Sharepoint (Onedrive) single tenant with a shared secret


What is the problem you are having with rclone?

I registered a single tenant application in the Azure portal.

Now I am able to fetch the access token without entering my personal credentials, using only the client_id, with this command. Microsoft calls this an "Access token request with a shared secret".

curl --location --request GET 'https://login.microsoftonline.com/<..>/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=3e72e39d-a253-48b5-<..>' \
--data-urlencode 'client_secret=u0t8Q~sIGNmE~<..>' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'scope=https://graph.microsoft.com/.default'

But if I want to retrieve the access token using rclone I have to enter my personal credentials. I followed these instructions and used this command.

rclone --onedrive-drive-type "business" --onedrive-token-url 'https://login.microsoftonline.com/8f5f7bf4-542e-41aa-8b9a-<..>/oauth2/v2.0/token' -vvv --onedrive-auth-url "https://login.microsoftonline.com/8f5f7bf4-542e-41aa-8b9a-<..>/oauth2/v2.0/authorize" authorize onedrive -- "3e72e39d-a253-<..>" "u0t8Q~sIGN<..>"

Maybe I am missing a detail; at the moment I do not understand why I need to enter my personal credentials. Instead it should be enough to use client_id and

Run the command 'rclone version' and share the full output of the command.

rclone version
rclone v1.53.3-DEV

  • os/arch: linux/amd64
  • go version: go1.18

Which cloud storage system are you using? (eg Google Drive)

Sharepoint

The command you were trying to run (eg rclone copy /tmp remote:tmp)

 ./rclone --onedrive-drive-type "business" --onedrive-token-url 'https://login.microsoftonline.com/8f5f7bf4-542e-41aa-<..>/oauth2/v2.0/token' -vvv --onedrive-auth-url "https://login.microsoftonline.com/8f5f7bf4-542e-41aa-<..>/oauth2/v2.0/authorize" authorize onedrive -- "3e72e39d-a253-48b5-<..>" "u0t8Q~sIGNmE~<..>"

The rclone config contents with secrets removed.

There is no rclone config as this is used to get the access token only.

A log from the command with the -vv flag

2023/04/20 08:20:07 DEBUG : rclone: Version "v1.62.2" starting with parameters ["./rclone" "--onedrive-drive-type" "business" "--onedrive-token-url" "https://login.microsoftonline.com/8f5f7bf4-542e-41aa-<..>/oauth2/v2.0/token" "-vvv" "--onedrive-auth-url" "https://login.microsoftonline.com/8f5f7bf4-542e-41aa-<..>/oauth2/v2.0/authorize" "authorize" "onedrive" "--" "3e72e39d-a253-48b5-<..>" "u0t8Q~sIGNmE~<..>"]
2023/04/20 08:20:07 DEBUG : **temp-fs**: config in: state="", result=""
2023/04/20 08:20:07 DEBUG : Using config file from "/home/qtc340/.config/rclone/rclone.conf"
2023/04/20 08:20:07 DEBUG : OAuth only is set - overriding return state
2023/04/20 08:20:07 DEBUG : **temp-fs**: config out: out=&{State:*oauth,,, Option:<nil> OAuth:<nil> Error: Result:}, err=<nil>
2023/04/20 08:20:07 DEBUG : **temp-fs**: config in: state="*oauth,,,", result=""
2023/04/20 08:20:07 DEBUG : **temp-fs**: config out: out=&{State:*oauth-confirm,,, Option:<nil> OAuth:<nil> Error: Result:}, err=<nil>
2023/04/20 08:20:07 DEBUG : **temp-fs**: config in: state="*oauth-confirm,,,", result=""
2023/04/20 08:20:07 DEBUG : Auto confirm is set, choosing default "true" for state "*oauth-islocal,,,", override by setting config parameter "config_is_local"
2023/04/20 08:20:07 DEBUG : **temp-fs**: config out: out=&{State:*oauth-islocal,,, Option:<nil> OAuth:<nil> Error: Result:true}, err=<nil>
2023/04/20 08:20:07 DEBUG : **temp-fs**: config in: state="*oauth-islocal,,,", result="true"
2023/04/20 08:20:07 DEBUG : **temp-fs**: config out: out=&{State:*oauth-do,,, Option:<nil> OAuth:<nil> Error: Result:}, err=<nil>
2023/04/20 08:20:07 DEBUG : **temp-fs**: config in: state="*oauth-do,,,", result=""
2023/04/20 08:20:07 NOTICE: Make sure your Redirect URL is set to "http://localhost:53682/" in your custom config.
2023/04/20 08:20:07 DEBUG : Starting auth server on 127.0.0.1:53682
2023/04/20 08:20:07 NOTICE: If your browser doesn't open automatically go to the following link: http://127.0.0.1:53682/auth?state=iVQ2DeyfCM0Za0IyoN0jbQ
2023/04/20 08:20:07 NOTICE: Log in and authorize rclone for access
2023/04/20 08:20:07 NOTICE: Waiting for code...
2023/04/20 08:20:51 DEBUG : Redirecting browser to: https://login.microsoftonline.com/8f5f7bf4-542e-41aa-<..>/oauth2/v2.0/authorize?access_type=offline&client_id=3e72e39d-a253-48b5-<..>&redirect_uri=http%3A%2F%2Flocalhost%3A53682%2F&response_type=code&scope=Files.Read+Files.ReadWrite+Files.Read.All+Files.ReadWrite.All+Sites.Read.All+offline_access&state=iVQ2DeyfCM0Za0IyoN0jbQ

Because the general user base is not going to compile a complex curl command to get an ID and they are going to use a standard API method provided by MS to get it.

My understanding is that client_id is for identifying the app in use (in this case rclone).

OAuth always requires a user as well - at least the way rclone uses it with grant_type authorization_code.

This could probably be made to work by using a grant_type of client_credentials but it would require a bit of work in rclone.

BTW you'll need to put the client_id and client_secret in the config file too, as rclone will need them to re-validate the token when it expires, I think.

If you can get a token with your curl command, you can try putting that in the rclone config file - does that work?

This was also new to me, but it seems to be correct. In the RFC it is described as follows:

either authorization server credentials (handle-based design; see Section 3.1) or authorization server shared secret/public key

And yes, it is mandatory to store the client_id and client_secret and auth_url and token_url, as these URLs have to contain the tenantId as described by Microsoft.

I put the created access_token into the config and yes it is working.

Thanks for your comment, but please be aware that the curl request is using the normal OAuth API from Microsoft titled "First case: Access token request with a shared secret".

They are also using a hacky curl request to demonstrate how to use it.

I got that. Good luck!

If we want to make this work in rclone it is going to need a patch I think.

Do you want to have a go at it?

The relevant bit of rclone is here: rclone/oauthutil.go (rclone/rclone on GitHub).

It in turn calls this library: the oauth2 package (golang.org/x/oauth2), and I think what is needed is to use this package instead: the clientcredentials package (golang.org/x/oauth2/clientcredentials) for the 2-legged OAuth flow...
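For the 2-legged flow described above, here is an added example (not rclone's code, and not using golang.org/x/oauth2) that performs the client_credentials POST with Go's standard library against an in-process stand-in for the tenant token endpoint. The client id, secret and token value are constructed placeholders; the stand-in only checks the form fields that the real endpoint also requires.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// FetchClientCredentialsToken does the 2-legged "shared secret" exchange: one POST to the tenant's token endpoint, no browser and no signed-in user involved.
func FetchClientCredentialsToken(tokenURL, clientID, clientSecret, scope string) (string, error) {
	form := url.Values{
		"client_id":     {clientID},
		"client_secret": {clientSecret},
		"grant_type":    {"client_credentials"},
		"scope":         {scope},
	}
	resp, err := http.Post(tokenURL, "application/x-www-form-urlencoded", strings.NewReader(form.Encode()))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token endpoint returned %s", resp.Status)
	}
	var tr struct{ AccessToken string `json:"access_token"` } // only the field rclone would store
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil || tr.AccessToken == "" {
		return "", fmt.Errorf("no usable access_token in response (err=%v)", err)
	}
	return tr.AccessToken, nil
}

// NewFakeTokenEndpoint stands in for login.microsoftonline.com so the exchange runs offline.
// It rejects anything that is not a client_credentials POST for the Graph .default scope with the expected app credentials, and otherwise returns a constructed (not real) token.
func NewFakeTokenEndpoint(clientID, clientSecret string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.ParseForm() != nil ||
			r.PostForm.Get("grant_type") != "client_credentials" || r.PostForm.Get("scope") != "https://graph.microsoft.com/.default" ||
			r.PostForm.Get("client_id") != clientID || r.PostForm.Get("client_secret") != clientSecret {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"token_type":"Bearer","expires_in":3599,"access_token":"constructed-token"}`)
	}))
}
```

Pointing FetchClientCredentialsToken at the real tenant token URL from the thread (with the same scope) is the same request the curl command above makes.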

Yes, I will try to implement this. My next steps are

  1. set up dev env
  2. hack
  3. create PR

Great :) Let me know if you need help!

Here is how to do a source install

And check out the contributing docs for more stuff on PRs.
