
ryangurnick

Gmail App Passwords/Username+Password is no longer an option

Hi

Google appears to have killed off username and password authentication.

What is the recommendation for how to use gmail accounts with the Laravel mailer?

https://support.google.com/mail/answer/7126229?authuser=1&visit_id=01742483783199-4152145739894335854&hl=en&rd=1

(see the header at the top of the linked page)

I do not see how we could use SSO but that is why I am asking.

0 likes
8 replies
LaryAI
Level 58

To use Gmail with Laravel's mailer now that Google has deprecated the use of username and password authentication, you should use OAuth 2.0 for authentication. Here's a step-by-step guide on how to set this up:

  1. Create a Google Cloud Project:

    • Go to the Google Cloud Console.
    • Create a new project.
    • Navigate to the "Credentials" section.
    • Click on "Create Credentials" and select "OAuth 2.0 Client IDs".
    • Configure the consent screen and set up the OAuth 2.0 client ID.
  2. Enable Gmail API:

    • In the Google Cloud Console, go to the "Library" section.
    • Search for "Gmail API" and enable it for your project.
  3. Set Up OAuth 2.0 Credentials:

    • Download the credentials.json file from the Google Cloud Console.
    • Store this file securely in your Laravel project.
  4. Install Required Packages:

    • Use a package like league/oauth2-google to handle OAuth 2.0 authentication.

    • Install it via Composer:

      composer require league/oauth2-google
      
  5. Configure Laravel to Use OAuth 2.0:

    • Update your .env file with the necessary configuration:

      MAIL_MAILER=smtp
      MAIL_HOST=smtp.gmail.com
      MAIL_PORT=587
      MAIL_ENCRYPTION=tls
      [email protected]
      MAIL_PASSWORD=your-oauth2-access-token
      
    • Note: You will need to generate an OAuth 2.0 access token and refresh token using the league/oauth2-google package.

  6. Generate Access and Refresh Tokens:

    • Use the following script to generate the tokens:

      <?php
      // Run this once (for example as a small page served at the redirect URI)
      // to obtain the long-lived refresh token; the access token itself expires
      // after roughly an hour.
      require __DIR__ . '/vendor/autoload.php';

      use League\OAuth2\Client\Provider\Google;

      session_start(); // the anti-CSRF state value below lives in the session

      $provider = new Google([
          'clientId'     => 'your-client-id',
          'clientSecret' => 'your-client-secret',
          'redirectUri'  => 'your-redirect-uri',
          'accessType'   => 'offline', // without this Google returns no refresh token
          'prompt'       => 'consent', // force re-consent so a refresh token is issued again
      ]);

      if (!isset($_GET['code'])) {
          // SMTP XOAUTH2 needs the full mail scope, not the default profile scopes
          $authUrl = $provider->getAuthorizationUrl([
              'scope' => ['https://mail.google.com/'],
          ]);
          $_SESSION['oauth2state'] = $provider->getState();
          header('Location: ' . $authUrl);
          exit;
      } elseif (empty($_GET['state']) || ($_GET['state'] !== $_SESSION['oauth2state'])) {
          // state mismatch: treat as a forged callback and abort
          unset($_SESSION['oauth2state']);
          exit('Invalid state');
      } else {
          $token = $provider->getAccessToken('authorization_code', [
              'code' => $_GET['code'],
          ]);

          echo 'Access Token: ' . $token->getToken();
          echo 'Refresh Token: ' . $token->getRefreshToken();
      }
      
    • Replace 'your-client-id', 'your-client-secret', and 'your-redirect-uri' with your actual credentials.

  7. Use the Access Token in Laravel:

    • Once you have the access token, use it in your .env file as shown above.
  8. Handle Token Refresh:

    • Implement logic to refresh the access token using the refresh token when it expires.

By following these steps, you can configure Laravel to send emails using Gmail with OAuth 2.0 authentication. This approach is more secure and aligns with Google's current authentication policies.
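Steps 5 through 8 above leave the reader with a short-lived access token pasted into .env and a vague "implement refresh logic". The following is an added example, not LaryAI's code and not part of Laravel or league/oauth2-google, of one way to do that: keep the refresh token in a file outside .env, refresh the access token on demand, and hand it to Laravel's SMTP transport as an XOAUTH2 credential at send time. It assumes Laravel 9 or later (Symfony Mailer), league/oauth2-google installed, a hypothetical token file at storage/app/gmail-oauth.json containing the access_token, refresh_token and expires values produced by the step 6 script, and GOOGLE_CLIENT_ID / GOOGLE_CLIENT_SECRET present in the environment. The class and provider names are invented for the example.

```php
<?php
// Added example (not from the thread, Laravel, or league/oauth2-google):
// refresh a Google OAuth 2.0 access token on demand and feed it to Laravel's
// SMTP transport via XOAUTH2, so .env never carries a short-lived token.
// Assumptions: the step-6 script saved its token to storage/app/gmail-oauth.json
// (hypothetical path) as {"access_token": "...", "refresh_token": "...", "expires": <unix ts>},
// and GOOGLE_CLIENT_ID / GOOGLE_CLIENT_SECRET are set in the environment.

namespace App\Mail;

use Illuminate\Support\Facades\Mail;
use Illuminate\Support\ServiceProvider;
use League\OAuth2\Client\Provider\Google;
use League\OAuth2\Client\Token\AccessToken;
use Symfony\Component\Mailer\Transport\Smtp\Auth\XOAuth2Authenticator;
use Symfony\Component\Mailer\Transport\Smtp\EsmtpTransport;

final class GmailOAuthTokenStore
{
    // Refresh this many seconds before expiry so a token never dies mid-session.
    private const REFRESH_MARGIN = 60;

    public function __construct(private Google $provider, private string $path) {}

    /** Return a currently valid access token, refreshing and persisting it if needed. */
    public function accessToken(): string
    {
        $token   = $this->load();
        $expires = $token->getExpires();

        if ($expires === null || $expires - self::REFRESH_MARGIN <= time()) {
            $refreshed = $this->provider->getAccessToken('refresh_token', [
                'refresh_token' => $token->getRefreshToken(),
            ]);
            // Google normally omits the refresh token from a refresh response; keep the old one.
            $token = new AccessToken([
                'access_token'  => $refreshed->getToken(),
                'expires'       => $refreshed->getExpires(),
                'refresh_token' => $refreshed->getRefreshToken() ?? $token->getRefreshToken(),
            ]);
            $this->save($token);
        }

        return $token->getToken();
    }

    private function load(): AccessToken
    {
        $json = @file_get_contents($this->path);
        if ($json === false) {
            throw new \RuntimeException("Token store {$this->path} is missing; run the authorization script first.");
        }
        return new AccessToken(json_decode($json, true, 512, JSON_THROW_ON_ERROR));
    }

    private function save(AccessToken $token): void
    {
        // jsonSerialize() emits access_token / refresh_token / expires, so the file
        // round-trips through the AccessToken constructor on the next load().
        file_put_contents($this->path, json_encode($token->jsonSerialize(), JSON_PRETTY_PRINT), LOCK_EX);
        chmod($this->path, 0600); // the refresh token is a long-lived credential: owner-only
    }
}

/** Register like any other provider (config/app.php or bootstrap/providers.php). */
final class GmailOAuthMailServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // A mailer entry in config/mail.php selects this transport:
        //   'gmail' => ['transport' => 'gmail-oauth', 'username' => env('MAIL_USERNAME')],
        Mail::extend('gmail-oauth', function (array $config): EsmtpTransport {
            $store = new GmailOAuthTokenStore(
                new Google([
                    'clientId'     => env('GOOGLE_CLIENT_ID'),
                    'clientSecret' => env('GOOGLE_CLIENT_SECRET'),
                ]),
                storage_path('app/gmail-oauth.json'),
            );

            // Port 587 with tls=false: EsmtpTransport upgrades the session with STARTTLS.
            $transport = new EsmtpTransport('smtp.gmail.com', 587, false);
            $transport->setUsername($config['username']);   // the mailbox address
            $transport->setPassword($store->accessToken()); // a fresh bearer token, fetched now
            $transport->setAuthenticators([new XOAuth2Authenticator()]); // no LOGIN/PLAIN fallback
            return $transport;
        });
    }
}
```

In a real application the two classes go in separate files so PSR-4 autoloading finds them, and the token file is better replaced by a database row or a secrets store; the refresh token is a standing credential for the mailbox, so treat it like a password. Laravel caches the resolved mailer per process, so a long-running queue worker keeps the transport, and its access token, across jobs; calling Mail::purge('gmail') (or restarting workers) forces the transport to be rebuilt with a refreshed token. For a Google Workspace tenant, passing 'hostedDomain' to the Google provider restricts the consent flow to accounts in that domain.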

ryangurnick

So I will somehow need to figure out how to update the .env file and recache it whenever the offline oauth2 token expires?

I look forward to any human responses...

ryangurnick

@JussiMannisto There is an additional setting required for google workspace accounts, I mentioned it below.

I realize now, that I forgot to mention I was using google workspaces....

Snapey

+1 for using a real mail service

1 like
ryangurnick

@Snapey agreed, but sometimes customer requirements make doing the right thing challenging.

martinbean

@ryangurnick The “recommendation” is to not use your personal Gmail account for sending application emails in the first place, and to use a dedicated service (such as Mailgun, SES, etc) for sending transactional emails.

1 like
ryangurnick
OP
Best Answer
Level 22

Funnily enough I am not using a personal gmail account. I am using a google workspace service account.

I personally am also not a fan of using gmail accounts to send transactional emails, however the customer I am working with is already paying for google workspaces and does not want to eat the costs of another service that in their eyes "sends emails".

Nonetheless, I contacted google workspace support and was informed the following. Hopefully it will be useful to others using google apps/workspaces to send emails.

If you are using a google workspace account the following setting needs to be enabled via the google admin console: Log in to your Admin Console or refresh the page if you are already logged in > Menu > Apps > Google Workspace > Gmail > End User Access > Look for "Allow per-user outbound gateways" > Turn on the "Allow users to send mail through an external SMTP server when configuring a "from" address hosted outside your email domain"

Then after turning that setting on, login to the account in question and verify that 2 step verification is turned on, and after that app specific passwords are possible to generate.

My personal recommendation is that if anyone is "required" to use google workspace accounts for this purpose, ensure that you are only enabling that admin console setting on a specific OU that only has the accounts you need app specific passwords from. That will at least mitigate the risk of those "insecure" passwords to specific accounts.

Again, I hate that I am being told to use google workspaces for transactional emails, but I understand that the cost of the dedicated email services is a bit to swallow (at least for non-technical folks) when they can send as many emails as they want from a non-commercial email "for free". ("for free" is relative because the services are definitely selling/licensing your data but still, perception...)
