WebDAV throws authentication error even when bearer_token is provided

What is the problem you are having with rclone?

I used rclone to access documents in my SharePoint site. I generate a bearer token and use it in rclone.conf. Plus, I leave user and pass blank.

When using simple rclone commands, e.g. rclone ls in this case, I got this error:
wst:FailedAuthentication: Authentication Failure (AADSTS500127: No authenticated credentials found in request.)

It seems like even when the bearer_token is provided, it still requires the user/pass.

What is your rclone version (output from rclone version)

rclone v1.51.0

  • os/arch: linux/amd64
  • go version: go1.13.7

Which OS you are using and how many bits (eg Windows 7, 64 bit)

Fedora 30, 64 bit

Which cloud storage system are you using? (eg Google Drive)

SharePoint with Webdav

The command you were trying to run (eg rclone copy /tmp remote:tmp)

rclone ls sp:/

A log from the command with the -vv flag (eg output from rclone -vv copy /tmp remote:tmp)

2020/05/06 13:46:54 DEBUG : Using config file from "/home/buidohiep/.config/rclone/rclone.conf"
2020/05/06 13:46:54 Failed to create file system for "aaa:/": wst:FailedAuthentication: Authentication Failure (AADSTS500127: No authenticated credentials found in request.)

Can you post your config file with the secrets XXX-ed out?

Can you also do rclone lsf sp:/ -vv --dump bodies --low-level-retries 1 --retries 1 and post that output please?

Thanks

@ncw thanks for your reply.
Here is my config:

[sp]
type = webdav
url = https://hiepbuianduin.sharepoint.com/
vendor = sharepoint
bearer_token = eyJ0e....WLke9Q

Here is the result from the command lsf sp:/ -vv --dump bodies --low-level-retries 1 --retries 1

2020/05/07 12:13:19 DEBUG : rclone: Version "v1.51.0" starting with parameters ["rclone" "lsf" "aaa:/" "-vv" "--dump" "bodies" "--low-level-retries" "1" "--retries" "1"]
2020/05/07 12:13:19 DEBUG : Using config file from "/home/buidohiep/.config/rclone/rclone.conf"
2020/05/07 12:13:19 DEBUG : You have specified to dump information. Please be noted that the Accept-Encoding as shown may not be correct in the request and the response may not show Content-Encoding if the go standard libraries auto gzip encoding was in effect. In this case the body of the request will be gunzipped before showing it.
2020/05/07 12:13:19 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2020/05/07 12:13:19 DEBUG : HTTP REQUEST (req 0xc0004f0900)
2020/05/07 12:13:19 DEBUG : POST /extSTS.srf HTTP/1.1
Host: login.microsoftonline.com
User-Agent: rclone/v1.51.0
Content-Length: 1298
Accept-Encoding: gzip

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">https://login.microsoftonline.com/extSTS.srf</a:To>
<o:Security s:mustUnderstand="1"
 xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:UsernameToken>
  <o:Username></o:Username>
  <o:Password></o:Password>
</o:UsernameToken>
</o:Security>
</s:Header>
<s:Body>
<t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <a:EndpointReference>
    <a:Address>https://hiepbuianduin.sharepoint.com/</a:Address>
  </a:EndpointReference>
</wsp:AppliesTo>
<t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
<t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
</t:RequestSecurityToken>
</s:Body>
</s:Envelope>
2020/05/07 12:13:19 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2020/05/07 12:13:19 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2020/05/07 12:13:19 DEBUG : HTTP RESPONSE (req 0xc0004f0900)
2020/05/07 12:13:19 DEBUG : HTTP/1.1 200 OK
Content-Length: 1412
Cache-Control: no-cache, no-store
Content-Type: application/soap+xml; charset=utf-8
Date: Thu, 07 May 2020 05:13:19 GMT
Expires: -1
P3p: CP="DSP CUR OTPi IND OTRi ONL FIN"
Pragma: no-cache
Set-Cookie: fpc=An9I0xVdPk5Dg-ZvfFrPYhHJhsaMAQAAAO-PRdYOAAAA; expires=Sat, 06-Jun-2020 05:13:19 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: x-ms-gateway-slice=prod; path=/; SameSite=None; secure; HttpOnly
Set-Cookie: stsservicecookie=ests; path=/; SameSite=None; secure; HttpOnly
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Ms-Ests-Server: 2.1.10519.7 - HKG1 ProdSlices
X-Ms-Request-Id: fa7d3f64-eb56-46f1-8c95-95fd6a525a00

<?xml version="1.0" encoding="utf-8"?><S:Envelope xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:S="http://www.w3.org/2003/05/soap-envelope"><S:Header><psf:pp xmlns:psf="http://schemas.microsoft.com/Passport/SoapServices/SOAPFault"><psf:serverVersion>1</psf:serverVersion><psf:authstate>0x80048800</psf:authstate><psf:reqstatus>0x80048821</psf:reqstatus><psf:serverInfo ServerTime="2020-05-07T05:13:19.2958159Z">PROD-HKG1-017.ProdSlices rid:fa7d3f64-eb56-46f1-8c95-95fd6a525a00</psf:serverInfo></psf:pp></S:Header><S:Body xmlns:S="http://www.w3.org/2003/05/soap-envelope"><S:Fault><S:Code><S:Value>S:Sender</S:Value><S:Subcode><S:Value>wst:FailedAuthentication</S:Value></S:Subcode></S:Code><S:Reason><S:Text xml:lang="en-US">Authentication Failure</S:Text></S:Reason><S:Detail><psf:error xmlns:psf="http://schemas.microsoft.com/Passport/SoapServices/SOAPFault"><psf:value>0x80048821</psf:value><psf:internalerror><psf:code>0x80048821</psf:code><psf:text>AADSTS500127: No authenticated credentials found in request.</psf:text></psf:internalerror></psf:error></S:Detail></S:Fault></S:Body></S:Envelope>
2020/05/07 12:13:19 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2020/05/07 12:13:19 Failed to create file system for "aaa:/": wst:FailedAuthentication: Authentication Failure (AADSTS500127: No authenticated credentials found in request.)

Thanks for the log - very helpful!

I can see this is rclone trying to get the odrive cookie which is a sharepoint special...

The request is done without auth, hence the failure. I can make it use the auth, but I think you probably don't need those cookies at all. Can you try this, which sets the provider to something else?

lsf sp:/ -vv --dump bodies --low-level-retries 1 --retries 1 --webdav-provider other

Hopefully from those logs I can figure out what to do next.

Expected outcomes are one of

  1. works!
  2. authenticates OK but since we haven't applied the Sharepoint quirks goes wrong in a different way
  3. complains about missing cookies

My prediction is 2 but we'll see :slight_smile:

I guess you mean --webdav-vendor other.

This is the result when I try the command rclone lsf sp:/ -vv --dump bodies --low-level-retries 1 --retries 1 --webdav-vendor other:

2020/05/08 16:30:18 DEBUG : rclone: Version "v1.51.0" starting with parameters ["rclone" "lsf" "sp:/" "-vv" "--dump" "bodies" "--low-level-retries" "1" "--retries" "1" "--webdav-vendor" "other"]
2020/05/08 16:30:18 DEBUG : Using config file from "/home/buidohiep/.config/rclone/rclone.conf"
2020/05/08 16:30:18 DEBUG : You have specified to dump information. Please be noted that the Accept-Encoding as shown may not be correct in the request and the response may not show Content-Encoding if the go standard libraries auto gzip encoding was in effect. In this case the body of the request will be gunzipped before showing it.
2020/05/08 16:30:18 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2020/05/08 16:30:18 DEBUG : HTTP REQUEST (req 0xc0002b0600)
2020/05/08 16:30:18 DEBUG : PROPFIND / HTTP/1.1
Host: hiepbuianduin.sharepoint.com
User-Agent: rclone/v1.51.0
Authorization: XXXX
Depth: 1
Referer: https://hiepbuianduin.sharepoint.com/
Accept-Encoding: gzip

2020/05/08 16:30:18 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2020/05/08 16:30:18 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2020/05/08 16:30:18 DEBUG : HTTP RESPONSE (req 0xc0002b0600)
2020/05/08 16:30:18 DEBUG : HTTP/2.0 401 Unauthorized
Content-Length: 16
Content-Type: text/plain; charset=utf-8
Date: Fri, 08 May 2020 09:30:18 GMT
Microsoftsharepointteamservices: 16.0.0.20029
Ms-Cv: n1BcvimwAABFotjVkZhUSg.0
P3p: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Request-Id: be5c509f-b029-0000-45a2-d8d59198544a
Sprequestguid: be5c509f-b029-0000-45a2-d8d59198544a
Www-Authenticate: Bearer realm="88756440-3d37-4db6-b3da-9a81e855f2ab",client_id="00000003-0000-0ff1-ce00-000000000000",trusted_issuers="00000001-0000-0000-c000-000000000000@*,D3776938-3DBA-481F-A652-4BEDFCAB7CD8@*,https://sts.windows.net/*/,00000003-0000-0ff1-ce00-000000000000@90140122-8516-11e1-8eff-49304924019b",authorization_uri="https://login.windows.net/common/oauth2/authorize"
X-Content-Type-Options: nosniff
X-Ms-Invokeapp: 1; RequireReadOnly
X-Ms-Suspended-Features: features=""
X-Msedge-Ref: Ref A: 29506667F37F4A0CA7269F6F90CCD1DE Ref B: HK2EDGE0710 Ref C: 2020-05-08T09:30:18Z
X-Powered-By: ASP.NET
X-Sharepointhealthscore: 1

401 UNAUTHORIZED
2020/05/08 16:30:18 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2020/05/08 16:30:18 ERROR : : error listing: couldn't list files: 401 UNAUTHORIZED: 401 Unauthorized
2020/05/08 16:30:18 Failed to lsf with 2 errors: last error was: error in ListJSON: couldn't list files: 401 UNAUTHORIZED: 401 Unauthorized

Sorry, yes!

Ah, a non-listed option :wink:

It is passing the bearer token in Authorization: XXXX but still no auth.

You can use --dump bodies,auth if you want to check the Authorization header looks correct (but don't post it here!).

I looked at the cookie code and it is expecting a username and password to pass to a login api so I don't think that will work changing that to use a bearer token.

Can you use the bearer token with anything else so we know it is working? Maybe with curl?

How did you make the bearer token - can you point me at some docs?
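
For the advice above about not posting the output of --dump bodies,auth, here is a redaction pass to run over an rclone dump or rclone.conf excerpt before sharing it. It is an added example, not part of the original thread or of rclone; the function names and the sample input are constructed for illustration.

```python
import re

HEADER_RE = re.compile(r"^(?P<name>[A-Za-z-]+):\s*(?P<value>.+)$")
# rclone.conf keys holding secrets; bearer_token is the one used in this thread.
CONF_RE = re.compile(r"^(?P<key>\s*(?:bearer_token|pass)\s*=\s*)\S.*$")
# Three base64url segments starting with "eyJ" look like a JWT wherever they occur.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def _mask_pair(pair):
    """Keep a cookie's name, drop its value."""
    name, sep, _ = pair.strip().partition("=")
    return f"{name}{sep}REDACTED" if sep else pair.strip()


def redact_line(line):
    m = HEADER_RE.match(line)
    if m:
        name, value = m.group("name"), m.group("value")
        lower = name.lower()
        if lower in ("authorization", "proxy-authorization"):
            scheme, _, credential = value.partition(" ")
            return f"{name}: {scheme} REDACTED" if credential else f"{name}: REDACTED"
        if lower == "set-cookie":
            # Keep the cookie name and attributes, mask only the value.
            first, sep, attrs = value.partition(";")
            return f"{name}: {_mask_pair(first)}{sep}{attrs}"
        if lower == "cookie":
            return f"{name}: " + "; ".join(_mask_pair(p) for p in value.split(";"))
    m = CONF_RE.match(line)
    if m:
        return m.group("key") + "REDACTED"
    # Catch tokens echoed in bodies or debug lines.
    return JWT_RE.sub("REDACTED-JWT", line)


def redact(text):
    return "\n".join(redact_line(line) for line in text.splitlines())


# Constructed sample: config line plus request and response headers.
SAMPLE = """\
bearer_token = eyJhbGciOiJub25lIn0.eyJhdWQiOiJ4In0.c2ln
2020/05/08 16:30:18 DEBUG : PROPFIND / HTTP/1.1
Host: example.sharepoint.com
Authorization: Bearer eyJhbGciOiJub25lIn0.eyJhdWQiOiJ4In0.c2ln
Set-Cookie: fpc=CONSTRUCTEDVALUE; path=/; secure; HttpOnly
"""

if __name__ == "__main__":
    print(redact(SAMPLE))
```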

Ah, a non-listed option :wink:

Could you elaborate more on this?

You can use --dump bodies,auth if you want to check the Authorization header looks correct (but don't post it here!).

Right, I can see the whole token is there.

Can you use the bearer token with anything else so we know it is working? Maybe with curl ?
How did you make the bearer token - can you point me at some docs?

I followed the guide from this Medium post https://medium.com/@anoopt/accessing-sharepoint-data-using-postman-sharepoint-rest-api-76b70630bcbf. I followed the post to create the bearer token and tried it with some file/folder API https://docs.microsoft.com/en-us/sharepoint/dev/sp-add-ins/working-with-folders-and-files-with-rest using Postman and it worked.

P/S: The forum keeps saying that I am not able to include links in my post, so I have to put them in the ``

We don't allow new users to post links as it creates spam problems with new accounts. I upgraded your account.

Sorry that was just my little joke! I made a prediction as to what would happen with the listed options and it wasn't any of them :slight_smile:

Ah, those docs seem to show the token is for the sharepoint API not for the webdav interface.

Can I ask why you are trying to use a bearer token? You should be able to use sharepoint either with the onedrive backend or with the webdav backend + the sharepoint vendor - it shouldn't need any special configuration.
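
When a bearer token is rejected with 401 as in the log above, one local check is to compare the token's claims with the Www-Authenticate challenge the server returned. The sketch below is an added example, not part of the original thread or of rclone: it decodes the token without verifying its signature and reports audience, realm and expiry mismatches. The substring comparison is a heuristic assumed here, the function names are hypothetical, and a clean result does not show that the WebDAV endpoint accepts this kind of token.

```python
import base64
import json
import re
import time


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def parse_bearer_challenge(header):
    """Split 'Bearer k="v",k2="v2"' into a dict of its parameters."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


def diagnose(token, challenge_header, now=None):
    """Return mismatches between the token's claims and the 401 challenge."""
    claims = jwt_claims(token)
    challenge = parse_bearer_challenge(challenge_header)
    now = time.time() if now is None else now
    aud = claims.get("aud", [])
    audiences = aud if isinstance(aud, list) else [aud]
    findings = []
    client_id = challenge.get("client_id")
    if client_id and not any(client_id in str(a) for a in audiences):
        findings.append(f"aud {audiences} does not name resource {client_id}")
    realm = challenge.get("realm")
    issued_for = " ".join(str(claims.get(k, "")) for k in ("aud", "iss", "tid"))
    if realm and realm not in issued_for:
        findings.append(f"token is not tied to realm {realm}")
    if claims.get("exp", 0) <= now:
        findings.append("token is expired or has no exp claim")
    return findings


def constructed_token(claims):
    """Build an unsigned sample token for testing (constructed, not a real one)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "c2ln"])
```

Call diagnose() with the real token and the Www-Authenticate value copied from the --dump output; keep the token itself out of anything you post.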

Ah, those docs seem to show the token is for the sharepoint API not for the webdav interface.

Well, that may be true, but I couldn't find any resource or topic talking about this, seems like no hope for me :frowning:

Can I ask why you are trying to use a bearer token? You should be able to use sharepoint either with the onedrive backend or with the webdav backend + the sharepoint vendor - it shouldn't need any special configuration.

I chose bearer_token as using it is considered a safer choice compared to using plain username/password. I tried using the OneDrive backend, but OneDrive for Business couldn't recognize the Shared drive and can only get the My File drive, which means it can't access the SharePoint site documents.

:frowning:

Try the latest beta for this - some improvements were made in this area. It still might not work though.
