scimgateway 5.0.13 → 5.0.15

package/README.md

@@ -16,6 +16,7 @@ Validated through IdP's:
 
 Latest news:  
 
+- Email, onError and sendMail() supports more secure RESTful OAuth for Microsoft Exchange Online (ExO) and Google Workspace Gmail, alongside traditional SMTP Auth for all mail systems. HelperRest supports a wide range of common authentication methods, including basicAuth, bearerAuth, tokenAuth, oauth, oauthSamlBearer, oauthJwtBearer and Auth PassTrough 
 - Major version **v5.0.0** marks a shift to native TypeScript support and prioritizes [Bun](https://bun.sh/) over Node.js. This upgrade requires some modifications to existing plugins.  
 - **BREAKING**: [SCIM Stream](https://elshaug.xyz/docs/scim-stream) is the modern way of user provisioning letting clients subscribe to messages instead of traditional IGA top-down provisioning. SCIM Gateway now offers enhanced functionality with support for message subscription and automated provisioning using SCIM Stream
 - Authentication PassThrough letting plugin pass authentication directly to endpoint for avoid maintaining secrets at the gateway. E.g., using Entra ID application OAuth
@@ -436,18 +437,18 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
           "2603:1056:2000::/48",
           "2603:1057:2::/48"
         ]
-- **email** - Contains configuration for sending email from plugin or automated error notifications emailOnError. Note, for emailOnError only the first error will be sent until sendInterval have passed
-- **email.host** - Mailserver e.g. "smtp.gmail.com" - mandatory when not using tenantIdGUID (Microsoft)
-- **email.port** - Port used by mailserver e.g. 587, 25 or 465 - mandatory when not using tenantIdGUID (Microsoft)
+- **email** - Sending email from plugin or automated error notifications emailOnError. For emailOnError only the first error will be sent until sendInterval have passed. Supporting both SMTP Auth and modern REST OAuth. For OAuth, currently Microsoft Exchange Online (ExO) and Google Workspace Gmail are supported - see configuration notes
 - **email.auth** - Authentication configuration
-- **email.auth.type** - `basic` or `oauth`
-- **email.auth.options** - Authentication configuration options - note, different options for type basic and oauth
-- **email.auth.options.username (basic)** - Mail account for authentication normally same as sender of the email, e.g. "user@gmail.com"
-- **email.auth.options.password (basic)** - Mail account password
-- **email.auth.options.tenantIdGUID (oauth)** - Entra ID tenant id, mandatory/recommended when using Microsoft Exchange Online
-- **email.auth.options.tokenUrl (oauth)** - Token endpoint, mandatory when not using tenantIdGUID (Microsoft Exchange Online)
-- **email.auth.options.clientId (oauth)** - Client ID
-- **email.auth.options.clientSecret (oauth)** - Client Secret
+- **email.auth.type** - `oauth` or `smtp`
+- **email.auth.options** - Authentication options - note, different options for type oauth and smtp
+- **email.auth.options.tenantIdGUID (oauth/ExO)** - Entra ID tenant id, mandatory/recommended when using Microsoft Exchange Online
+- **email.auth.options.clientId (oauth/ExO)** - Client ID
+- **email.auth.options.clientSecret (oauth/ExO)** - Client Secret
+- **email.auth.options.serviceAccountKeyFile (oauth/Gmail)** - Google Service Account key json-file name located in the `package-root>\config\certs` directory unless absolute path being defined
+- **email.auth.options.host (smtp)** - Mailserver e.g. "smtp.gmail.com" - mandatory for smtp
+- **email.auth.options.port (smtp)** - Port used by mailserver e.g. 587, 25 or 465 - mandatory for smtp
+- **email.auth.options.username (smtp)** - Mail account for authentication normally same as sender of the email, e.g. "user@gmail.com"
+- **email.auth.options.password (smtp)** - Mail account password
 - **email.proxy** - Proxy configuration if using mailproxy
 - **email.proxy.host** - Proxy host e.g. `http://proxy-host:1234`
 - **email.proxy.username** - username if authentication is required
@@ -455,29 +456,14 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 - **email.emailOnError** - Contains configuration for sending error notifications by email. Note, only the first error will be sent until sendInterval have passed
 - **email.emailOnError.enabled** - true or false, value set to true will enable email notifications
 - **email.emailOnError.sendInterval** - Default 15. Mail notifications on error are deferred until sendInterval **minutes** have passed since the last notification.
-- **email.emailOnError.from** - Sender email addresses e.g: "noreply@example.com", note must correspond with email.auth.options being used and mailserver configuration
+- **email.emailOnError.from** - Sender email addresses e.g: "noreply@example.com". **Mandatory for oauth**. For smtp email.auth.options.username will be used
 - **email.emailOnError.to** - Comma separated list of recipients email addresses e.g: "someone@example.com"
 - **email.emailOnError.cc** - Optional comma separated list of cc mail addresses
 - **email.emailOnError.subject** - Optional mail subject, default `SCIM Gateway error message`
 
