GDrive: Token has been expired or revoked

Help and Support
1

What is the problem you are having with rclone?

Suddenly my encrypted gdrive share cannot mount and cannot ls. Get the error: "token has been expired or revoked"

What is your rclone version (output from rclone version)

rclone 1.56

Which OS you are using and how many bits (eg Windows 7, 64 bit)

Ubuntu 18.04.5; macOS 11.5.2

Which cloud storage system are you using? (eg Google Drive)

Google Drive

The command you were trying to run (eg rclone copy /tmp remote:tmp)

rclone ls secret:archive

The rclone config contents with secrets removed.

[remote]
type = drive
client_id = [redacted]
client_secret = [redacted]
token = {"access_token":"[redacted","token_type":"Bearer","refresh_token":"[redacted]","expiry":"2021-08-19T10:04:58.982259+01:00"}
root_folder_id = [redacted

[secret]
type = crypt
remote = remote:serverbackup
filename_encryption = standard
password = [redacted]
password2 = [redacted]

A log from the command with the -vv flag

2021/08/20 19:39:36 DEBUG : rclone: Version "v1.56.0" starting with parameters ["rclone" "-vv" "ls" "secret:archive"]
2021/08/20 19:39:36 DEBUG : Creating backend with remote "secret:archive"
2021/08/20 19:39:36 DEBUG : Using config file from "/Users/user/.rclone.conf"
2021/08/20 19:39:36 DEBUG : Creating backend with remote "remote:serverbackup/[redacted]"
2021/08/20 19:39:36 DEBUG : remote: Loaded invalid token from config file - ignoring
2021/08/20 19:39:37 DEBUG : remote: Token refresh failed try 1/5: oauth2: cannot fetch token: 400 Bad Request
Response: {
  "error": "invalid_grant",
  "error_description": "Token has been expired or revoked."

Is it possible that this is a temporary user ban?

I have no idea how to troubleshoot this. I can see in the GDrive web interface that the data is still there but I can't interact with it: can't "ls" and can't mount.

I've been using this gdrive and mounting rclone for 6 years and this is the first time this has happened.

Any help much appreciated.

2

hello,

sorry, i do not know the cause of the problem.

i would try https://rclone.org/commands/rclone_config_reconnect

perhaps you just updated to v1.56.0 and the problem started then?

3

I gather that this thread is what the issue is here.

It has to do with the new GDrive “enhanced security”.

Unfortunately, that thread points to newly-updated instructions for making your own client ID.

What if I’ve already got a client ID? Could someone possibly walk me through the steps to get my existing ID to work with the new security?

Or, if I have to set up a new ID, could someone walk me through doing that without losing access to my encrypted shares.

I’d be most appreciative and I’m sure I’m not alone in being perplexed (and fearful!) about how to proceed in this case.

Thanks in advance,

4

Just run the command above that @asdffdsa shared and you should be done. Nothing else needed.

5

When I do that and enter the URL in the browser, I get this:

Authorization Error
Error 400: admin_policy_enforced
Access to your account data is restricted by policies within your organization. Please contact the administrator for [redacted] for more information.

I fear the worst here. I can't imagine how I'd be able to justify to my organization's administrator the need to have a server accessing my Google Drive storing my Plex content.

Is there a workaround for this?

6

That means the admin removed your token and you can't access it.

You need to contact that person as there isn't anything you can do about it.

7

Wow.

Is there any way to access any of this encrypted data to move it somewhere else, perhaps in its encrypted state in order to decrypt it from a new location?

If, for example, I opened a new (paid) GD account...

8

Can you access it through a web browser?

https://drive.google.com/drive/u/0/my-drive

If they remove API access, that's the only way I am aware of. You'd have to download it and decrypt it though assuming you can access it.

9

I can still access it through the browser. All the content for the relevant folder, including the filenames, is encrypted, so it'd be quite laborious even figuring out which folders are the essential ones.

10

I'd imagine it would be depending on the number of files you got.

Maybe Drive Stream?

https://support.google.com/drive/answer/7329379

I've never used it myself as I don't use Windows.

11

I wonder if I'd dare try to cajole an administrator (it's an educational account) that I need rclone to be able to access my GD. I think that that would be mission impossible. There'd be questions about the 39TB of files. :weary:

I suspect that it wasn't that anyone personally revoked API access for me. Rather, I would imagine they introduced a new policy regarding "scopes" (I have no idea what these are, but could guess) and it blocked anything that ran afoul of that policy.

Is it sure that changing the "Publishing Status" from "In Production" to "Testing" wouldn't do anything?

There is in the Google Account management page a big old button for transferring content to another Google Account. I think that might be my best bet: set up an unlimited enterprise account ($$$) and transfer the data there.

12

@Animosity022,
since the OP can access the folder using the browser.
is there a way to get the folder id, use it as root_folder_id and use rclone's client_id to create a remote?

13

Nope. The API is disabled.

14

Any reason why using the big button on the Google Accounts page: Screenshot 2021-08-20 at 22.04.43

wouldn't transfer everything over, if I set up a 5-user Google Enterprise account with unlimited storage?

If you think that would work, I assume it is also possible to decrypt via rclone once the files have been transferred.

15

I've never used it that so I don't have any feedback on how it works.

As for if the files are moved, you'd point to the new location and you'd be fine.

You can either re-use the same rclone.conf and just copy it or setup a new remote with the same passwords/salt.

That is no issue.

16

Thanks. Is it also possible to point rclone to local files (if, say, I were to download them to a server) and decrypt them. I realise this may be a stupid question but I've only ever used rclone to transfer and decrypt files hosted remotely.

17

Check out:

https://rclone.org/crypt/#specifying-the-remote

1 Like
18

yes, crypt files can be located anywhere - local, cloud, net share, on a NAS, etc...

[localcypt]
type = crypt
remote = /path/to/crypt/folder
filename_encryption = 
directory_name_encryption = 
password = 
password2 =
1 Like
19

Thanks for the help.

I don't suppose there's some other GDrive client or any other utility for a Linux server that would allow me to transfer the encrypted files to my server? I gather (in my limited knowledge of such things) that some third-party apps can access my files. These continue to work. Only my rclone "app" has been removed from API access.

What would be involved (obviously at developer level) in giving rclone the kind of access to GDrive that other apps have? For example, Arq Backup can write and read from my Google Drive and continues to be able to do so.

Is there any other workaround that might give me back access to my GDrive share? Would the "verification" process work?

Forgive me if this is a naive or confused question. Although I've been running a server for quite a while, I'm really just a hobbyist.

Also: is there any way to determine the size of GDrive folders? DaisyDisk (mac app) will do this in theory, but seems to choke every time (times out), no doubt because of the number of files or size of the storage in GDrive.

20

I've now been able to install gdrive on my headless server (the one on which I used to mount my GD share using rclone).

Here's what I don't understand (and this isn't a complaint; I'm just hoping to learn): the unofficial gdrive app for linux has this in its README.md:

gdrive is finally verified for using sensitive scopes which should fix the This app is blocked error. Note that the project name will show up as project-367116221053 when granting access to you account. (I don't dare to change any more settings in the google console.)

rclone no longer works with my GD share precisely because of those 'sensitive scopes' which has led my gdrive administrators to require 'verification' of the app.

Question: can rclone not be 'verified' in this way in the way that, say, the ftp clients on my mac are verified to interact with Gdrive?

gdrive can apparently access my entire Google Drive from my linux server. I haven't tested it, but I assume it will be able to transfer (or mount?) the encrypted folder I used for my rclone share. Why is rclone blocked but not gdrive?