Onedrive and refresh token

What is the problem you are having with rclone?

Successfully connected the drive using device_flow but then the Microsoft OneDrive connection stops working after 1 hour when the access token expires.

Run the command 'rclone version' and share the full output of the command.

Tried on two versions:

  • v1.50.2
  • v1.57.0

Which cloud storage system are you using? (eg Google Drive)

OneDrive

The command you were trying to run (eg rclone copy /tmp remote:tmp)

Starting it up via python but these are the params:

rclone: Version "v1.50.2" starting with parameters ["rclone" "mount" "onedriveremote:" "/tmp/OneDrive" "--log-level" "DEBUG" "--log-file" "/tmp/rclone.log" "--config" "/tmp/rclone.conf" "--daemon"]

The rclone config contents with secrets removed.

[onedriveremote]
type = onedrive
region = global
drive_id = b***
drive_type = business
token = {"access_token": "ey***", "token_type": "Bearer", "refresh_token": "0.A***", "expiry": "2022-02-25T15:10:50+00:00"}

A log from the command with the -vv flag

2022/02/24 19:49:35 DEBUG : onedriveremote: Loaded invalid token from config file - ignoring
2022/02/24 19:49:35 DEBUG : onedriveremote: Token refresh failed try 1/5: oauth2: cannot fetch token: 401 Unauthorized
Response: {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app ***}

hello and welcome to the forum,
this is a common first time mistake, microsoft makes this very confusing.

https://forum.rclone.org/t/onedrive-client-id-secret-not-working/22630/7

So the clientid and client secret are required for refreshing but not for the initial connection?

that debug log, is from a very old version of rclone, not sure how it behaves.
make sure to use latest stable v1.57.0

did you create your own client id and secret, as i do not see it in that onedrive remote you created?

So I tested quite a bit in regards to the azure app registration, trying to get one to work with both rclone and MSAL (as that is a requirement in my case). Eventually got it to work by

  • setting it to Web authentication
  • redirect url: http://localhost:53682/
  • set it to issue access & id tokens (maybe id isn't needed?)
  • enabled mobile and desktop flows

Using this new app registration I managed to get an access token from the app with both msal and rclone.

Thought I could populate the rclone.conf with the access_token and refresh_token fetched via python/MSAL. But when the access_token runs out I got another error:

{"error":"invalid_client","error_description":"AADSTS700025: Client is public so neither 'client_assertion' nor 'client_secret' should be presented

Did a rclone config on another machine and copied the refresh token over to the initial one and the error disappeared and the onedrive mount started working again.
When comparing the refresh tokens, the start of them are equal (header?) and the rest is different (including the length).
I guess the refresh token fetched via python & MSAL just isn't compatible with rclone unfortunately...

Maybe the way to get around is to not store the refresh token in the rclone.conf and then just replace it every hour with python...

perhaps try
https://rclone.org/onedrive/#onedrive-token

I eventually found a somewhat hacky solution. The refresh tokens from the python msal lib (GitHub - AzureAD/microsoft-authentication-library-for-python: Microsoft Authentication Library (MSAL) for Python makes it easy to authenticate to Azure Active Directory. These documented APIs are stable https://msal-python.readthedocs.io. If you have questions but do not have a github account, ask your questions on Stackoverflow with tag "msal" + "python".) were just not compatible with rclone.
I eventually just did use the refresh token I got from the msal lib to get a new access token and then I put the new access token in the rclone.conf programatically replacing the old one. I then killed the rclone mount process and did fusermount -uz and then ran rclone mount again using the config with the now updated access token. This does not seem to interrupt the onedrive connection so far during testing...

It would've been cleaner if I could tell the running rclone process to re-read the rclone.conf file to pickup the new access token. I'm guessing that's probably not possible though? But oh well, at least it works!

For someone looking for a way to do an ad-hoc non-browser/headless connection to onedrive with rclone; python msal + rclone does at least work ( Remote Setup (rclone.org))

That would need a new rclone remote control call. Its easy enough to reload the config file, but getting the oauth to use the new tokens would be a bit harder...

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.