-	Configuration notes when using default configuration oauth and tenantIdGUID - Microsoft Exchange Online (ExO):
-
-	- Entra ID application must have application permissions `Mail.Send`  
-	- To prevent the sending of emails from any defined mailboxes, an ExO `ApplicationAccessPolicy` must be defined through PowerShell.  
-	
-		First create a mail-enabled security-group that only includes those users (mailboxes) the application is allowed to send from  
-		Note, `mail enabled security group` cannot be created from portal, only from admin or admin.exchange console
-		  
-			##Connect to Exchange
-			Install-Module -Name ExchangeOnlineManagement
-			Connect-ExchangeOnline
-			 
-			##Create ApplicationAccessPolicy
-			New-ApplicationAccessPolicy -AppId <AppClientID> -PolicyScopeGroupId <MailEnabledSecurityGrpId> -AccessRight RestrictAccess -Description "Restrict app to specific mailboxes"
-
 - **stream** - See [SCIM Stream](https://elshaug.xyz/docs/scim-stream) for configuration details
 
-- **endpoint** - Contains endpoint specific configuration according to our **plugin code**. 
+- **endpoint** - Contains endpoint specific configuration according to customized **plugin code**. 
 
 #### Configuration notes
 
@@ -536,6 +522,45 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 		}  
 
 
+- Email, using Microsoft Exchange Online (ExO)
+
+	- Entra ID application must have application permissions `Mail.Send`  
+	- To prevent the sending of emails from any defined mailboxes, an ExO `ApplicationAccessPolicy` must be defined through PowerShell.  
+	
+		First create a mail-enabled security-group that only includes those users (mailboxes) the application is allowed to send from  
+		Note, `mail enabled security group` cannot be created from portal, only from admin or admin.exchange console
+		  
+			##Connect to Exchange
+			Install-Module -Name ExchangeOnlineManagement
+			Connect-ExchangeOnline
+			 
+			##Create ApplicationAccessPolicy
+			New-ApplicationAccessPolicy -AppId <AppClientID> -PolicyScopeGroupId <MailEnabledSecurityGrpId> -AccessRight RestrictAccess -Description "Restrict app to specific mailboxes"
+
+- Email, using Google Workspace Gmail
+
+	- https://console.cloud.google.com
+		- IAM & Admin > Service Accounts > Create Service Account
+			- Name=email-sender  
+			- Create and Continue
+			- Grant this service account access to project - not needed
+			- Grant users access to this service - not needed  
+		- IAM & Admin > Service Accounts > "email-sender" account > Keys    
+			- Add Key > Create new key > JSON
+			- download json Service Account Key file, refere to configuration `email.auth.options.serviceAccountKeyFile`
+
+	- https://admin.google.com
+		- Security > Access and data control > API controls
+			- Manage Domain Wide Delegation > Add new
+			- Client ID = id of service account created
+			- OAuth scope = `https://www.googleapis.com/auth/gmail.send`  
+	 
+	- https://admin.google.com
+		- Billing > Subscriptions - verify Google Workspace license
+		- Directory > Users > "user"
+		- Licenses > Edit > enable Google Workspace license  
+		`email.emailOnError.from` mail address must have Google Workspace license
+
 
 ## Manual startup    
 
@@ -984,17 +1009,17 @@ For JavaScript coding editor you may use [Visual Studio Code](https://code.visua
 
 Preparation:
 
-* Copy "best matching" example plugin e.g. `lib\plugin-mssql.ts` and `config\plugin-mssql.json` and rename both copies to your plugin name prefix e.g. plugin-mine.ts and plugin-mine.json (for SOAP Webservice endpoint we might use plugin-soap as a template) 
+* Copy "best matching" example plugin e.g. `lib\plugin-mssql.ts` and `config\plugin-mssql.json` and rename both copies to your plugin name prefix e.g. plugin-mine.ts and plugin-mine.json 
 * Edit plugin-mine.json and define a unique port number for the gateway setting  
 * Edit index.ts and include your plugin in the startup e.g. `const plugins = ['mine']');`  
-* Start SCIM Gateway and verify. If using CA Provisioning you could setup a SCIM endpoint using the port number you defined  
+* Start SCIM Gateway and verify using using your own SCIM API requests or your IdP/IGA system.  
 
