certificate?.key
+          if (privateKeyFile) privateKey = fs.readFileSync(privateKeyFile).toString()
+          jwtAttr = {
+            scope: this.config_entity[baseEntity]?.connection?.auth?.options?.scope,
+            sub: this.config_entity[baseEntity]?.connection?.auth?.options?.subject,
+            iss: this.config_entity[baseEntity]?.connection?.auth?.options?.issuer,
+            aud: this.config_entity[baseEntity]?.connection?.auth?.options?.audience,
+            iat: Math.floor(Date.now() / 1000),
+            exp: Math.floor(Date.now() / 1000) + (60 * 60),
+          }
+        }
+
+        form = {
+          grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
+          assertion: jwtSign(jwtAttr, privateKey, { algorithm: 'RS256' }),
         }
         break
 
@@ -232,19 +283,28 @@ export class HelperRest {
           },
         }
 
-        // Supporting  no auth, header based auth (e.g., config {"options":{"headers":{"APIkey":"123"}}}),
-        // basicAuth, bearerAuth, oauth, tokenAuth, oauthSamlAssertion and auth PassTrough using request header authorization
+        // Support  no auth, header based auth (e.g., config {"options":{"headers":{"APIkey":"123"}}}),
+        // basicAuth, bearerAuth, oauth, tokenAuth, oauthSamlAssertion, oauthJwtAssertion and auth PassTrough using request header authorization
+
+        let orgConnection: any
+        if (opt?.connection) { // allow overriding/extending configuration connection by caller argument opt.connection
+          let org = this.config_entity[baseEntity]?.connection
+          orgConnection = utils.copyObj(org)
+          if (!org) org = {}
+          org = utils.extendObj(org, opt.connection)
+        }
+
         switch (this.config_entity[baseEntity]?.connection?.auth?.type) {
           case 'basic':
             if (!this.config_entity[baseEntity]?.connection?.auth?.options?.username || !this.config_entity[baseEntity]?.connection?.auth?.options?.password) {
-              const err = new Error(`auth type 'basic' - missing configuration entity.${baseEntity}.connection.auth.options.username/password`)
+              const err = new Error(`auth.type 'basic' - missing configuration entity.${baseEntity}.connection.auth.options.username/password`)
               throw err
             }
             param.options.headers['Authorization'] = 'Basic ' + Buffer.from(`${this.config_entity[baseEntity].connection.auth.options.username}:${this.config_entity[baseEntity].connection.auth.options.password}`).toString('base64')
             break
           case 'oauth':
             if (!this.config_entity[baseEntity]?.connection?.auth?.options?.clientId || !this.config_entity[baseEntity]?.connection?.auth?.options?.clientSecret) {
-              const err = new Error(`auth type 'oauth' - missing configuration entity.${baseEntity}.connection.auth.options.clientId/clientSecret`)
+              const err = new Error(`auth.type 'oauth' - missing configuration entity.${baseEntity}.connection.auth.options.clientId/clientSecret`)
               throw err
             }
             param.accessToken = await this.getAccessToken(baseEntity, ctx)
@@ -268,16 +328,42 @@ export class HelperRest {
           case 'oauthSamlAssertion':
             if (!this.config_entity[baseEntity]?.connection?.auth?.options?.clientId || !this.config_entity[baseEntity]?.connection?.auth?.options?.companyId
               || !this.config_entity[baseEntity]?.connection?.auth?.options?.certificate?.key) {
-              const err = new Error(`auth type 'oauthSamlAssertion' - missing configuration entity.${baseEntity}.connection.auth.options...`)
+              const err = new Error(`auth.type 'oauthSamlAssertion' - missing configuration entity.${baseEntity}.connection.auth.options...`)
+              throw err
+            }
+            param.accessToken = await this.getAccessToken(baseEntity, ctx)
+            param.options.headers['Authorization'] = `Bearer ${param.accessToken.access_token}`
+            break
+          case 'oauthJwtAssertion':
+            if (this.config_entity[baseEntity]?.connection?.auth?.options?.serviceAccountKeyFile) { // Google Service Account
