Set OneDrive permission scopes during configuration

At the moment, it is possible to set the permission scope for Google Drive access during configuration. However, it appears this has not yet been implemented for OneDrive. Would it be possible to add scope configuration for OneDrive as well?

This request is analogous to this request except for OneDrive instead of Google Drive. This is useful for contexts where one would like to leverage a large capacity of OneDrive storage for an application or research purpose without exposing the account's entire drive, which might contain sensitive information. This could be implemented by granting only app-specific storage in OneDrive (Files.ReadWrite.AppFolder). Although I realize the authentication token lives client-side, I'd like to minimize exposure to potential exfiltration from the drive outside of the scope of the rclone use case in the event that the device is compromised.

I conducted a search of the GitHub repository and this forum and did not see a previous request; apologies beforehand if I missed something.

This seems like a reasonable request.

At the moment we request these scopes from OneDrive:

"Files.Read", "Files.ReadWrite", "Files.Read.All", "Files.ReadWrite.All", "offline_access", "Sites.Read.All"

What you are saying is that you'd like to request a subset of, or configure these scopes.

How does AppFolder work on OneDrive? Does the app get its own (invisible) folder like it does in Google Drive?

Thank you for your reply! Yes, this feature request would be to configure those scopes.

AppFolder scope in OneDrive is very much like the AppData scope in Google Drive except the contents remain readable/writable by the user through the regular user interface, so it is not invisible. There is some overlap in use cases with drive.file permissions in Google Drive (in the sense of limited read/write permissions to a drive with the files still being accessible by the user interface).

The App Folder is a dedicated, special folder for your app. The App Folder is typically named after your app, and is found in the Apps folder in the user's OneDrive. If you request the Files.ReadWrite.AppFolder permission scope and the user authorizes it, your app gets read and write access to this folder. Since it behaves like any other folder in the user's OneDrive, users can add, modify, and remove content from it. Your app doesn't need to maintain logic unique to the user, which allows the user to rename or move it. (source)

It seems like we could copy the way the google drive backend deals with this quite easily.

Can you open a new issue on Github about this? Put a link to this forum thread in please.

Maybe you'd like to contribute a pull request to implement?

Sounds great, I have created a GitHub feature request here.

I'm not very familiar with Go, to be honest; I would be hesitant to put production-level Go software in my hands, unless you would prefer that I contribute.

Thanks for making the issue.

If you'd like to have a go I'd be very happy to help you out. This is nearly all about configuration and it should be possible to copy the Google drive code.

Sounds good, I'll try to take a crack at it.
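As an added example (not part of the thread and not rclone's code), here is a Go check that compares the scopes a token was actually granted against the scopes a chosen access level allows, so a token issued earlier with the broad scope list is not mistaken for an app-folder-only one. The level names `full` and `appfolder`, the function `ExcessScopes`, keeping `offline_access` in the reduced set, and the sample scope string are assumptions of this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Scope sets per access level. "full" is the list quoted in the thread; the
// level names and the "appfolder" set are assumptions made for this example
// (offline_access is kept so a refresh token can still be issued).
var scopesByLevel = map[string][]string{
	"full": {"Files.Read", "Files.ReadWrite", "Files.Read.All",
		"Files.ReadWrite.All", "offline_access", "Sites.Read.All"},
	"appfolder": {"Files.ReadWrite.AppFolder", "offline_access"},
}

// Constructed sample of a token response "scope" value (space separated).
const sampleGranted = "Files.ReadWrite.AppFolder " +
	"https://graph.microsoft.com/Files.ReadWrite.All Sites.Read.All offline_access"

// ExcessScopes returns, sorted, every granted scope that the configured
// level does not allow. An unknown level is an error, never a silent "full".
func ExcessScopes(level, granted string) ([]string, error) {
	allowed, ok := scopesByLevel[level]
	if !ok {
		return nil, fmt.Errorf("unknown access level %q", level)
	}
	want := make(map[string]bool, len(allowed))
	for _, s := range allowed {
		want[strings.ToLower(s)] = true
	}
	excess := []string{}
	for _, s := range strings.Fields(granted) {
		// Assumption: a scope may carry the Graph resource URI as a prefix;
		// compare on the short name, ignoring case.
		s = strings.TrimPrefix(s, "https://graph.microsoft.com/")
		if !want[strings.ToLower(s)] {
			excess = append(excess, s)
		}
	}
	sort.Strings(excess)
	return excess, nil
}

func main() {
	excess, err := ExcessScopes("appfolder", sampleGranted)
	fmt.Println(excess, err)
}
```

A non-empty result means the stored token is broader than the configured level and should be discarded and re-authorized with the reduced scope list.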