 Now we are ready for custom coding by editing plugin-mine.ts
-Coding should be done step by step and each step should be verified and tested before starting the next (they are all highlighted by comments in existing code).  
+Coding should be done step by step and each step should be verified and tested before starting the next 
 
-1. **Turn off group functionality** - getGroups to return empty response  
+1. **Turn off group functionality** - getGroups to return empty response (gateway automatically use getGroups for some of the methods if groups not included)  
 Please see plugin-saphana that do not use groups.
-2. **getUsers** (test provisioning retrieve accounts)
+2. **getUsers** (test provisioning retrieve all accounts and single account)
 4. **createUser** (test provisioning new account)
 5. **deleteUser** (test provisioning delete account)
 6. **modifyUser** (test provisioning modify account)
@@ -1111,6 +1136,21 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 ## Change log  
 
+### v5.0.15
+
+[Improved]
+
+- HelperRest, auth.type=oauthSamlAssertion and auth.type=oauthJwtAssertion have been updated to `oauthSamlBearer` and `oauthJwtBearer` for consistency
+
+### v5.0.14
+
+[Improved]
+
+- email now supports Google Workspace Gmail using REST OAuth
+- email workaround for ExO national characters introduced in v5.0.7 not needed anymore - ExO/GraphApi seems to have been fixed
+- some minor cosmetics on email message layout formatting when using plain text message
+- HelperRest now includes authentication type `oauthJwtAssertion`
+
 ### v5.0.13
 
 [Improved]  

package/lib/helper-rest.ts

@@ -2,6 +2,7 @@ import { HttpsProxyAgent } from 'https-proxy-agent'
 import { URL } from 'url'
 import { Buffer } from 'node:buffer'
 import { samlAssertion } from './samlAssertion.ts' // prereq: saml
+import { sign as jwtSign } from 'jsonwebtoken'
 import fs from 'node:fs'
 import querystring from 'querystring'
 import * as utils from './utils.ts'
@@ -16,6 +17,7 @@ export class HelperRest {
   private scimgateway: any
   private idleTimeout: number
   private graphUrl = 'https://graph.microsoft.com/beta' // beta instead of 'v1.0' gives all user attributes when no $select
+  private googleUrl = 'https://www.googleapis.com'
 
   constructor(scimgateway: any, optionalEntities?: Record<string, any>) {
     if (!scimgateway || !scimgateway.gwName) throw new Error('HelperRest initialization error: argument scimgateway is not of type ScimGateway')
@@ -33,6 +35,11 @@ export class HelperRest {
           if (this.config_entity[baseEntity]?.connection?.auth?.type === 'oauth') {
             this.config_entity[baseEntity].connection.baseUrls = [this.graphUrl]
           }
+        } else if (this.config_entity[baseEntity]?.connection?.auth?.options?.serviceAccountKeyFile) { // Google, setting baseUrls to googleapis
+          const type = this.config_entity[baseEntity]?.connection?.auth?.type
+          if (type === 'oauthJwtBearer' || type === 'oauth') { // includes oauth because of email.auth.type
+            this.config_entity[baseEntity].connection.baseUrls = [this.googleUrl]
+          }
         }
         connectionFound = true
       }
@@ -92,7 +99,7 @@ export class HelperRest {
         }
         break
 
-      case 'oauthSamlAssertion':
+      case 'oauthSamlBearer':
         tokenUrl = this.config_entity[baseEntity].connection.auth.options.tokenUrl
         const context = null
         const cert = fs.readFileSync(this.config_entity[baseEntity].connection.auth.options.certificate.cert).toString()
@@ -107,13 +114,57 @@ export class HelperRest {
         const audience = `scimgateway/${this.scimgateway.pluginName}`
         const delay = 1
 
-        const assertion = await samlAssertion.run(context, cert, key, issuer, lifetime, clientId, nameId, userIdentifierFormat, tokenEndpoint, audience, delay)
         form = {
           token_url: tokenUrl,
           grant_type: 'urn:ietf:params:oauth:grant-type:saml2-bearer',
           client_id: clientId,
           company_id: this.config_entity[baseEntity].connection.auth.options.companyId,
-          assertion: assertion,
+          assertion: await samlAssertion.run(context, cert, key, issuer, lifetime, clientId, nameId, userIdentifierFormat, tokenEndpoint, audience, delay),
+        }
+        break
+
+      case 'oauthJwtBearer':
+        let privateKey = ''
+        let jwtAttr: Record<string, any> = {}
+        const serviceAccountKeyFile = this.config_entity[baseEntity]?.connection?.auth?.options?.serviceAccountKeyFile
+
+        if (serviceAccountKeyFile) { // Google Service Account key json-file
+          const gkey: Record<string, any> = await (async () => {
+            try {
+              const jsonObject = await import(serviceAccountKeyFile, { assert: { type: 'json' } })
+              return jsonObject.default // access the object via the `default` property
+            } catch (err: any) {
+              throw new Error(`auth type '${this.config_entity[baseEntity]?.connection?.auth?.type}' - serviceAccountKeyFile error: ${err.message}`)
+            }
+          })()
+
+          tokenUrl = gkey.token_uri // https://oauth2.googleapis.com/token
+          privateKey = gkey.private_key
+          jwtAttr = {
+            scope: this.config_entity[baseEntity]?.connection?.auth?.options?.scope, // https://www.googleapis.com/auth/gmail.send
+            sub: this.config_entity[baseEntity]?.connection?.auth?.options?.subject, // firstname.lastname@mycompany.com
+            iss: gkey.client_email, // service account email/user
+            aud: gkey.token_uri,
+            iat: Math.floor(Date.now() / 1000), // issued at
+            exp: Math.floor(Date.now() / 1000) + (60 * 60), // expiration time
+          }
+        } else { // standard JWT requires all configuation set
+          tokenUrl = this.config_entity[baseEntity]?.connection?.auth?.options?.tokenUrl
+          const privateKeyFile = this.config_entity[baseEntity]?.connection?.auth?.options?.certificate?.key
+          if (privateKeyFile) privateKey = fs.readFileSync(privateKeyFile).toString()
+          jwtAttr = {
+            scope: this.config_entity[baseEntity]?.connection?.auth?.options?.scope,
+            sub: this.config_entity[baseEntity]?.connection?.auth?.options?.subject,
+            iss: this.config_entity[baseEntity]?.connection?.auth?.options?.issuer,
+            aud: this.config_entity[baseEntity]?.connection?.auth?.options?.audience,
+            iat: Math.floor(Date.now() / 1000),
+            exp: Math.floor(Date.now() / 1000) + (60 * 60),
+          }
+        }
+
+        form = {
+          grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
+          assertion: jwtSign(jwtAttr, privateKey, { algorithm: 'RS256' }),
         }
         break
 