+              if (!this.config_entity[baseEntity]?.connection?.auth?.options?.scope || !this.config_entity[baseEntity]?.connection?.auth?.options?.subject) {
+                const err = new Error(`auth.type 'oauthJwtAssertion' - using auth.options 'serviceAccountKeyFile' also requires mandatory configuration entity.${baseEntity}.connection.auth.options.scope/subject`)
+                throw err
+              }
+            } else if (!this.config_entity[baseEntity]?.connection?.auth?.options?.tokenUrl
+              || !this.config_entity[baseEntity]?.connection?.auth?.options?.scope
+              || !this.config_entity[baseEntity]?.connection?.auth?.options?.subject
+              || !this.config_entity[baseEntity]?.connection?.auth?.options?.issuer
+              || !this.config_entity[baseEntity]?.connection?.auth?.options?.audience
+              || !this.config_entity[baseEntity]?.connection?.auth?.options?.certificate?.key
+            ) {
+              const err = new Error(`auth.type 'oauthJwtAssertion' - when not using auth.options 'serviceAccountKeyFile' which is related to Google, following auth.options is mandatory: tokenUrl, scope, subject, issuer, audience, certificate.key`)
               throw err
             }
+
             param.accessToken = await this.getAccessToken(baseEntity, ctx)
             param.options.headers['Authorization'] = `Bearer ${param.accessToken.access_token}`
             break
+
           default:
             // no auth or PassTrough
         }
 
+        if (orgConnection) {
+          this.config_entity[baseEntity].connection = orgConnection // reset back to original
+          if (opt?.connection) delete opt.connection
+        }
+
         // proxy
         if (this.config_entity[baseEntity]?.connection?.proxy?.host) {
           const agent = new HttpsProxyAgent(this.config_entity[baseEntity].connection.proxy.host)
@@ -334,7 +420,10 @@ export class HelperRest {
       // adding none static
       cli.options.method = method
       cli.options.path = `${urlObj.pathname}${urlObj.search}`
-      if (opt) cli.options = utils.extendObj(cli.options, opt) // merge with argument options
+      if (opt) {
+        if (opt?.connection) delete opt.connection // only used for internal connection options
+        cli.options = utils.extendObj(cli.options, opt) // merge with argument options
+      }
 
       return cli // final client
     }
@@ -582,9 +671,9 @@ export class HelperRest {
   * ```
   * {
   *   "options": {
-  *     "tenantIdGUID": "<Entra ID tenantIdGUID", // simplified configuration for using Microsoft Graph API
-  *     "tokenUrl": "<tokenUrl>", // not used when tenantIdGUID defined
-  *     "clientId": "<clientId",
+  *     "tenantIdGUID": "<Entra ID tenantIdGUID", // Microsoft Graph API - baseUrls automatically set to [https://graph.microsoft.com/beta]
+  *     "tokenUrl": "<tokenUrl>", // not used when tenantIdGUID defined - baseUrls required
+  *     "clientId": "<clientId>",
   *     "clientSecret": "<clientSecret>"
   *   }
   * }
@@ -626,6 +715,32 @@ export class HelperRest {
   * }
   * ```
   * 
+  * type=**"oauthJwtAssertion"** having auth.options:
+  * ```
+  * // Google API - baseUrls automatically set to [https://www.googleapis.com]
+  * {
+  *   "options": {
+  *     "serviceAccountKeyFile": "<Google Service Account key file name>", // located in ./config/certs
+  *     "scope": "<jwt-scope>"
+  *     "subject": "<jwt-subject>
+  *   }
+  * }
+  * 
+  * // General JWT API - baseUrls required
+  * {
+  *   "options": {
+  *     "tokenUrl":  "<tokenUrl",
+  *     "scope": "<jwt-scope>",
+  *     "subject": "<jwt-subject>",
+  *     "issuer": "<jwt-issuer>",
+  *     "audience": "<jwt-audience>",
+  *     "certificate": {
+  *       "key": "<signing-key-file-name>"
+  *      }
+  *   }
+  * }
+  * ```
+  * 
   * **connection.options** can be set according to web-standard fetch client options  
   * examples:  
   * ```

package/lib/scimgateway.ts

@@ -408,41 +408,43 @@ export class ScimGateway {
     if (!this.config.scimgateway.email.auth) this.config.scimgateway.email.auth = {}
