Google Chat: Add user OAuth support for reactions and media uploads

[ndohuu]

Summary

The Google Chat channel currently only supports Service Account authentication (scope chat.bot). This limits functionality:

• ❌ Reactions — spaces.messages.reactions.create requires user-level OAuth scopes
• ❌ Media uploads — attachments:upload fails with service account auth
• ❌ Proactive DMs — cannot initiate DMs using email aliases (403: "Service account authentication doesn't support access to user information using email aliases")
• ✅ Text messages and links work fine
• ✅ Receiving messages via webhook works fine

Proposal

Add optional user OAuth flow alongside the existing Service Account auth for Google Chat.

Suggested approach

1. Add a userOAuth config section under channels.googlechat for user-level credentials (client ID, client secret, refresh token)
2. Use the user OAuth token for operations that require user-level scopes (reactions, attachments, proactive DMs)
3. Keep Service Account for webhook verification and bot-level operations (receiving messages, sending replies in existing spaces)
4. Fall back gracefully: if no user OAuth is configured, skip unsupported operations with a warning

Required scopes

• https://www.googleapis.com/auth/chat.messages.reactions.create
• https://www.googleapis.com/auth/chat.messages.reactions.readonly
• https://www.googleapis.com/auth/chat.messages (for attachments and proactive DMs)

Config sketch

{
  channels: {
    googlechat: {
      // existing service account config (keep as-is)
      serviceAccountFile: "/path/to/sa.json",
      
      // new: user OAuth for enhanced operations
      userOAuth: {
        clientId: "...",
        clientSecret: "...",
        refreshToken: "...",
      }
    }
  }
}

Context

• The code already has createGoogleChatReaction() and uploadGoogleChatAttachment() in extensions/googlechat/src/api.ts — they work structurally but fail at runtime due to insufficient scope
• typingIndicator: "reaction" also requires user OAuth (noted in monitor.ts line 697)
• Proactive DMs via findDirectMessage require user auth to resolve email aliases

Environment

• OpenClaw 2026.2.1
• Google Chat app configured via webhook + Service Account
• Tested with GCP project using Chat API v1

[montvid]

gog is already working with oauth and openclaw. Would be nice to have google chat working with oauth too.

[steipete]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Keep this issue open. Current main still has Google Chat wired for service-account credentials and the chat.bot scope only; there is no user OAuth config, refresh-token credential resolution, scoped OAuth client routing, or graceful fallback for reactions, attachment upload, or email-alias proactive DMs. The external Google Chat work mentioned in the timeline is useful prior art, but it is not shipped in this repository, and the later #73681 cross-reference tracks the opposite inbound-reaction gap rather than this outbound/user-auth work.

Best possible solution:

Keep the issue open. The bundled Google Chat plugin should add a strict, secret-aware user OAuth credential model, support refresh-token resolution via existing secret/config patterns, construct scoped user OAuth clients for reactions, attachment uploads, reaction typing, and proactive DM/email-alias lookup, keep service-account auth for webhook verification and bot-level sends, and document fallback behavior when user OAuth is absent.

What I checked:

• Issue context reviewed: Provided GitHub context shows author association NONE, only the enhancement label, a user comment asking for Google Chat OAuth parity, an external closed PR in mmackelprang/claude-code-channels as prior art, and an Apr 26 Codex review comment that also kept this issue open for missing Google Chat user OAuth support. (ef58307f843e)
• Bundled plugin advertises service-account env only: The Google Chat plugin manifest owns the bundled googlechat channel and declares only GOOGLE_CHAT_SERVICE_ACCOUNT and GOOGLE_CHAT_SERVICE_ACCOUNT_FILE; it has no user OAuth env/config marker. (extensions/googlechat/openclaw.plugin.json:7, ef58307f843e)
• Config type has no userOAuth model: GoogleChatAccountConfig exposes serviceAccount, serviceAccountRef, and serviceAccountFile, and its typing-indicator comment still says reaction mode requires user OAuth but is not supported with service-account auth. (src/config/types.googlechat.ts:66, ef58307f843e)
• Strict schema would reject the proposed config: GoogleChatAccountSchema includes service-account fields but no userOAuth, clientId, clientSecret, or refreshToken, then calls .strict(), so the config sketch from the issue is not accepted on current main. (src/config/zod-schema.providers-core.ts:807, ef58307f843e)
• Credential resolution is service-account only: Google Chat credential resolution parses inline service-account JSON, service-account SecretRefs, service-account files, and the service-account env fallbacks; the credential source union has no OAuth/refresh-token branch. (extensions/googlechat/src/accounts.ts:15, ef58307f843e)
• Auth remains fixed to chat.bot service-account flow: The Google Chat auth helper uses only https://www.googleapis.com/auth/chat.bot, builds GoogleAuth with that scope, and validates credentials as service_account, rejecting other credential types. (extensions/googlechat/src/auth.ts:11, ef58307f843e)

Likely related people:

• Chris Zhang chris@ChrisdeMac-mini.local: Local git blame, git log, and git shortlog attribute the relevant Google Chat auth/config/API/docs lines to this author in the available current-main history. The history appears compressed, so this is a routing signal rather than definitive original authorship. (role: current-main history owner; confidence: low; commits: 081e4be11e63; files: extensions/googlechat/src/auth.ts, extensions/googlechat/src/google-auth.runtime.ts, extensions/googlechat/src/accounts.ts)
• steipete: Peter Steinberger is the committer on the same current-main import commit that owns the relevant lines locally, authored the latest release tag commit in the provided context, and posted the prior maintainer-side Codex review comment keeping this issue open for the same missing OAuth work. (role: committer and recent maintainer reviewer; confidence: medium; commits: 081e4be11e63, be8c24633aaa; files: extensions/googlechat/src/auth.ts, extensions/googlechat/src/google-auth.runtime.ts, extensions/googlechat/src/accounts.ts)

Remaining risk / open question:

• Adding this feature will introduce secret-bearing OAuth refresh-token config, so schema, redaction, SecretRef resolution, token refresh, and SSRF-guarded Google auth transport need to be handled deliberately.
• Current Google Chat message actions can advertise upload-file and reaction actions whenever service-account credentials exist, so users may continue seeing Google API 403s until OAuth-aware routing or explicit fallback warnings are implemented.
• The related open googlechat: REACTION_ADDED / REACTION_REMOVED webhook events are silently dropped #73681 issue covers inbound reaction events only; it should not be treated as a substitute for outbound user OAuth support.

