OneDrive: 'account loading...'

[jbostoen]

Describe the bug: just after rolling out this extension for more users, it seems there's an issue between Authenticator and OneDrive. The backup page is stuck on 'account - loading...'

Perhaps something changed on OneDrive, or perhaps it's a bug; how do we debug this?

Platform: Windows 10

• Browser: Chrome, FireFox
• Browser Version: latest versions

In Azure's audit logs, we do see a lot of "app role assignment grant to user" failures (Microsoft.Online.DirectoryServices.UniqueKeyPropertyException)

With my personal/private OneDrive account, it works as expected; but not within our corporate O365 environment.

---

After I explicitly sign out and then sign in again, this appears in the debugger:

Error 403 - XHR GET https://graph.microsoft.com/v1.0/me/drive/special/approot

Request

Accept-Encoding | gzip, deflate, br
-- | --
Accept-Language | en-US,en;q=0.5
Authorization | Bearer   <redacted>
Connection | keep-alive
Cookie | s_preRef=%5B%5B%27neowin.net%27%2C%271492531998951%27%5D%5D;  s_fid=1DB9DB9943B5A8EF-1329F236115FC0EE;  _ga=GA1.2.1340837329.1525429298; LPVID=BkZWMyMWJiOTZjMzdhZWE5;  mbox=PC#b4abd76be1114733b279653e440d54b7.37_0#1677239875\|session#e6381b68c4914f58b5d0e3e2fa11f6ce#1613996935;   MC1=GUID=e539776adb3b46ccb03fb00329f2a55d&HASH=e539&LV=202002&V=4&LU=1580719930235;  MUID=246626B83BF46FDE02132CD03FF46C26; MSCC=1614337854;  mslocale={'u':'nl-be'}
Host | graph.microsoft.com

Response

{
  "error": {
    "code": "accessDenied",
    "message": "Access denied",
    "innerError": {
      "date": "2021-03-24T10:08:39",
      "request-id": "b65d8e4a-064f-4465-a4ac-0d8ec86b1206",
      "client-request-id": "b65d8e4a-064f-4465-a4ac-0d8ec86b1206"
    }
  }
}

Potentially related:

• Unexpected behavior for AppFolder permissions OneDrive/onedrive-api-docs#682
• https://docs.microsoft.com/en-US/onedrive/developer/rest-api/concepts/direct-endpoint-differences?view=odsp-graph-online#permissions -> seems like there's a 2.0 version?
• https://docs.microsoft.com/en-us/graph/permissions-reference#remarks-5 -> see remark: The Files.ReadWrite.AppFolder delegated permission is only valid for personal accounts and is used for accessing the App Root special folder with the OneDrive Get special folder Microsoft Graph API.

[mymindstorm]

Thanks for the detailed report. There are some significant differences between OneDrive business and personal accounts. Currently, it just works with personal accounts. That specific loading indicator is just for displaying the current logged in account.

There seems to be a development M365 subscription that I can test with.

[jbostoen]

It would be wonderful if this could be supported! 😁

We preferred this over Microsoft Authenticator, Google Authenticator and Authy because it integrates so perfectly with a browser and doesn't need a phone number. We have several employees using different devices from time to time.

[jbostoen]

@mymindstorm would it be possible to give us a clue if or when this would be supported please?

[mymindstorm]

if: I'd like to have this supported along with PKCE
when: I am currently working and a full-time college student. I do not have much time to work on new features at the moment. Most of my efforts focus on maintenance. If you submit a PR I would be happy to merge and release it.

[jbostoen]

Thanks! I'm not familiar with developing FireFox extensions, but I might check this out at some point if my employer lets me.

[jbostoen]

I am doing a copy-paste operation to see how far I'd get.
I stumbled upon this section:

Authenticator/src/store/Backup.ts

Line 27 in 63f25ac

state.driveToken = args.value;

Is this a typo? Should that be oneDriveToken?

[mymindstorm]

Is this a typo?

Yes.

I'm pretty sure that the oauth permissions are correct already, so all that needs to be done here:

1. Check if the onedrive account is a buisness account
2. If so figure out what the endpoint is https://docs.microsoft.com/en-us/onedrive/developer/rest-api/concepts/direct-endpoint-differences?view=odsp-graph-online#onedrive-personal-accounts and possibly put it in localstorage
3. Use discovered endpoint here https://github.com/Authenticator-Extension/Authenticator/blob/dev/src/models/backup.ts#L451
4. Modify manifests & permissions requests to allow connections to *.sharepoint.com

[jbostoen]

I was already preparing a pull request where I just copied nearly everything.
Most important aspect is Files.ReadWrite.AppFolder becoming Files.ReadWrite.All

After that, I managed to sign in and I got a functional upload to the professional OneDrive. (using an O365 E3 subscription). If you want to keep it one "OneDrive" class, you probably could read https://docs.microsoft.com/en-us/graph/api/user-list-licensedetails?view=graph-rest-1.0&tabs=http and handle the subscriptions within O365.

[jbostoen]

I think a check could be implemented somewhere along this line:

Authenticator/src/models/backup.ts

Line 536 in 63f25ac

xhr.send(

There, you could either ask a broader permission for all OneDrive users (including personal ones); or implement the check based on license.

[Sneezry]

Most important aspect is Files.ReadWrite.AppFolder becoming Files.ReadWrite.All

Files.ReadWrite should be enough.

[jbostoen]

What would the perfect approach be?
Can the license be determined automatically beforehand?

• Keep OneDrive (business) as separate button
• Add a checkbox or radio button to the OneDrive page, so user has to know and check it manually
• Adjust the original implementation for more permissions => will likely be an issue for backward compatibility

[Sneezry]

To sign in OneDrive for Business requires AAD app (https://docs.microsoft.com/en-us/onedrive/developer/rest-api/getting-started/aad-oauth?view=odsp-graph-online#register-your-app-with-azure-active-directory). As far as I know, Only the AAD app registered in customer organization and Microsoft first party can access to enterprise customer data (OneDrive for Business, for example).

Because this project has no relationship with Microsoft, we are not able to get a first party AAD app. The only one solution may be to ask enterprise customer to create an AAD app in their Azure AD, and provide the service principle (SP) to the extension. However, because the extension saves data locally, it is not recommended to use SP in this way.

[jbostoen]

Actually it worked without having to create any app. As an admin, I did have to consent this app in name of the organization. But after that, it worked like a charm and would be a great help.