OneDrive token keeps getting revoked

What is the problem you are having with rclone?

We have a remote repo on OneDrive through a university account. So it's business type.
The problem is that seemingly every now and then (almost every day) rclone fails to access the repo, and gives the following error:

"error":"invalid_grant","error_description":"AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed.

Then when we remove the remote and initiate a new one, it works again until soon the token gets revoked.
Last time I checked the config file, the "expiry" time (that comes after "refresh_token") was just in about an hour after I created a new remote.

What is your rclone version (output from rclone version)

rclone v1.50.2

  • os/arch: linux/amd64
  • go version: go1.13.4

Which OS you are using and how many bits (eg Windows 7, 64 bit)

Ubuntu 18.04.4 LTS 64 bit

Which cloud storage system are you using? (eg Google Drive)

OneDrive

The command you were trying to run (eg rclone copy /tmp remote:tmp)

A log from the command with the -vv flag (eg output from rclone -vv copy /tmp remote:tmp)

OneDrive has a couple of hundred bugs, which they don’t fix or just don’t want to. Microsoft sucks at everything.

as a micro$oft user for over 40+ years, i cannot disagree more :wink:

micro$oft does not suck at everything.

the one thing micro$oft does NOT suck at - is sucking at everything!

The tokens live for 1 hour - that is pretty standard but after an hour it should use the refresh_token to get a new one.

Have you got a refresh_token in your token?

Yes. According to the config file, there is an "access_token," and there is also a "refresh_token". And the "token_type" is "Bearer," if that's important.

If you run rclone with -vv --dump bodies when it has expired it might give you a bit more of a clue.

I would suspect something to do with the config of the account since I don't see this on the onedrive for business account I have access to.

Microsoft auth is very complicated!

here is what I get from:
rclone -vv --dump bodies about "the remote"

2020/04/11 14:17:40 DEBUG : rclone: Version "v1.50.2" starting with parameters ["rclone" "-vv" "--dump" "bodies" "about" "the remote"]
2020/04/11 14:17:40 DEBUG : Using config file from "/home/.config/rclone/rclone.conf"
2020/04/11 14:17:40 DEBUG : backups: Loaded invalid token from config file - ignoring
2020/04/11 14:17:40 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2020/04/11 14:17:40 DEBUG : HTTP REQUEST (req 0xc000573f00)
2020/04/11 14:17:40 DEBUG : POST /common/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
User-Agent: rclone/v1.50.2
Content-Length: 1014
Authorization: XXXX
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

grant_type=refresh_token&refresh_token=[...]

2020/04/11 14:17:40 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2020/04/11 14:17:41 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2020/04/11 14:17:41 DEBUG : HTTP RESPONSE (req 0xc000573f00)
2020/04/11 14:17:41 DEBUG : HTTP/1.1 400 Bad Request
Content-Length: 737
Cache-Control: no-cache, no-store
Content-Type: application/json; charset=utf-8
Date: Sat, 11 Apr 2020 18:17:40 GMT
Expires: -1
P3p: CP="DSP CUR OTPi IND OTRi ONL FIN"
Pragma: no-cache
Set-Cookie: fpc=[...]; expires=Mon, 11-May-2020 18:17:40 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: x-ms-gateway-slice=prod; path=/; SameSite=None; secure; HttpOnly
Set-Cookie: stsservicecookie=ests; path=/; SameSite=None; secure; HttpOnly
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Ms-Ests-Server: 2.1.10369.13 - CHI ProdSlices
X-Ms-Request-Id: b46c38c2-af54-4ddf-af32-576886c51500

{"error":"invalid_grant","error_description":"AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2020-04-08T04:35:38.4010000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2020-04-08T21:34:16.0000000Z'.\r\nTrace ID: b46c38c2-af54-4ddf-af32-576886c51500\r\nCorrelation ID: e6102e3d-421a-4d45-b454-9324181ecf6c\r\nTimestamp: 2020-04-11 18:17:40Z","error_codes":[50173],"timestamp":"2020-04-11 18:17:40Z","trace_id":"b46c38c2-af54-4ddf-af32-576886c51500","correlation_id":"e6102e3d-421a-4d45-b454-9324181ecf6c","error_uri":"https://login.microsoftonline.com/error?code=50173"}

There is quite a lot of extra info there for humans to read...

AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2020-04-08T04:35:38.4010000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2020-04-08T21:34:16.0000000Z'.
https://login.microsoftonline.com/error?code=50173

There is also this on the link

Expected part of the token lifecycle - either an admin or a user revoked the tokens for this user, causing subsequent token refreshes to fail and require re-authentication. Have the user sign-in again.

I presume you didn't change your password. I wonder if your admin only lets the tokens last for a short period of time? It might be worth sending your admin that link and asking them about it.
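
The two timestamps in that error description can be compared mechanically. The following is an added example, not part of the original thread and not rclone code; the helper names `parse_aad_time` and `diagnose` are made up for illustration, and the sample body is a trimmed copy of the response in the log above.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Trimmed copy of the 400 response body from the log above (trace fields dropped).
SAMPLE_BODY = json.dumps({
    "error": "invalid_grant",
    "error_description": (
        "AADSTS50173: The provided grant has expired due to it being revoked, "
        "a fresh auth token is needed. The user might have changed or reset "
        "their password. The grant was issued on '2020-04-08T04:35:38.4010000Z' "
        "and the TokensValidFrom date (before which tokens are not valid) for "
        "this user is '2020-04-08T21:34:16.0000000Z'."
    ),
    "error_codes": [50173],
})

_TIMES = re.compile(r"issued on '([^']+)'.*?TokensValidFrom.*?is '([^']+)'", re.S)

def parse_aad_time(value):
    """Parse timestamps with 7 fractional digits, which strptime's %f rejects."""
    whole, _, frac = value.rstrip("Z").partition(".")
    micros = int(frac[:6].ljust(6, "0")) if frac else 0
    base = datetime.strptime(whole, "%Y-%m-%dT%H:%M:%S")
    return base.replace(microsecond=micros, tzinfo=timezone.utc)

def diagnose(body):
    """Return revocation details for an AADSTS50173 body, or None for anything else."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if not isinstance(doc, dict) or 50173 not in doc.get("error_codes", []):
        return None
    match = _TIMES.search(doc.get("error_description", ""))
    if not match:
        return None
    issued, valid_from = (parse_aad_time(t) for t in match.groups())
    return {
        "issued": issued,
        "valid_from": valid_from,
        # True when the refresh token predates the account-wide cut-off.
        "revoked_after_issue": issued < valid_from,
        "grant_lifetime": valid_from - issued,
    }

if __name__ == "__main__":
    result = diagnose(SAMPLE_BODY)
    print(result["revoked_after_issue"], result["grant_lifetime"])
```

For the body in this thread, the cut-off falls just under 17 hours after the grant was issued, which is the interval to mention when asking the account administrator about it.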

Yeah. Should I contact the university through which we were granted the OneDrive account, or contact Microsoft service directly?

I'd try the university first - they may have this as a policy.

I can't find an official explanation anywhere but my refresh token suddenly didn't work.
Does a OneDrive refresh token expire under some conditions?
Although I noticed that every time I use the refresh token to get an access token, a new refresh token was returned by OneDrive. Should I use the new one or just keep using the original one since there is no difference?
Hope someone can help me.

Your refresh token will get invalidated if you change your account password or your password gets locked out.

Your administrators may have more control though so they may be able to invalidate your refresh token more often.

I haven't been able to find Microsoft docs on the issue - if you find them then please post links!