@@ -232,19 +283,28 @@ export class HelperRest {
           },
         }
 
-        // Supporting  no auth, header based auth (e.g., config {"options":{"headers":{"APIkey":"123"}}}),
-        // basicAuth, bearerAuth, oauth, tokenAuth, oauthSamlAssertion and auth PassTrough using request header authorization
+        // Support  no auth, header based auth (e.g., config {"options":{"headers":{"APIkey":"123"}}}),
+        // basicAuth, bearerAuth, oauth, tokenAuth, oauthSamlBearer, oauthJwtBearer and auth PassTrough using request header authorization
+
+        let orgConnection: any
+        if (opt?.connection) { // allow overriding/extending configuration connection by caller argument opt.connection
+          let org = this.config_entity[baseEntity]?.connection
+          orgConnection = utils.copyObj(org)
+          if (!org) org = {}
+          org = utils.extendObj(org, opt.connection)
+        }
+
         switch (this.config_entity[baseEntity]?.connection?.auth?.type) {
           case 'basic':
             if (!this.config_entity[baseEntity]?.connection?.auth?.options?.username || !this.config_entity[baseEntity]?.connection?.auth?.options?.password) {
-              const err = new Error(`auth type 'basic' - missing configuration entity.${baseEntity}.connection.auth.options.username/password`)
+              const err = new Error(`auth.type 'basic' - missing configuration entity.${baseEntity}.connection.auth.options.username/password`)
               throw err
             }
             param.options.headers['Authorization'] = 'Basic ' + Buffer.from(`${this.config_entity[baseEntity].connection.auth.options.username}:${this.config_entity[baseEntity].connection.auth.options.password}`).toString('base64')
             break
           case 'oauth':
             if (!this.config_entity[baseEntity]?.connection?.auth?.options?.clientId || !this.config_entity[baseEntity]?.connection?.auth?.options?.clientSecret) {
-              const err = new Error(`auth type 'oauth' - missing configuration entity.${baseEntity}.connection.auth.options.clientId/clientSecret`)
+              const err = new Error(`auth.type 'oauth' - missing configuration entity.${baseEntity}.connection.auth.options.clientId/clientSecret`)
               throw err
             }
             param.accessToken = await this.getAccessToken(baseEntity, ctx)
@@ -265,19 +325,45 @@ export class HelperRest {
             }
             param.options.headers['Authorization'] = 'Bearer ' + Buffer.from(this.config_entity[baseEntity].connection.auth.options.token).toString('base64')
             break
-          case 'oauthSamlAssertion':
+          case 'oauthSamlBearer':
             if (!this.config_entity[baseEntity]?.connection?.auth?.options?.clientId || !this.config_entity[baseEntity]?.connection?.auth?.options?.companyId
               || !this.config_entity[baseEntity]?.connection?.auth?.options?.certificate?.key) {
-              const err = new Error(`auth type 'oauthSamlAssertion' - missing configuration entity.${baseEntity}.connection.auth.options...`)
+              const err = new Error(`auth.type 'oauthSamlBearer' - missing configuration entity.${baseEntity}.connection.auth.options...`)
+              throw err
+            }
+            param.accessToken = await this.getAccessToken(baseEntity, ctx)
+            param.options.headers['Authorization'] = `Bearer ${param.accessToken.access_token}`
+            break
+          case 'oauthJwtBearer':
+            if (this.config_entity[baseEntity]?.connection?.auth?.options?.serviceAccountKeyFile) { // Google Service Account
+              if (!this.config_entity[baseEntity]?.connection?.auth?.options?.scope || !this.config_entity[baseEntity]?.connection?.auth?.options?.subject) {
+                const err = new Error(`auth.type 'oauthJwtBearer' - using auth.options 'serviceAccountKeyFile' also requires mandatory configuration entity.${baseEntity}.connection.auth.options.scope/subject`)
+                throw err
+              }
+            } else if (!this.config_entity[baseEntity]?.connection?.auth?.options?.tokenUrl
+              || !this.config_entity[baseEntity]?.connection?.auth?.options?.scope
+              || !this.config_entity[baseEntity]?.connection?.auth?.options?.subject
+              || !this.config_entity[baseEntity]?.connection?.auth?.options?.issuer
+              || !this.config_entity[baseEntity]?.connection?.auth?.options?.audience
+              || !this.config_entity[baseEntity]?.connection?.auth?.options?.certificate?.key
+            ) {
+              const err = new Error(`auth.type 'oauthJwtBearer' - when not using auth.options 'serviceAccountKeyFile' which is related to Google, following auth.options is mandatory: tokenUrl, scope, subject, issuer, audience, certificate.key`)
               throw err
             }
+
             param.accessToken = await this.getAccessToken(baseEntity, ctx)
             param.options.headers['Authorization'] = `Bearer ${param.accessToken.access_token}`
             break
+
           default:
             // no auth or PassTrough
         }
 