     if (!this.config.scimgateway.email.auth.options) this.config.scimgateway.email.auth.options = {}
     if (!this.config.scimgateway.email.emailOnError) this.config.scimgateway.email.emailOnError = {}
+    if (!this.config.scimgateway.email.emailOnError) this.config.scimgateway.email.proxy = {}
 
     if (!this.config.scimgateway.stream) this.config.scimgateway.stream = {}
     if (!this.config.scimgateway.stream.subscriber) this.config.scimgateway.stream.subscriber = {}
     if (!this.config.scimgateway.stream.publisher) this.config.scimgateway.stream.publisher = {}
 
     // start - legacy support
-    if (!this.config.scimgateway.emailOnError) this.config.scimgateway.emailOnError = {}
-    if (!this.config.scimgateway.emailOnError.smtp) this.config.scimgateway.emailOnError.smtp = {}
-    if (this.config.scimgateway.emailOnError.smtp.host) {
-      this.config.scimgateway.email.host = this.config.scimgateway.emailOnError.smtp.host
+    if (this.config.scimgateway?.emailOnError?.smtp?.host) {
+      this.config.scimgateway.email.auth.options.host = this.config.scimgateway.emailOnError.smtp.host
     }
-    if (this.config.scimgateway.emailOnError.smtp.port) {
-      this.config.scimgateway.email.port = this.config.scimgateway.emailOnError.smtp.port
+    if (this.config.scimgateway?.emailOnError?.smtp?.port) {
+      this.config.scimgateway.email.auth.options.port = this.config.scimgateway.emailOnError.smtp.port
     }
-    if (this.config.scimgateway.emailOnError.smtp.proxy) {
+    if (this.config.scimgateway?.emailOnError?.smtp?.proxy) {
       this.config.scimgateway.email.proxy = this.config.scimgateway.emailOnError.smtp.proxy
     }
-    if (this.config.scimgateway.emailOnError.smtp.username) {
+    if (this.config.scimgateway?.emailOnError?.smtp?.username) {
       this.config.scimgateway.email.emailOnError.from = this.config.scimgateway.emailOnError.smtp.username
       this.config.scimgateway.email.auth.options.username = this.config.scimgateway.emailOnError.smtp.username
     }
-    if (this.config.scimgateway.emailOnError.smtp.password) {
+    if (this.config.scimgateway?.emailOnError?.smtp?.password) {
       this.config.scimgateway.email.auth.options.password = this.config.scimgateway.emailOnError.smtp.password
-      this.config.scimgateway.email.auth.type = 'basic'
+      this.config.scimgateway.email.auth.type = 'smtp'
     }
-    if (this.config.scimgateway.emailOnError.smtp.enabled) {
+    if (this.config.scimgateway?.emailOnError?.smtp?.enabled) {
       this.config.scimgateway.email.emailOnError.enabled = this.config.scimgateway.emailOnError.smtp.enabled
     }
-    if (this.config.scimgateway.emailOnError.smtp.sendInterval) {
+    if (this.config.scimgateway?.emailOnError?.smtp?.sendInterval) {
       this.config.scimgateway.email.emailOnError.sendInterval = this.config.scimgateway.emailOnError.smtp.sendInterval
     }
-    if (this.config.scimgateway.emailOnError.smtp.to) {
+    if (this.config.scimgateway?.emailOnError?.smtp?.subject) {
+      this.config.scimgateway.email.emailOnError.subject = this.config.scimgateway.emailOnError.smtp.subject
+    }
+    if (this.config.scimgateway?.emailOnError?.smtp?.to) {
       this.config.scimgateway.email.emailOnError.to = this.config.scimgateway.emailOnError.smtp.to
     }
-    if (this.config.scimgateway.emailOnError.smtp.cc) {
+    if (this.config.scimgateway?.emailOnError?.smtp?.cc) {
       this.config.scimgateway.email.emailOnError.cc = this.config.scimgateway.emailOnError.smtp.cc
     }
     // end - legacy support
@@ -2657,12 +2659,8 @@ export class ScimGateway {
       setTimeout(function () { // release lock after "sendInterval" minutes
         isMailLock = false
       }, (this.config.scimgateway.email.emailOnError.sendInterval || 15) * 1000 * 60)
-      const msgHtml = `<html><body> 
-        <p>${msg}</p> 
-        <br> 
-        <p><strong>This is an automatically generated email - please do NOT reply to this email or forward to others</strong></p> 
-        </body></html>`
 