Codex review notes: model gpt-5.5, reasoning high; reviewed against ef58307f843e.

[Morphious12345]

1000000% agree this should remain open, Google Chat with Openclaw channel is essentially useless at this point.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed June 11, 2026, 10:07 AM ET / 14:07 UTC.

Summary
Current main and v2026.6.5 still expose only service-account Google Chat credentials and a single chat.bot token path, while Google’s current API contract requires user authentication for reaction creation and media upload and only permits email aliases for direct-message lookup under user authentication. No viable OpenClaw PR or merged change now owns this work, so the issue remains necessary but needs maintainer product and security decisions before implementation.

Reproducibility: yes. at source level. Current main and v2026.6.5 accept only service-account credentials and construct chat.bot tokens, which cannot satisfy Google’s documented user-auth-only reaction and upload methods; no live credentials were used in this read-only review.

Next step
Maintainers must approve the delegated credential model, minimum scopes, sender attribution, consent flow, and fallback semantics before implementation can be safely assigned.

Review details

Best possible solution:

Add a plugin-owned, SecretRef-aware delegated OAuth credential model with minimum per-operation scopes and explicit identity routing, retain service-account auth for inbound verification and supported bot operations, and document deterministic skip/warning behavior when user authorization is absent.

Do we have a high-confidence way to reproduce the issue?

Yes at source level. Current main and v2026.6.5 accept only service-account credentials and construct chat.bot tokens, which cannot satisfy Google’s documented user-auth-only reaction and upload methods; no live credentials were used in this read-only review.

Is this the best way to solve the issue?

No, the issue’s raw clientSecret and refreshToken config sketch is not yet the best complete solution. The maintainable direction is plugin-local dual authentication with SecretRefs, minimum operation-specific scopes, explicit sender identity, and deterministic fallback policy approved before implementation.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• A delegated OAuth implementation would add long-lived client and refresh-token secrets, sensitive scopes, consent-screen obligations, and token-refresh behavior that need explicit security ownership.
• Choosing user authentication changes the acting identity: reactions, uploads, and direct messages can be attributed to and limited by the authorized user rather than the Chat app.
• A broad automatic fallback between user and app credentials could hide authorization failures or send through the wrong identity; the supported operations and warnings need a closed routing contract.

Codex review notes: model internal, reasoning high; reviewed against 777f7409d814.

Label changes

Label changes:

• remove clawsweeper:needs-security-review: Current issue advisory state no longer selects this label.

Label justifications:

• P2: The gap blocks several valuable Google Chat operations but is limited to one bundled channel and does not make the core runtime unusable.
• impact:security: The requested capability introduces delegated user credentials, sensitive scopes, consent, and long-lived refresh-token handling.
• impact:message-loss: Media uploads and proactive direct messages can fail instead of delivering the requested content or notification.
• impact:auth-provider: The central work is credential resolution and routing between service-account and scoped user OAuth identities.

Evidence reviewed

What I checked:

• Current authentication path: The Google Chat plugin defines only the chat.bot scope and constructs every outbound access token through one service-account-oriented GoogleAuth instance. (extensions/googlechat/src/auth.ts:12, 777f7409d814)
• Current credential model: Google Chat account configuration exposes inline, SecretRef, and file forms for service-account credentials, but no client ID, client secret, refresh token, or delegated user credential branch. (src/config/types.googlechat.ts:73, 777f7409d814)
• Known fallback behavior: The config contract explicitly documents that reaction typing requires user OAuth and currently falls back because service-account authentication does not support it. (src/config/types.googlechat.ts:112, 777f7409d814)
• Plugin metadata: The bundled plugin advertises only service-account environment variables, confirming there is no discoverable user OAuth setup surface. (extensions/googlechat/openclaw.plugin.json:9, 777f7409d814)
• Latest shipped behavior: The v2026.6.5 tree has no Google Chat userOAuth or refresh-token configuration; its OAuth2Client usage is limited to inbound token verification rather than delegated API credentials. (extensions/googlechat/src/auth.ts:48, 5181e4f7c82b)
• Google reaction contract: Google documents spaces.messages.reactions.create as requiring user authentication with reaction or message scopes; chat.bot is not accepted.

Likely related people:

• Vincent Koc: The available current-main history attributes the Google Chat auth runtime and fixed chat.bot credential path to the June 2026 auth refactor. (role: recent area contributor; confidence: medium; commits: aa5b1bd697; files: extensions/googlechat/src/auth.ts, extensions/googlechat/src/google-auth.runtime.ts)
• steipete: Posted the prior maintainer-side review preserving this issue for the same missing OAuth contract and is connected to recent Google Chat/auth integration review context. (role: recent reviewer and adjacent owner; confidence: medium; files: extensions/googlechat/src/auth.ts, extensions/googlechat/src/accounts.ts, src/config/types.googlechat.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.