+        if (orgConnection) {
+          this.config_entity[baseEntity].connection = orgConnection // reset back to original
+          if (opt?.connection) delete opt.connection
+        }
+
         // proxy
         if (this.config_entity[baseEntity]?.connection?.proxy?.host) {
           const agent = new HttpsProxyAgent(this.config_entity[baseEntity].connection.proxy.host)
@@ -334,7 +420,10 @@ export class HelperRest {
       // adding none static
       cli.options.method = method
       cli.options.path = `${urlObj.pathname}${urlObj.search}`
-      if (opt) cli.options = utils.extendObj(cli.options, opt) // merge with argument options
+      if (opt) {
+        if (opt?.connection) delete opt.connection // only used for internal connection options
+        cli.options = utils.extendObj(cli.options, opt) // merge with argument options
+      }
 
       return cli // final client
     }
@@ -564,7 +653,7 @@ export class HelperRest {
   * ```
   * type defines authentication being used  
   * if type not defined, no authentication used  
-  * valid type is: `basic`, `oauth`, `token`, `bearer` or `oauthSamlAssertion`  
+  * valid type is: `basic`, `oauth`, `token`, `bearer` or `oauthSamlBearer`  
   * 
   * for each valid type there are different auth.options  
   * 
@@ -582,9 +671,9 @@ export class HelperRest {
   * ```
   * {
   *   "options": {
-  *     "tenantIdGUID": "<Entra ID tenantIdGUID", // simplified configuration for using Microsoft Graph API
-  *     "tokenUrl": "<tokenUrl>", // not used when tenantIdGUID defined
-  *     "clientId": "<clientId",
+  *     "tenantIdGUID": "<Entra ID tenantIdGUID", // Microsoft Graph API - baseUrls automatically set to [https://graph.microsoft.com/beta]
+  *     "tokenUrl": "<tokenUrl>", // not used when tenantIdGUID defined - baseUrls required
+  *     "clientId": "<clientId>",
   *     "clientSecret": "<clientSecret>"
   *   }
   * }
@@ -610,7 +699,7 @@ export class HelperRest {
   * }
   * ```
   * 
-  * type=**"oauthSamlAssertion"** having auth.options:
+  * type=**"oauthSamlBearer"** having auth.options:
   * ```
   * {
   *   "options": {
@@ -626,6 +715,32 @@ export class HelperRest {
   * }
   * ```
   * 
+  * type=**"oauthJwtBearer"** having auth.options:
+  * ```
+  * // Google API - baseUrls automatically set to [https://www.googleapis.com]
+  * {
+  *   "options": {
+  *     "serviceAccountKeyFile": "<Google Service Account key file name>", // located in ./config/certs
+  *     "scope": "<jwt-scope>"
+  *     "subject": "<jwt-subject>
+  *   }
+  * }
+  * 
+  * // General JWT API - baseUrls required
+  * {
+  *   "options": {
+  *     "tokenUrl":  "<tokenUrl",
+  *     "scope": "<jwt-scope>",
+  *     "subject": "<jwt-subject>",
+  *     "issuer": "<jwt-issuer>",
+  *     "audience": "<jwt-audience>",
+  *     "certificate": {
+  *       "key": "<signing-key-file-name>"
+  *      }
+  *   }
+  * }
+  * ```
+  * 
   * **connection.options** can be set according to web-standard fetch client options  
   * examples:  
   * ```

package/lib/logger.ts

@@ -49,7 +49,7 @@ export class Log {
     )
   }
 
-  private maskSecret = winston.format((info) => {
+  private maskSecret = winston.format((info: any) => {
     // mask json secrets
     let rePattern = new RegExp(this.reJson, 'i')
     let msg: string = info.message

package/lib/scimgateway.ts

@@ -408,41 +408,43 @@ export class ScimGateway {
     if (!this.config.scimgateway.email.auth) this.config.scimgateway.email.auth = {}
     if (!this.config.scimgateway.email.auth.options) this.config.scimgateway.email.auth.options = {}
     if (!this.config.scimgateway.email.emailOnError) this.config.scimgateway.email.emailOnError = {}
+    if (!this.config.scimgateway.email.emailOnError) this.config.scimgateway.email.proxy = {}
 
     if (!this.config.scimgateway.stream) this.config.scimgateway.stream = {}
     if (!this.config.scimgateway.stream.subscriber) this.config.scimgateway.stream.subscriber = {}
     if (!this.config.scimgateway.stream.publisher) this.config.scimgateway.stream.publisher = {}
 