+      const msgHtml = `<html><body><pre style="font-family: monospace; white-space: pre-wrap;">${msg}</pre><br/><p><strong>This is an automatically generated email - please do NOT reply to this email or forward to others</strong></p></body></html>`
       const msgObj = {
         from: this.config.scimgateway.email.emailOnError.from,
         to: this.config.scimgateway.email.emailOnError.to,
@@ -2947,33 +2945,24 @@ export class ScimGateway {
       logger.error(`${gwName}[${pluginName}] sendMail failed: missing or invalid msgObj argument`)
       return
     }
+    if (!isHtml) {
+      isHtml = true
+      msgObj.content = `<html><body><pre style="font-family: monospace; white-space: pre-wrap;">${msgObj.content}</pre></body></html>`
+    }
 
     if (authType === 'oauth') {
       if (!this.helperRest) this.helperRest = new HelperRest(this, { entity: { undefined: { connection: this.config.scimgateway.email } } })
       if (this.config.scimgateway.email.auth?.options?.tenantIdGUID) {
-        // Graph API
-        let content: string
-        if (isHtml) { // ExO workaround for national special caracters in html content - require singleValueExtendedProperties being used
-          var enc = new TextEncoder() // utf-8
-          const buf = enc.encode(msgObj.content)
-          content = new TextDecoder('windows-1252').decode(buf)
-        } else content = msgObj.content
-
+        // Microsoft Exchange Online (ExO) - using Graph API
         const emailMessage: Record<string, any> = {
           message: {
             subject: msgObj.subject ? msgObj.subject : 'SCIM Gateway message',
             body: {
-              content,
+              content: msgObj.content,
               contentType: isHtml ? 'HTML' : 'Text',
             },
             toRecipients: [],
             ccRecipients: [],
-            singleValueExtendedProperties: [ // force using ExO header: Content-Type: text/plain; charset="utf-8"
-              {
-                id: 'Integer 0x3fde', // Content-Type header - can be verifed by checking raw mail
-                value: '65001', // text/plain; charset="utf-8"
-              },
-            ],
           },
           saveToSentItems: 'false',
         }
@@ -2983,7 +2972,7 @@ export class ScimGateway {
           for (let i = 0; i < arr.length; i++) {
             emailMessage.message.toRecipients.push({
               emailAddress: {
-                address: arr[i],
+                address: arr[i].trim(),
               },
             })
           }
@@ -2993,7 +2982,7 @@ export class ScimGateway {
           for (let i = 0; i < arr.length; i++) {
             emailMessage.message.ccRecipients.push({
               emailAddress: {
-                address: arr[i],
+                address: arr[i].trim(),
               },
             })
           }
@@ -3009,29 +2998,57 @@ export class ScimGateway {
           logger.error(`${gwName}[${pluginName}] sendMail subject '${emailMessage.message.subject}' sending failed: ${err.message}`)
         }
         return
+      } else if (this.config.scimgateway.email.auth?.options?.serviceAccountKeyFile) {
+        // Google Workspace Gmail
+        if (!msgObj.to) msgObj.to = ''
+        if (!msgObj.cc) msgObj.cc = ''
+
+        let mimeMessage = `From: ${msgObj.from}
+To: ${msgObj.to}
+Cc: ${msgObj.cc}
+Subject: ${msgObj.subject}
+MIME-Version: 1.0
+Content-Type: text/html; charset="UTF-8"
+Content-Transfer-Encoding: quoted-printable
+
+`
+        mimeMessage += msgObj.content
+        const encodedMessage = btoa(mimeMessage)
+        const emailMessage = { raw: encodedMessage }
+        const path = `/gmail/v1/users/${msgObj.from}/messages/send`
+        try { // using opt connection argument type=oauthJwtAssertion and options scope/subject because we want to keep simplified email.auth.type=oauth and options serviceAccountKeyFile
+          await this.helperRest.doRequest('undefined', 'POST', path, emailMessage, null, { connection: { auth: { type: 'oauthJwtAssertion', options: { scope: 'https://www.googleapis.com/auth/gmail.send', subject: msgObj.from } } } })
+          logger.debug(`${gwName}[${pluginName}] sendMail subject '${emailMessage}' sent to: ${msgObj.to}${(msgObj.cc) ? ',' + msgObj.cc : ''}`)
