OneDrive token keeps getting revoked

What is the problem you are having with rclone?

We have a remote repo on OneDrive through a university account. So it's business type.
The problem is that seemingly every now and then (almost everyday) rclone fails to access the repo, and gives the following error:

The provided grant has expired due to it being revoked, a fresh auth token is needed.

Then when we remove the remote and initiate a new one, it works again until soon the token gets revoked.
Last time I checked the config file, the "expiry" time (that comes after "refresh_token") was just in about an hour after I created a new remote.

What is your rclone version (output from rclone version)

rclone v1.50.2

  • os/arch: linux/amd64
  • go version: go1.13.4

Which OS you are using and how many bits (eg Windows 7, 64 bit)

Ubuntu 18.04.4 LTS 64 bit

Which cloud storage system are you using? (eg Google Drive)


The command you were trying to run (eg rclone copy /tmp remote:tmp)

A log from the command with the -vv flag (eg output from rclone -vv copy /tmp remote:tmp)

OneDrive has couple of hundreds bugs, which they don’t fix or just don’t want to. Microsoft sucks at everything.

as a micro$oft user for over 40+ years, i cannot disagree more :wink:

micro$oft does not suck at everything.

the one thing micro$oft does NOT suck at - is sucking at everything!


The tokens live for 1 hour - that is pretty standard but after an hour it should use the refresh_token to get a new one.

Have you got a refresh_token in your token?

Yes. According to the config file, there is an "access_token," and there is also a "refresh_token". And the "token_type" is "Bearer," if that's important.

If you run rclone with -vv --dump bodies when it has expired it might give you a bit more of a clue.

I would suspect something to do with the config of the account since I don't see this on the onedrive for business account I have access to.

Microsoft auth is very complicated!

here is what I get from:
rclone -vv --dump bodies about "the remote"

2020/04/11 14:17:40 DEBUG : rclone: Version "v1.50.2" starting with parameters ["rclone" "-vv" "--dump" "bodies" "about" "the remote"]
2020/04/11 14:17:40 DEBUG : Using config file from "/home/.config/rclone/rclone.conf"
2020/04/11 14:17:40 DEBUG : backups: Loaded invalid token from config file - ignoring
2020/04/11 14:17:40 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2020/04/11 14:17:40 DEBUG : HTTP REQUEST (req 0xc000573f00)
2020/04/11 14:17:40 DEBUG : POST /common/oauth2/v2.0/token HTTP/1.1
User-Agent: rclone/v1.50.2
Content-Length: 1014
Authorization: XXXX
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip


2020/04/11 14:17:40 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2020/04/11 14:17:41 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2020/04/11 14:17:41 DEBUG : HTTP RESPONSE (req 0xc000573f00)
2020/04/11 14:17:41 DEBUG : HTTP/1.1 400 Bad Request
Content-Length: 737
Cache-Control: no-cache, no-store
Content-Type: application/json; charset=utf-8
Date: Sat, 11 Apr 2020 18:17:40 GMT
Expires: -1
Pragma: no-cache
Set-Cookie: fpc=[...]; expires=Mon, 11-May-2020 18:17:40 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: x-ms-gateway-slice=prod; path=/; SameSite=None; secure; HttpOnly
Set-Cookie: stsservicecookie=ests; path=/; SameSite=None; secure; HttpOnly
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Ms-Ests-Server: 2.1.10369.13 - CHI ProdSlices
X-Ms-Request-Id: b46c38c2-af54-4ddf-af32-576886c51500

{"error":"invalid_grant","error_description":"AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2020-04-08T04:35:38.4010000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2020-04-08T21:34:16.0000000Z'.\r\nTrace ID: b46c38c2-af54-4ddf-af32-576886c51500\r\nCorrelation ID: e6102e3d-421a-4d45-b454-9324181ecf6c\r\nTimestamp: 2020-04-11 18:17:40Z","error_codes":[50173],"timestamp":"2020-04-11 18:17:40Z","trace_id":"b46c38c2-af54-4ddf-af32-576886c51500","correlation_id":"e6102e3d-421a-4d45-b454-9324181ecf6c","error_uri":""}

There is quite a lot of extra info there for humans to read...

AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2020-04-08T04:35:38.4010000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2020-04-08T21:34:16.0000000Z'.

There is also this on the link

Expected part of the token lifecycle - either an admin or a user revoked the tokens for this user, causing subsequent token refreshes to fail and require re-authentication. Have the user sign-in again.

I presume you didn't change your password. I wonder if your admin only lets the tokens last for a short period of time? It might be worth sending your admin that link and asking them about it.

Yeah. Should I contact the university through which we were granted the OneDrive account, or contact Microsoft service directly?

I'd try the university first - they may have this as a policy.

I can't find an official explanation anywhere but my refresh token suddenly didn't work.
Does onedrive refresh token expire under some conditions?
Although I noticed that every time I use refresh token to get an access token, a new refresh token was returned by onedrive. Should I use the new one or just keep using the original one since there is no difference?
Hope someone can help me. shareit vidmate

Your refresh token will get invalidated if you change your account password or your password gets locked out.

Your administrators may have more control though so they may be able to invalidate your refresh token more often.

I haven't been able to find Microsoft docs on the issue - if you find them then please post links!

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.