     // start - legacy support
-    if (!this.config.scimgateway.emailOnError) this.config.scimgateway.emailOnError = {}
-    if (!this.config.scimgateway.emailOnError.smtp) this.config.scimgateway.emailOnError.smtp = {}
-    if (this.config.scimgateway.emailOnError.smtp.host) {
-      this.config.scimgateway.email.host = this.config.scimgateway.emailOnError.smtp.host
+    if (this.config.scimgateway?.emailOnError?.smtp?.host) {
+      this.config.scimgateway.email.auth.options.host = this.config.scimgateway.emailOnError.smtp.host
     }
-    if (this.config.scimgateway.emailOnError.smtp.port) {
-      this.config.scimgateway.email.port = this.config.scimgateway.emailOnError.smtp.port
+    if (this.config.scimgateway?.emailOnError?.smtp?.port) {
+      this.config.scimgateway.email.auth.options.port = this.config.scimgateway.emailOnError.smtp.port
     }
-    if (this.config.scimgateway.emailOnError.smtp.proxy) {
+    if (this.config.scimgateway?.emailOnError?.smtp?.proxy) {
       this.config.scimgateway.email.proxy = this.config.scimgateway.emailOnError.smtp.proxy
     }
-    if (this.config.scimgateway.emailOnError.smtp.username) {
+    if (this.config.scimgateway?.emailOnError?.smtp?.username) {
       this.config.scimgateway.email.emailOnError.from = this.config.scimgateway.emailOnError.smtp.username
       this.config.scimgateway.email.auth.options.username = this.config.scimgateway.emailOnError.smtp.username
     }
-    if (this.config.scimgateway.emailOnError.smtp.password) {
+    if (this.config.scimgateway?.emailOnError?.smtp?.password) {
       this.config.scimgateway.email.auth.options.password = this.config.scimgateway.emailOnError.smtp.password
-      this.config.scimgateway.email.auth.type = 'basic'
+      this.config.scimgateway.email.auth.type = 'smtp'
     }
-    if (this.config.scimgateway.emailOnError.smtp.enabled) {
+    if (this.config.scimgateway?.emailOnError?.smtp?.enabled) {
       this.config.scimgateway.email.emailOnError.enabled = this.config.scimgateway.emailOnError.smtp.enabled
     }
-    if (this.config.scimgateway.emailOnError.smtp.sendInterval) {
+    if (this.config.scimgateway?.emailOnError?.smtp?.sendInterval) {
       this.config.scimgateway.email.emailOnError.sendInterval = this.config.scimgateway.emailOnError.smtp.sendInterval
     }
-    if (this.config.scimgateway.emailOnError.smtp.to) {
+    if (this.config.scimgateway?.emailOnError?.smtp?.subject) {
+      this.config.scimgateway.email.emailOnError.subject = this.config.scimgateway.emailOnError.smtp.subject
+    }
+    if (this.config.scimgateway?.emailOnError?.smtp?.to) {
       this.config.scimgateway.email.emailOnError.to = this.config.scimgateway.emailOnError.smtp.to
     }
-    if (this.config.scimgateway.emailOnError.smtp.cc) {
+    if (this.config.scimgateway?.emailOnError?.smtp?.cc) {
       this.config.scimgateway.email.emailOnError.cc = this.config.scimgateway.emailOnError.smtp.cc
     }
     // end - legacy support
@@ -2657,12 +2659,8 @@ export class ScimGateway {
       setTimeout(function () { // release lock after "sendInterval" minutes
         isMailLock = false
       }, (this.config.scimgateway.email.emailOnError.sendInterval || 15) * 1000 * 60)
-      const msgHtml = `<html><body> 
-        <p>${msg}</p> 
-        <br> 
-        <p><strong>This is an automatically generated email - please do NOT reply to this email or forward to others</strong></p> 
-        </body></html>`
 
