Hi all,
We would like to employ rclone at large scale on our Linux desktops (1k+ clients) at the company, as we use MS OneDrive for Business as our main backup tool (not my choice) these days, and I am working on getting feature parity with the Win/Mac desktops.
While testing rclone with our IAM expert, we ran into a couple of AzureAD-related issues. In a nutshell, we could not figure out a decent way to enable (global) access to rclone. We followed the guide and the setup recommendations, but we did not find a good way to enable rclone access globally - only on an individual basis (meaning we would need to put every user on a positive list), which is not really an option at the moment. We also tried building a new app ID + client secret and sharing this among several users, but this does not work (or we did something wrong here) - nevertheless, this should not be the way this is intended to be used.
Has anyone had a similar experience? Is there a large-scale deployment in production use? I am happy about any success story or hints!
MS Auth is very complicated and I'm not an expert but maybe we can work something out together.
So what you'd like, if I'm understanding you, is for rclone to authenticate itself with AzureAD on behalf of a user and then get access to the user's OneDrive space.
I guess you don't want each user to have to do an oauth.
I don't understand quite what you mean here. Can you explain more?
I think regardless of the app ID you'll still need some user-based auth.
What do you think the best way of working for rclone should be?
Thanks for getting back to me. Basically, we're trying to use rclone for the whole organization to sync files to OneDrive for Business, each client to his/her own OneDrive profile. Currently, we need to allow access on a per-user basis in the AzureAD/MS auth backend. This is what we end up with as a user trying to log in:
Ah, so I guess you've tried whitelisting the app itself by making a new client_id and client_secret and whitelisting the client_id? I think other Azure AD users have managed that.
Yes, this is what we tried - generating a new client_id and client_secret, putting this on a positive list in AzureAD, and using this data in the rclone config across all users. But we did not understand whether (1) this is safe to use (no access breaches) and (2) it did not really work in a quick check.
If this is the way to go, I will try it once more. Is it enough to have only the same client_id positive-listed?
We did try it again with a new app_id, which worked on my client. But only with my client; trying on another instance (in a VM) using the same client_id (but again with an empty app_secret) did not work. This app_id has admin consent granted. Anything further we missed?
Tried both with a preset client_id and client_secret. Again did not work for more than one client. Also tried multi-tenant vs. single-tenant; it did not make a difference. Not sure what else to try anymore :(((
Yes, sorry, you're right. It worked for only one user. I ran a test and it worked fine for me; then my colleague tested by setting up rclone with the same client_id and client_secret, but it did not work for him (also using a different browser to avoid some cookie/token caching issue I read about in similar forum entries).
I checked the log and I do see the following:
Failed to create file system for "onedrive:": failed to get root: Get https://graph.microsoft.com/v1.0/drives/xxxxxxxxxxxxxxxxxx/root: oauth2: cannot fetch token: 400 Bad Request
Application 'xxxxx'(rclone-test) is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant.\r\nTrace
Thank you for your continuous feedback. We opened a case with MS and had a few calls with them. Eventually, it seems that the issue lies with the endpoint URL: rclone uses login.microsoftonline.com/common/oauth2/ whereas it should contain the tenant ID: login.microsoftonline.com/TENANT_ID/oauth2/
I tested this with the latest rclone v1.52.3.
Is there any way to change/specify the endpoint URL?
Sorry, I did not have the time so far. Our IAM expert is on holiday, too. I need him to create me another client_id and client_secret.
I assume that in the rclone.conf I can adjust the variables auth_url and token_url? Any hint for the syntax? I tried it as follows. At least with rclone config I was not able to run the setup with (I tried /usr/bin/rclone config -vv --dump headers)
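Added example, not part of the original thread and not rclone's own code: the error quoted above says a single-tenant app registration created after 2018-10-15 is rejected on the /common authority and must use /TENANT_ID instead. The script below builds the tenant-specific authorize/token URLs for a remote and lints an existing rclone.conf for the /common mistake. Assumptions (mine, not from the thread): that the `auth_url` and `token_url` options the last post asks about exist in your rclone version (confirm with `rclone help backend onedrive`); that rclone's OneDrive backend uses the Azure AD v2.0 endpoint paths (`/oauth2/v2.0/authorize`, `/oauth2/v2.0/token`), so check the defaults your version shows; and that the `signInAudience` values are the ones Azure AD puts in an app manifest (`AzureADMyOrg` = single tenant, `AzureADMultipleOrgs` = multi-tenant). The tenant GUID, client_id and client_secret in the demo are constructed placeholders. One security caveat worth stating plainly: a client_secret that is rolled out to 1k+ desktops is effectively public, so it must not be the only thing protecting anything; each user's data stays protected by their own delegated consent and refresh token, which is why the app should be granted delegated (not application) permissions only.

```python
"""Tenant-specific Azure AD v2.0 endpoints for an rclone OneDrive remote, plus a
small linter for the /common-endpoint mistake.  Example code; not from rclone."""
import configparser
import re

AAD_HOST = "https://login.microsoftonline.com"
# Tenant IDs are GUIDs; a verified domain name also works as an authority, but
# this example deliberately insists on the GUID form.
TENANT_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# signInAudience values as written in an Azure AD app registration manifest.
SINGLE_TENANT = "AzureADMyOrg"
MULTI_TENANT = "AzureADMultipleOrgs"


def authority(tenant_id: str, sign_in_audience: str) -> str:
    """Return the authority path segment rclone must use for this app.

    A single-tenant app is rejected on /common (the 400 quoted in the thread);
    it must use /<tenant-id>.  A multi-tenant app may keep using /common.
    """
    if sign_in_audience == MULTI_TENANT:
        return "common"
    if sign_in_audience == SINGLE_TENANT:
        if not TENANT_RE.match(tenant_id):
            raise ValueError(f"tenant id is not a GUID: {tenant_id!r}")
        return tenant_id.lower()
    raise ValueError(f"unsupported signInAudience: {sign_in_audience!r}")


def endpoints(tenant_id: str, sign_in_audience: str) -> tuple:
    """(auth_url, token_url) on the v2.0 endpoint (assumed rclone default path)."""
    base = f"{AAD_HOST}/{authority(tenant_id, sign_in_audience)}/oauth2/v2.0"
    return base + "/authorize", base + "/token"


def render_remote(name, client_id, client_secret, tenant_id, sign_in_audience):
    """Render an rclone.conf section with explicit auth_url/token_url."""
    auth_url, token_url = endpoints(tenant_id, sign_in_audience)
    return "\n".join([
        f"[{name}]",
        "type = onedrive",
        f"client_id = {client_id}",
        f"client_secret = {client_secret}",
        f"auth_url = {auth_url}",
        f"token_url = {token_url}",
        "",
    ])


def lint_remote(conf_text: str, name: str, single_tenant: bool = True) -> list:
    """Return a list of problems found in remote `name` of an rclone.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if name not in cp:
        return [f"remote {name!r} not found"]
    sec = cp[name]
    problems = []
    if sec.get("type") != "onedrive":
        problems.append("type is not onedrive")
    for key in ("auth_url", "token_url"):
        url = sec.get(key)
        if url is None:
            if single_tenant:
                problems.append(f"{key} missing: rclone will fall back to /common")
            continue
        if single_tenant and "/common/" in url:
            problems.append(f"{key} uses /common; single-tenant apps need /<tenant-id>")
        if not url.startswith(AAD_HOST + "/"):
            problems.append(f"{key} does not point at {AAD_HOST}")
    return problems


if __name__ == "__main__":
    # Constructed placeholder values; replace with your registration's data.
    tenant = "11111111-2222-3333-4444-555555555555"
    good = render_remote("onedrive", "app-id-placeholder", "secret-placeholder",
                         tenant, SINGLE_TENANT)
    print(good)
    print("lint(good):", lint_remote(good, "onedrive"))
    bad = "[onedrive]\ntype = onedrive\nclient_id = app-id-placeholder\n"
    print("lint(bad): ", lint_remote(bad, "onedrive"))
```

Run the linter against the rclone.conf you distribute before rolling it out; a section without `auth_url`/`token_url` is exactly the state that produces the "not configured as a multi-tenant application" 400 above for a single-tenant registration.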