AADSTS700025 error when setting up a new OneDrive remote

What is the problem you are having with rclone?

  1. Follow the steps at Microsoft OneDrive to create a client ID and key.
  2. Run rclone config to set up a new remote.
Log in and authorize rclone for access
Waiting for code...
Got code
2021/06/04 13:57:06 Failed to configure token: failed to get token: oauth2: cannot fetch token: 401 Unauthorized
Response: {"error":"invalid_client","error_description":"AADSTS700025: Client is public so neither 'client_assertion' nor 'client_secret' should be presented.

What is your rclone version (output from rclone version)

rclone v1.55.1
- os/type: windows
- os/arch: amd64
- go/version: go1.16.3
- go/linking: dynamic
- go/tags: cmount

Which OS you are using and how many bits (eg Windows 7, 64 bit)

Windows 10, 64 bit

Which cloud storage system are you using? (eg Google Drive)

OneDrive

The command you were trying to run (eg rclone copy /tmp remote:tmp)

rclone config

The rclone config contents with secrets removed.

N/A. The new remote is not added successfully.

A log from the command with the -vv flag

Paste  log here

Can you copy/paste the entire text of the rclone config command, not just a snippet?

It's below, redacted to remove the client ID and secret. That said, I think the error is self-explanatory. Rclone is passing along the client_secret, and Microsoft doesn't like it. If I capture an HTTP trace, I can see that the client_secret is indeed included.

λ rclone config
Current remotes:

Name                 Type
====                 ====
Source               drive
SourceMyDrive        drive
SourceOneDrive       onedrive
SourceOneDrive2      onedrive
TargetMyDrive        drive

e) Edit existing remote
n) New remote
d) Delete remote
r) Rename remote
c) Copy remote
s) Set configuration password
q) Quit config
e/n/d/r/c/s/q> n
name> SourceOneDrive3
Type of storage to configure.
Enter a string value. Press Enter for the default ("").
Choose a number from below, or type in your own value
 1 / 1Fichier
   \ "fichier"
 2 / Alias for an existing remote
   \ "alias"
 3 / Amazon Drive
   \ "amazon cloud drive"
 4 / Amazon S3 Compliant Storage Providers including AWS, Alibaba, Ceph, Digital Ocean, Dreamhost, IBM COS, Minio, and Tencent COS
   \ "s3"
 5 / Backblaze B2
   \ "b2"
 6 / Box
   \ "box"
 7 / Cache a remote
   \ "cache"
 8 / Citrix Sharefile
   \ "sharefile"
 9 / Compress a remote
   \ "compress"
10 / Dropbox
   \ "dropbox"
11 / Encrypt/Decrypt a remote
   \ "crypt"
12 / Enterprise File Fabric
   \ "filefabric"
13 / FTP Connection
   \ "ftp"
14 / Google Cloud Storage (this is not Google Drive)
   \ "google cloud storage"
15 / Google Drive
   \ "drive"
16 / Google Photos
   \ "google photos"
17 / Hadoop distributed file system
   \ "hdfs"
18 / Hubic
   \ "hubic"
19 / In memory object storage system.
   \ "memory"
20 / Jottacloud
   \ "jottacloud"
21 / Koofr
   \ "koofr"
22 / Local Disk
   \ "local"
23 / Mail.ru Cloud
   \ "mailru"
24 / Mega
   \ "mega"
25 / Microsoft Azure Blob Storage
   \ "azureblob"
26 / Microsoft OneDrive
   \ "onedrive"
27 / OpenDrive
   \ "opendrive"
28 / OpenStack Swift (Rackspace Cloud Files, Memset Memstore, OVH)
   \ "swift"
29 / Pcloud
   \ "pcloud"
30 / Put.io
   \ "putio"
31 / QingCloud Object Storage
   \ "qingstor"
32 / SSH/SFTP Connection
   \ "sftp"
33 / Sugarsync
   \ "sugarsync"
34 / Tardigrade Decentralized Cloud Storage
   \ "tardigrade"
35 / Transparently chunk/split large files
   \ "chunker"
36 / Union merges the contents of several upstream fs
   \ "union"
37 / Webdav
   \ "webdav"
38 / Yandex Disk
   \ "yandex"
39 / Zoho
   \ "zoho"
40 / http Connection
   \ "http"
41 / premiumize.me
   \ "premiumizeme"
42 / seafile
   \ "seafile"
Storage> onedrive
** See help for onedrive backend at: https://rclone.org/onedrive/ **

OAuth Client Id
Leave blank normally.
Enter a string value. Press Enter for the default ("").
client_id> REDACTED
OAuth Client Secret
Leave blank normally.
Enter a string value. Press Enter for the default ("").
client_secret> REDACTED
Choose national cloud region for OneDrive.
Enter a string value. Press Enter for the default ("global").
Choose a number from below, or type in your own value
 1 / Microsoft Cloud Global
   \ "global"
 2 / Microsoft Cloud for US Government
   \ "us"
 3 / Microsoft Cloud Germany
   \ "de"
 4 / Azure and Office 365 operated by 21Vianet in China
   \ "cn"
region> 1
Edit advanced config? (y/n)
y) Yes
n) No (default)
y/n>
Remote config
Make sure your Redirect URL is set to "http://localhost:53682/" in your custom config.
Use auto config?
 * Say Y if not sure
 * Say N if you are working on a remote or headless machine
y) Yes (default)
n) No
y/n>
If your browser doesn't open automatically go to the following link: http://127.0.0.1:53682/auth?state=CDwL567OLxdI4SgLujCSmA
Log in and authorize rclone for access
Waiting for code...
Got code
2021/06/04 14:31:27 Failed to configure token: failed to get token: oauth2: cannot fetch token: 401 Unauthorized
Response: {"error":"invalid_client","error_description":"AADSTS700025: Client is public so neither 'client_assertion' nor 'client_secret' should be presented.\r\nTrace ID: b587875b-0ad6-43e5-a672-ec9f4f8f4000\r\nCorrelation ID: f54ac7d6-2cba-4da6-a0d1-d99e06ea10ed\r\nTimestamp: 2021-06-04 19:31:28Z","error_codes":[700025],"timestamp":"2021-06-04 19:31:28Z","trace_id":"b587875b-0ad6-43e5-a672-ec9f4f8f4000","correlation_id":"f54ac7d6-2cba-4da6-a0d1-d99e06ea10ed"}

You need to use the value, not the secret ID.

If you use the secret ID, you will get "error_description":"AADSTS7000215: Invalid client secret is provided"

The issue was that I was reusing an existing app that had been set up as something other than the Web platform. I was able to set the redirect for this platform, but it causes the AADSTS7000215 error. Recreating the app from scratch and ensuring the platform is Web resolved the problem.

Thanks!

Sure, it is very confusing.
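
An added example, not part of the thread and not rclone code: a small Go helper that pulls the AADSTS code out of the "Response:" text rclone prints after a failed token fetch, including the cut-off form quoted in the first post, and attaches the cause the posters reported. The names Diagnosis, Diagnose and hints are hypothetical, and the sample input is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

type Diagnosis struct {
	Code          int    // AADSTS error code, 0 if none was found
	CorrelationID string // empty when the JSON was cut short
	Hint          string // cause as reported in the thread
}

// hints restate the posters' findings; they are not an official mapping.
var hints = map[int]string{
	700025:  "app is registered as a public client; recreate it with the Web platform",
	7000215: "client secret rejected; use the secret's value, not the secret ID",
}
var aadsts = regexp.MustCompile(`AADSTS(\d+)`)

// Diagnose parses rclone's "Response: {...}" text (hypothetical helper, not rclone code).
func Diagnose(log string) Diagnosis {
	var d Diagnosis
	i := strings.Index(log, "Response: ")
	if i < 0 {
		return d
	}
	body := log[i+len("Response: "):]
	var resp struct {
		ErrorCodes    []int  `json:"error_codes"`
		CorrelationID string `json:"correlation_id"`
	}
	// Decode reads only the first JSON value, so later log lines are ignored.
	if err := json.NewDecoder(strings.NewReader(body)).Decode(&resp); err == nil && len(resp.ErrorCodes) > 0 {
		d.Code, d.CorrelationID = resp.ErrorCodes[0], resp.CorrelationID
	} else if m := aadsts.FindStringSubmatch(body); m != nil {
		d.Code, _ = strconv.Atoi(m[1]) // JSON cut short: take the code from the text
	}
	d.Hint = hints[d.Code]
	return d
}

func main() {
	// Constructed sample shaped like the response quoted in the thread.
	sample := `Response: {"error":"invalid_client","error_description":"AADSTS700025: Client is public","error_codes":[700025],"correlation_id":"00000000-0000-0000-0000-000000000000"}`
	fmt.Printf("%+v\n", Diagnose(sample))
}
```

The correlation ID it returns is the value to quote when asking the tenant administrator to look up the failed sign-in.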