+      const msgHtml = `<html><body><pre style="font-family: monospace; white-space: pre-wrap;">${msg}</pre><br/><p><strong>This is an automatically generated email - please do NOT reply to this email or forward to others</strong></p></body></html>`
       const msgObj = {
         from: this.config.scimgateway.email.emailOnError.from,
         to: this.config.scimgateway.email.emailOnError.to,
@@ -2947,33 +2945,27 @@ export class ScimGateway {
       logger.error(`${gwName}[${pluginName}] sendMail failed: missing or invalid msgObj argument`)
       return
     }
+    if (!isHtml) {
+      isHtml = true
+      msgObj.content = `<html><body><pre style="font-family: monospace; white-space: pre-wrap;">${msgObj.content}</pre></body></html>`
+    }
+    if (!msgObj.to) msgObj.to = ''
+    if (!msgObj.cc) msgObj.cc = ''
+    if (!msgObj.subject) msgObj.subject = 'SCIM Gateway message'
 
     if (authType === 'oauth') {
       if (!this.helperRest) this.helperRest = new HelperRest(this, { entity: { undefined: { connection: this.config.scimgateway.email } } })
       if (this.config.scimgateway.email.auth?.options?.tenantIdGUID) {
-        // Graph API
-        let content: string
-        if (isHtml) { // ExO workaround for national special caracters in html content - require singleValueExtendedProperties being used
-          var enc = new TextEncoder() // utf-8
-          const buf = enc.encode(msgObj.content)
-          content = new TextDecoder('windows-1252').decode(buf)
-        } else content = msgObj.content
-
+        // Microsoft Exchange Online (ExO) - using Graph API
         const emailMessage: Record<string, any> = {
           message: {
-            subject: msgObj.subject ? msgObj.subject : 'SCIM Gateway message',
+            subject: msgObj.subject,
             body: {
-              content,
+              content: msgObj.content,
               contentType: isHtml ? 'HTML' : 'Text',
             },
             toRecipients: [],
             ccRecipients: [],
-            singleValueExtendedProperties: [ // force using ExO header: Content-Type: text/plain; charset="utf-8"
-              {
-                id: 'Integer 0x3fde', // Content-Type header - can be verifed by checking raw mail
-                value: '65001', // text/plain; charset="utf-8"
-              },
-            ],
           },
           saveToSentItems: 'false',
         }
@@ -2983,7 +2975,7 @@ export class ScimGateway {
           for (let i = 0; i < arr.length; i++) {
             emailMessage.message.toRecipients.push({
               emailAddress: {
-                address: arr[i],
+                address: arr[i].trim(),
               },
             })
           }
@@ -2993,7 +2985,7 @@ export class ScimGateway {
           for (let i = 0; i < arr.length; i++) {
             emailMessage.message.ccRecipients.push({
               emailAddress: {
-                address: arr[i],
+                address: arr[i].trim(),
               },
             })
           }
@@ -3004,34 +2996,59 @@ export class ScimGateway {
         const path = `/users/${msgObj.from}/sendMail`
         try {
           await this.helperRest.doRequest('undefined', 'POST', path, emailMessage)
-          logger.debug(`${gwName}[${pluginName}] sendMail subject '${emailMessage.message.subject}' sent to: ${msgObj.to}${(msgObj.cc) ? ',' + msgObj.cc : ''}`)
+          logger.debug(`${gwName}[${pluginName}] sendMail subject '${msgObj.subject}' sent to: ${msgObj.to}${(msgObj.cc) ? ',' + msgObj.cc : ''}`)
+        } catch (err: any) {
+          logger.error(`${gwName}[${pluginName}] sendMail subject '${msgObj.subject}' sending failed: ${err.message}`)
+        }
+        return
+      } else if (this.config.scimgateway.email.auth?.options?.serviceAccountKeyFile) {
+        // Google Workspace Gmail
+        let mimeMessage = `From: ${msgObj.from}
+To: ${msgObj.to}
+Cc: ${msgObj.cc}
+Subject: ${msgObj.subject}
+MIME-Version: 1.0
+Content-Type: text/html; charset="UTF-8"
+Content-Transfer-Encoding: quoted-printable
+
+`
+        mimeMessage += msgObj.content
+        const encodedMessage = btoa(mimeMessage)
+        const emailMessage = { raw: encodedMessage }
+        const path = `/gmail/v1/users/${msgObj.from}/messages/send`
+        try { // using opt connection argument type=oauthJwtBearer and options scope/subject because we want to keep simplified email.auth.type=oauth and options serviceAccountKeyFile
+          await this.helperRest.doRequest('undefined', 'POST', path, emailMessage, null, { connection: { auth: { type: 'oauthJwtBearer', options: { scope: 'https://www.googleapis.com/auth/gmail.send', subject: msgObj.from } } } })
+          logger.debug(`${gwName}[${pluginName}] sendMail subject '${msgObj.subject}' sent to: ${msgObj.to}${(msgObj.cc) ? ',' + msgObj.cc : ''}`)
         } catch (err: any) {
-          logger.error(`${gwName}[${pluginName}] sendMail subject '${emailMessage.message.subject}' sending failed: ${err.message}`)
+          logger.error(`${gwName}[${pluginName}] sendMail subject '${msgObj.subject}' sending failed: ${err.message}`)
         }
         return
       }
+      logger.error(`${gwName}[${pluginName}] sendMail error: type oauth supports only ExO (scimgateway.email.auth.options.tenantIdGUID) or Google Workspace Gmail (scimgateway.email.auth.options.serviceAccountKeyFile)`)
+      return
     }
 