+        } catch (err: any) {
+          logger.error(`${gwName}[${pluginName}] sendMail subject '${emailMessage}' sending failed: ${err.message}`)
+        }
+        return
       }
+      logger.error(`${gwName}[${pluginName}] sendMail error: type oauth supports only ExO (scimgateway.email.auth.options.tenantIdGUID) or Google Workspace Gmail (scimgateway.email.auth.options.serviceAccountKeyFile)`)
+      return
     }
 
-    // nodemailer
-    if (!this.config.scimgateway?.email?.host) {
-      logger.error(`${gwName}[${pluginName}] sendMail subject '${msgObj.subject}' sending failed: some missing scimgateway.email configuration`)
+    if (authType !== 'smtp') {
+      logger.error(`${gwName}[${pluginName}] sendMail error: configuration scimgateway.email.auth.type must be set to oauth or smtp`)
       return
     }
+
+    // nodemailer - SMTP Auth
     const smtpConfig: { [key: string]: any } = {
-      host: this.config.scimgateway.email.host, // e.g. smtp.office365.com
-      port: this.config.scimgateway.email.port || 587,
-      proxy: this.config.scimgateway.email.proxy || null,
-      secure: (this.config.scimgateway.email.port === 465), // false on 25/587
+      host: this.config.scimgateway?.email?.auth?.options?.host, // e.g. smtp.office365.com
+      port: this.config.scimgateway?.email?.auth?.options?.port || 587,
+      secure: (this.config.scimgateway?.email?.auth?.options?.port === 465), // false on 25/587
       tls: { ciphers: 'TLSv1.2' },
+      proxy: this.config.scimgateway?.email?.proxy,
     }
-    if (authType) {
-      smtpConfig.auth = {}
-      if (authType === 'basic') {
-        smtpConfig.auth.user = this.config.scimgateway.email.auth.options.username
-        smtpConfig.auth.pass = this.config.scimgateway.email.auth.options.password
-      } else if (authType === 'oauth') {
-        smtpConfig.auth.type = 'OAuth2'
-      }
+
+    smtpConfig.auth = {}
+    smtpConfig.auth.user = this.config.scimgateway?.email?.auth?.options?.username
+    smtpConfig.auth.pass = this.config.scimgateway?.email?.auth?.options?.password
+
+    if (!this.config.scimgateway?.email?.auth?.options?.host || !this.config.scimgateway?.email?.auth?.options?.username) {
+      logger.error(`${gwName}[${pluginName}] sendMail subject '${msgObj.subject}' sending error: missing scimgateway.email.options configuration for auth type smtp`)
+      return
     }
 
     const transporter = nodemailer.createTransport(smtpConfig)
@@ -3043,20 +3060,6 @@ export class ScimGateway {
       subject: msgObj.subject ? msgObj.subject : 'SCIM Gateway message',
     }
 
-    if (authType === 'oauth') {
-      mailOptions.auth = {}
-      mailOptions.auth.user = msgObj.from
-      transporter.set('oauth2_provision_cb', async (user, renew, callback) => {
-        const aObj = await this.helperRest.getAccessToken('undefined')
-        const accessToken = aObj ? aObj?.access_token : null
-        if (!accessToken) {
-          return callback(new Error('missing access token'))
-        } else {
-          return callback(null, accessToken)
-        }
-      })
-    }
-
     if (isHtml) mailOptions.html = msgObj.content
     else mailOptions.text = msgObj.content
 
@@ -3116,6 +3119,12 @@ export class ScimGateway {
         dotConfig[key] = keyFile
         const addKey = key.replace(`.${lastKey}`, '.publicKeyContent')
         dotConfig[addKey] = fs.readFileSync(keyFile)
+      } else if (key.endsWith('.serviceAccountKeyFile')) { // Google Service Account Key json-file
+        let keyFile = path.join(this.configDir, '/certs/', dotConfig[key])
+        if (dotConfig[key].startsWith('/') || dotConfig[key].includes('\\')) {
+          keyFile = dotConfig[key]
+        }
+        dotConfig[key] = keyFile
       }
 
       // process env, file and text

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scimgateway",
-  "version": "5.0.13",
+  "version": "5.0.14",
   "type": "module",
   "description": "Using SCIM protocol as a gateway for user provisioning to other endpoints",
   "author": "Jarle Elshaug <jarle.elshaug@gmail.com> (https://elshaug.xyz)",