Gdrive + Okta SSO?

I've been using rclone with Gdrive for personal use extensively. Recently, my company ditched Crashplan and directed us to start using our G-Suite Gdrive storage. But no automation has been provided to do backups to Gdrive. Of course, my first thought was to turn rclone to the task.

I've been able to get rclone configured with Gdrive + Okta for basic tasks, until the token expires in about 1 hour and it fails to refresh.

I get a message like the following:

2019/08/24 11:42:06 ERROR : Attempt 1/3 failed with 1 errors and: couldn't list directory: Get https://www.googleapis.com/drive/v3/files?alt=json&fields=files%28id%2Cname%2Csize%2Cmd5Checksum%2Ctrashed%2CmodifiedTime%2CcreatedTime%2CmimeType%2Cparents%2CwebViewLink%29%2CnextPageToken&pageSize=1000&prettyPrint=false&q=trashed%3Dfalse+and+%28%27root%27+in+parents%29+and+%28name%3D%27mbp_test%27%29+and+mimeType%3D%27application%2Fvnd.google-apps.folder%27: oauth2: cannot fetch token: 401 Unauthorized Response: { "error": "unauthorized_client", "error_description": "Unauthorized" }

OS X 10.14.6, rclone installed via homebrew:
rclone v1.48.0

  • os/arch: darwin/amd64
  • go version: go1.12.6

Rclone config:
[workbkup]
type = drive
client_id = .apps.googleusercontent.com
client_secret =
scope = drive.file
root_folder_id =
token = {"access_token":"","token_type":"Bearer","refresh_token":"","expiry":"2019-08-24T15:34:46.274873-04:00"}

Debug log from when the token expires (ran a while loop copying and deleting a file with a 2m pause b/w each):

2019/08/24 15:31:23 DEBUG : test.mp4: Sending chunk 92274688 length 3157392
2019/08/24 15:31:24 INFO : test.mp4: Copied (new)
2019/08/24 15:31:24 INFO :
Transferred: 91.011M / 91.011 MBytes, 100%, 14.591 MBytes/s, ETA 0s
Errors: 0
Checks: 0 / 0, -
Transferred: 1 / 1, 100%
Elapsed time: 6.2s

2019/08/24 15:31:24 DEBUG : 6 go routines active
2019/08/24 15:31:24 DEBUG : rclone: Version "v1.48.0" finishing with parameters ["rclone" "--log-file=test_refresh.log" "-vvv" "copy" "moo/test.mp4" "workbkup:mbp_test/"]
2019/08/24 15:33:24 DEBUG : rclone: Version "v1.48.0" starting with parameters ["rclone" "--log-file=test_refresh.log" "-vvv" "delete" "workbkup:mbp_test/test.mp4"]
2019/08/24 15:33:24 DEBUG : Using config file from "/Users/nmiller/.config/rclone/rclone.conf"
2019/08/24 15:33:26 INFO : Waiting for deletions to finish
2019/08/24 15:33:26 DEBUG : moo: Excluded
2019/08/24 15:33:26 INFO : test.mp4: Deleted
2019/08/24 15:33:26 DEBUG : 6 go routines active
2019/08/24 15:33:26 DEBUG : rclone: Version "v1.48.0" finishing with parameters ["rclone" "--log-file=test_refresh.log" "-vvv" "delete" "workbkup:mbp_test/test.mp4"]
2019/08/24 15:35:26 DEBUG : rclone: Version "v1.48.0" starting with parameters ["rclone" "--log-file=test_refresh.log" "-vvv" "copy" "moo/test.mp4" "workbkup:mbp_test/"]
2019/08/24 15:35:26 DEBUG : Using config file from "/Users/nmiller/.config/rclone/rclone.conf"
2019/08/24 15:35:26 DEBUG : workbkup: Loaded invalid token from config file - ignoring
2019/08/24 15:35:27 DEBUG : workbkup: Token refresh failed try 1/5: oauth2: cannot fetch token: 401 Unauthorized
Response: {
"error": "unauthorized_client",
"error_description": "Unauthorized"
}
<...snipped 3 attempts..>
2019/08/24 15:35:42 DEBUG : workbkup: Loaded invalid token from config file - ignoring
2019/08/24 15:35:42 DEBUG : workbkup: Token refresh failed try 5/5: oauth2: cannot fetch token: 401 Unauthorized
Response: {
"error": "unauthorized_client",
"error_description": "Unauthorized"
}
2019/08/24 15:35:43 ERROR : Attempt 1/3 failed with 1 errors and: couldn't list directory: Get https://www.googleapis.com/drive/v3/files?alt=json&fields=files(id%2Cname%2Csize%2Cmd5Checksum%2Ctrashed%2CmodifiedTime%2CcreatedTime%2CmimeType%2Cparents%2CwebViewLink)%2CnextPageToken&pageSize=1000&prettyPrint=false&q=trashed%3Dfalse+and+('root'+in+parents)+and+(name%3D'mbp_test')+and+mimeType%3D'application%2Fvnd.google-apps.folder': oauth2: cannot fetch token: 401 Unauthorized
Response: {
"error": "unauthorized_client",
"error_description": "Unauthorized"
}

I read through this thread: Enabling rclone for SSO box.com accounts

However, even if the Gdrive web interface is active and has a valid Okta session token when I run the authorize command, rclone fails to refresh the Gdrive token after it expires. Our SSO is set up such that for Gdrive use, we must use Okta even when on VPN or on the office network.

I'm wondering if anyone has successfully worked with Gdrive and Okta as the SSO? I do not have any administrative access to authorize rclone at a higher level, only at my user account level.

Any suggestions appreciated.
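As an added example (not code from the original post or from rclone itself): a small Python checker that reads the stored token expiry from an rclone.conf section and scans a `-vvv` log for the "Token refresh failed" lines shown above, reporting the HTTP status and the OAuth error code so a scheduled backup can alert on this failure instead of retrying silently. The config and log samples are constructed from the post; the remote name `workbkup` and the assumption that log timestamps share the token's time zone are mine.

```python
import configparser
import json
import re
from datetime import datetime
# Constructed samples modelled on the config and -vvv log in the post (no real secrets).
SAMPLE_CONF = """[workbkup]
type = drive
token = {"access_token":"","token_type":"Bearer","refresh_token":"","expiry":"2019-08-24T15:34:46.274873-04:00"}
"""
SAMPLE_LOG = """2019/08/24 15:35:26 DEBUG : workbkup: Loaded invalid token from config file - ignoring
2019/08/24 15:35:27 DEBUG : workbkup: Token refresh failed try 1/5: oauth2: cannot fetch token: 401 Unauthorized
Response: {
"error": "unauthorized_client",
"error_description": "Unauthorized"
}
"""
REFRESH_FAIL = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) DEBUG : (?P<remote>\S+): "
    r"Token refresh failed try (?P<n>\d+)/(?P<total>\d+): .*?(?P<status>\d{3}) ")
ERROR_CODE = re.compile(r'^"error":\s*"(?P<code>[^"]+)"')

def token_expiry(conf_text, remote):
    """Expiry of the OAuth token stored for `remote` in rclone.conf, as an aware datetime."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return datetime.fromisoformat(json.loads(cp[remote]["token"])["expiry"])

def refresh_failures(log_text):
    """One dict per 'Token refresh failed' line, with the OAuth error code that follows it."""
    out = []
    for line in log_text.splitlines():
        m = REFRESH_FAIL.match(line)
        e = ERROR_CODE.match(line.strip())
        if m:
            out.append({"ts": m["ts"], "remote": m["remote"], "try": f"{m['n']}/{m['total']}",
                        "status": int(m["status"]), "code": None})
        elif e and out and out[-1]["code"] is None:
            out[-1]["code"] = e["code"]
    return out

def diagnose(conf_text, log_text, remote):
    """Did rclone try to refresh after the stored expiry, and how did Google's token endpoint answer?"""
    exp = token_expiry(conf_text, remote)
    fails = [f for f in refresh_failures(log_text) if f["remote"] == remote]
    if not fails:
        return {"refresh_failed": False}
    # rclone log timestamps carry no zone; assume the same zone as the token expiry (an assumption).
    when = datetime.strptime(fails[0]["ts"], "%Y/%m/%d %H:%M:%S").replace(tzinfo=exp.tzinfo)
    return {"refresh_failed": True, "after_expiry": when > exp, "attempts": len(fails),
            "status": fails[0]["status"], "code": fails[0]["code"]}
```

A `401` with `unauthorized_client` on the refresh call, as opposed to a `400` with `invalid_grant` (revoked or expired refresh token), points at the client registration or the IdP policy rather than at the token itself, which matches the symptom in this thread.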

Hi

Have you followed the last step: Making your own client_id on https://rclone.org/drive/ ?

Regards

Yes, I created my own client_id -- I have one for each of my Gdrive accounts. The one used here is specific to the work account and was created while authenticated to Google using SSO.

Hmm, it looks like the refresh token you get when using SSO doesn't work for some reason...

Can you make a service account? That should work along with --drive-impersonate you@email.com and that shouldn't expire.

I tried two different SAs, one with no roles granted, the other with my role as owner of the "Project" set. Both resulted in the same logs:

rclone --drive-impersonate nnmiller@workdomain.com lsd workbkup:
2019/08/27 12:19:13 ERROR : : error listing: couldn't list directory: Get https://www.googleapis.com/drive/v3/files?alt=json&fields=files(id%2Cname%2Csize%2Cmd5Checksum%2Ctrashed%2CmodifiedTime%2CcreatedTime%2CmimeType%2Cparents%2CwebViewLink)%2CnextPageToken&pageSize=1000&prettyPrint=false&q=trashed%3Dfalse+and+('root'+in+parents): oauth2: cannot fetch token: 401 Unauthorized
Response: {
"error": "unauthorized_client",
"error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}
2019/08/27 12:19:13 Failed to lsd with 2 errors: last error was: couldn't list directory: Get https://www.googleapis.com/drive/v3/files?alt=json&fields=files(id%2Cname%2Csize%2Cmd5Checksum%2Ctrashed%2CmodifiedTime%2CcreatedTime%2CmimeType%2Cparents%2CwebViewLink)%2CnextPageToken&pageSize=1000&prettyPrint=false&q=trashed%3Dfalse+and+('root'+in+parents): oauth2: cannot fetch token: 401 Unauthorized
Response: {
"error": "unauthorized_client",
"error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}

I was logged into Okta and Gdrive with my work account at the time. So it looks like this just isn't going to work without some sort of admin access.

I guess I'll try to figure out a method to use a Time Machine disk image with Drive Stream, similar to how I've used it with an NFS server.

Thanks for the suggestions.

:frowning:

No problems! Maybe someone will figure it out in the meantime!

Can't help you really with the OAuth, but I believe it's still required to have domain-wide delegation on a SA to get a clientID. You would then add the ID to the authorized API list in the admin center in order to be able to impersonate.

Have you tried sharing a folder with the service account though? You would still be able to use it as you have been and being a separate "entity" it wouldn't have to follow the specialized flow you have on yourself. Either that, or if sharing is allowed, create a different gmail account / use your personal one.

Being an SA is a special use-case, and they don't have passwords; maybe look into seeing if you're able to get a "Team/Shared" drive for just you "two" to use until you're able to follow the flow they're requiring. They can lock that down all the same, if not more so. It's also able to be fully audited by your admins if they so wish.


Actually, that is an interesting idea that I hadn't considered. Since the plan is to encrypt the whole shebang anyway, it shouldn't be an issue.

I used kaijay's suggestion and created a folder that I shared with a personal, external account, which worked. Thank you for the idea.