-    // nodemailer
-    if (!this.config.scimgateway?.email?.host) {
-      logger.error(`${gwName}[${pluginName}] sendMail subject '${msgObj.subject}' sending failed: some missing scimgateway.email configuration`)
+    if (authType !== 'smtp') {
+      logger.error(`${gwName}[${pluginName}] sendMail error: configuration scimgateway.email.auth.type must be set to oauth or smtp`)
       return
     }
+
+    // nodemailer - SMTP Auth
     const smtpConfig: { [key: string]: any } = {
-      host: this.config.scimgateway.email.host, // e.g. smtp.office365.com
-      port: this.config.scimgateway.email.port || 587,
-      proxy: this.config.scimgateway.email.proxy || null,
-      secure: (this.config.scimgateway.email.port === 465), // false on 25/587
+      host: this.config.scimgateway?.email?.auth?.options?.host, // e.g. smtp.office365.com
+      port: this.config.scimgateway?.email?.auth?.options?.port || 587,
+      secure: (this.config.scimgateway?.email?.auth?.options?.port === 465), // false on 25/587
       tls: { ciphers: 'TLSv1.2' },
+      proxy: this.config.scimgateway?.email?.proxy,
     }
-    if (authType) {
-      smtpConfig.auth = {}
-      if (authType === 'basic') {
-        smtpConfig.auth.user = this.config.scimgateway.email.auth.options.username
-        smtpConfig.auth.pass = this.config.scimgateway.email.auth.options.password
-      } else if (authType === 'oauth') {
-        smtpConfig.auth.type = 'OAuth2'
-      }
+
+    smtpConfig.auth = {}
+    smtpConfig.auth.user = this.config.scimgateway?.email?.auth?.options?.username
+    smtpConfig.auth.pass = this.config.scimgateway?.email?.auth?.options?.password
+
+    if (!this.config.scimgateway?.email?.auth?.options?.host || !this.config.scimgateway?.email?.auth?.options?.username) {
+      logger.error(`${gwName}[${pluginName}] sendMail subject '${msgObj.subject}' sending error: missing scimgateway.email.options configuration for auth type smtp`)
+      return
     }
 
     const transporter = nodemailer.createTransport(smtpConfig)
@@ -3040,29 +3057,15 @@ export class ScimGateway {
       from: msgObj.from, // sender address
       to: msgObj.to, // list of receivers - comma separated
       cc: msgObj.cc,
-      subject: msgObj.subject ? msgObj.subject : 'SCIM Gateway message',
-    }
-
-    if (authType === 'oauth') {
-      mailOptions.auth = {}
-      mailOptions.auth.user = msgObj.from
-      transporter.set('oauth2_provision_cb', async (user, renew, callback) => {
-        const aObj = await this.helperRest.getAccessToken('undefined')
-        const accessToken = aObj ? aObj?.access_token : null
-        if (!accessToken) {
-          return callback(new Error('missing access token'))
-        } else {
-          return callback(null, accessToken)
-        }
-      })
+      subject: msgObj.subject,
     }
 
     if (isHtml) mailOptions.html = msgObj.content
     else mailOptions.text = msgObj.content
 
     transporter.sendMail(mailOptions, function (err) {
-      if (err != null) logger.error(`${gwName}[${pluginName}] sendMail subject '${mailOptions.subject}' sending failed: ${err.message}`)
-      else logger.debug(`${gwName}[${pluginName}] sendMail subject '${mailOptions.subject}' sent to: ${msgObj.to}${(msgObj.cc) ? ',' + msgObj.cc : ''}`)
+      if (err != null) logger.error(`${gwName}[${pluginName}] sendMail subject '${msgObj.subject}' sending failed: ${err.message}`)
+      else logger.debug(`${gwName}[${pluginName}] sendMail subject '${msgObj.subject}' sent to: ${msgObj.to}${(msgObj.cc) ? ',' + msgObj.cc : ''}`)
     })
   }
 
@@ -3116,6 +3119,12 @@ export class ScimGateway {
         dotConfig[key] = keyFile
         const addKey = key.replace(`.${lastKey}`, '.publicKeyContent')
         dotConfig[addKey] = fs.readFileSync(keyFile)
+      } else if (key.endsWith('.serviceAccountKeyFile')) { // Google Service Account Key json-file
+        let keyFile = path.join(this.configDir, '/certs/', dotConfig[key])
+        if (dotConfig[key].startsWith('/') || dotConfig[key].includes('\\')) {
+          keyFile = dotConfig[key]
+        }
+        dotConfig[key] = keyFile
       }
 
       // process env, file and text

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scimgateway",
-  "version": "5.0.13",
+  "version": "5.0.15",
   "type": "module",
   "description": "Using SCIM protocol as a gateway for user provisioning to other endpoints",
   "author": "Jarle Elshaug <jarle.elshaug@gmail.com> (https://elshaug.xyz)",