Setting up OneDrive (personal)

If the auth link was broken in general, others wouldn’t have been reporting successful transitions, so I’m guessing it’s something specific to your situation.

Did you try getting another auth key since your current one isn’t working?

Although I would have expected a different error than “Unauthorized”, please be sure you fill this out with the address you want. It’s also simpler to click the “AuthID” link in Duplicati job’s “Destination” screen than to use manual access to Duplicati Oauth Handler (and have to copy the AuthID manually). It should work either way.

How we get along with OAuth explains how Duplicati doesn’t handle your username (email) or password, and looking at the “Sign in”, you will see it’s a Microsoft page. How do I enable and disable Autofill in my browser? explains how you can disable autofill for a test. Autofill: What web devs should know, but don’t is tech details.

The test I ran has both in operation, on different jobs, so at least here the answer is that revoke isn’t needed. This was on my consumer OneDrive, which I suspect is what you have. Is manual URL onedrive.live.com?

I did.

Did that too.

Yes, I use consumer OneDrive and that’s the URL. But the AuthID url is login.microsoftonline.com, which I’ve never seen before anywhere else. I think that’s what’s prompting the autofill (BTW, I don’t use the autofilled email address; I clear it from the field and use the intended consumer email address.) But I suspect the reason the Auth code is invalid is because the login.microsoftonline.com portal is not intended for Office 365 Home subscribers. Is there another one I should be using instead?

EDIT: I tried using a different browser instead and now I get this error message:

Failed to connect: Failed to authorize using the OAuth service: Invalid authid in query. If the problem persists, try generating a new authid token from: Duplicati OAuth Handler

Following the instructions just gives the same error message again.

Multiple times, on different browsers. Each new key is rejected in the same manner. The only thing that has changed the error message so far is switching to Chrome, but the login is still rejected on that browser too. Do you know if the Auth link is specific only to a certain type of OneDrive account? Mine is an Office 365 Home annual subscription. Is it supposed to work for that account type, or is there a different URL for users like myself?

Just tried a different browser profile so that I’d have to sign into OneDrive from scratch and got the same error message.

Another thing: my OneDrive is protected by 2FA. Does this AuthID method support that?

I think I saw some other people mention having issues with two factor authentication - though I think that was before the switch to the new API.

Have you checked out this topic yet?


The v1 API supported 2FA just fine. Literally all my problems with connecting started after it was deprecated.

1st time seeing that thread. I’ve commented there asking the person who managed to solve the issue on their end how they did it. Thanks for the link.

Three shots in the dark:

  1. Try it from the Duplicati OAuth Handler directly instead of on Destination screen, and carefully copy.

  2. Go to https://account.live.com/consent/Manage and look over the Duplicati entry or entries, or if you feel more comfortable navigating, go to your account’s Privacy settings to find “Apps and services”. Probably Duplicati would have below, but probably there was a consent page shown at first creation.

  • Access OneDrive files

  • Maintain access to data you have given Duplicati access to

  3. Invalid authid in query which you were seeing is interesting because AuthID is a Duplicati term, which from source looks superficially (but I also just tested it) like it means your AuthID lacked a colon. Don’t post it here, but do you see any colon in the rest of the random-appearing numbers and letters?

Or maybe this will remain a mystery until the person who got it going says what it actually took to get it going.


Did that multiple times before, no luck.

OK, this was productive. I removed 2 Duplicati entries and then generated a new AuthID in Duplicati settings. Now I get a new (albeit shorter) error message:

Failed to connect: Failed to authorize using the OAuth service: Server error. If the problem persists, try generating a new authid token from: Duplicati OAuth Handler

I’ve since generated a new one and still get the same error message. Any ideas?

And yes, my AuthID code has a colon 🙂

FWIW, I created a matching support thread for this on Microsoft Answers.

The Microsoft Answers thread didn’t mention 2FA (if you’re still using it). Although I’m not sure how that looks in Graph API, do you recall your previous interaction? It would seem like it would have to be somewhere around a Microsoft screen. Duplicati doesn’t handle any 2FA details, and I doubt it even knows that you want to use 2FA, however I’d sort of hope Microsoft doesn’t let it just slide in, if your account is configured for it to be required…

FWIW, I’m having the EXACT same problem as @jdrch, right down to the symptom that the email that shows up initially is my enterprise email, not my consumer onedrive MSA email.

I don’t have any answers but happy to test out suggestions.

Success!
When you are on the Duplicati backup destination screen, it appears that Duplicati is adding an extra (redundant?) authid header in the advanced options. If you delete this advanced option, then generate a new authid, then click test, it seems to now work.


You’re gonna die laughing, but the reverse just worked for me. Brilliant idea. Full start to finish steps, for anyone else with the problem:

  • Go to Sign in to your Microsoft account and search the page for “Duplicati.”
  • Click on each Duplicati entry from the above page
  • In the page that loads afterwards, click Remove. Repeat this until all Duplicati entries on the Manage page are gone
  • In the Duplicati web UI, under Backup Destination, select Microsoft OneDrive V2
  • In path, enter the folder path of the backup in the format Folder/ChildFolder. There are no symbols, indicators, or characters necessary for the root directory.
  • Click the AuthID link and sign into your Microsoft Account
  • Grant Duplicati permissions in the dialog that pops up. This should automatically populate the AuthID field
  • Expand Advanced Options
  • Expand Add advanced option drop down menu
  • Under Microsoft OneDrive V2, select authid: the authorization code
  • In the authid field that opens up above the Add advanced option menu, copy and enter the AuthID generated from the link. Ensure the same AuthID is in the AuthID field under the Backup destination heading.
  • Click Test Connection. You’ll get an error message about “duplicate authid”, but ignore it. The test should be successful.
  • Set up the rest of the backup as the documentation specifies
  • Run the backup and check the live verbose log to ensure there isn’t any connection error.
  • After that backup has completed successfully, go back to the Advanced Options setting and remove the authid entry.
  • Test the connection again. It should pass with no errors.
  • Click Next until you can save the config.
  • Click Save to save the config.

Wow… The AuthID that is entered in the dialog for setting up the backend is encoded into a “connection url”, so it will look something like onedrivev2://folder/subfolder?authid=abc:123.

The idea is that a service wanting to support Duplicati backups can have a button for “copy connection url” that you can paste in and have it all configured.

It should work such that the query parameters from the url override the advanced options, meaning that the override you put into the Advanced options should be ignored, as the url parameters take precedence.

I was guessing that it was an encoding issue, but since it works after you remove the advanced options, it must be something else.

It could be that it is simply the OAuth process that is unstable. I often see in the logs that OAuth fails for all requests towards a specific provider (e.g. Microsoft) for a period, and then starts working again with no change on my side.

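The connection-url behaviour described in the post above, as an added example that is not part of the original post and not Duplicati’s own code: it splits a `onedrivev2://folder/subfolder?authid=abc:123` url into backend, path and query options, lets the url query parameters override anything supplied as advanced options (the precedence the post describes), and reports which options were supplied twice, which is the “duplicate authid” situation from the step list earlier in the thread. The check that an `authid` must contain a colon follows the guess made earlier in this thread and is an assumption about the format; the function names are hypothetical.

```python
from __future__ import annotations

from urllib.parse import parse_qs, urlparse


def parse_connection_url(url: str) -> tuple[str, str, dict[str, str]]:
    """Split a Duplicati-style connection url into (backend, path, query options).

    Assumed layout: <backend>://<folder path>?<option>=<value>&...
    'onedrivev2://folder/subfolder?authid=abc:123'
        -> ('onedrivev2', 'folder/subfolder', {'authid': 'abc:123'})
    """
    parts = urlparse(url)
    if not parts.scheme:
        raise ValueError("connection url has no backend scheme")
    # The first path segment lands in netloc because of the '//'; glue it back on.
    path = (parts.netloc + parts.path).strip("/")
    # parse_qs url-decodes values; keep the last value if a key is repeated.
    query = {k: v[-1] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return parts.scheme, path, query


def validate_authid(authid: str) -> str:
    # Assumption (from the thread): an AuthID is two random parts joined by a colon,
    # and one without the colon is what produces "Invalid authid in query".
    if not authid or ":" not in authid:
        raise ValueError("Invalid authid in query")
    ident, key = authid.split(":", 1)
    if not ident or not key:
        raise ValueError("Invalid authid in query")
    return authid


def build_backend_options(url: str, advanced_options: dict[str, str]) -> dict:
    """Merge url query parameters over advanced options; the url takes precedence."""
    backend, path, query = parse_connection_url(url)
    duplicates = sorted(set(query) & set(advanced_options))
    options = dict(advanced_options)
    options.update(query)  # url parameters win over advanced options
    if "authid" in options:
        validate_authid(options["authid"])
    return {"backend": backend, "path": path, "options": options, "duplicates": duplicates}


if __name__ == "__main__":
    # Constructed sample: the url carries a fresh authid, the advanced options a stale one.
    result = build_backend_options(
        "onedrivev2://folder/subfolder?authid=abc:123",
        {"authid": "stale:old", "timeout": "30"},
    )
    print(result)
```

Running the module prints the merged configuration with `abc:123` as the effective `authid`, `timeout` carried over from the advanced options, and `authid` listed under `duplicates`, which is the condition a UI warning like the one in the thread would be raised on.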

Hi, may be the same problem:
https://forum.duplicati.com/t/problems-with-sign-in-a-command-line-export/5951/5

You are the man!
Similar to jdrch, I went to https://account.live.com/consent/Manage, removed all Duplicati entries. And then I did what you suggested and it works. Thanks!


Hello Guys,

I am writing to you from Germany. So please excuse my bad English. 😉

I followed all the steps exactly as jdrch wrote them. But I still get an authorization error. I use Duplicati on a Synology DS218+ NAS.

What information do you need to help me?

Greetings from Germany!
Nico

An old thread but…
I have family O365. I see my OneDrive (1T per person), and can push things to it!
I have configured Duplicati to use OneDrive. I added a folder on OneDrive, then added that name into the configuration (step 2). Got the Auth code and hit test.
It returned to say that the folder did not exist, did I want to add it? Yes I do!
The backup failed (trailing slash on the name I think).
So I started again, only this time I did not create a folder, but used a different name at step 2.
The test worked, the backup worked!
But where is my backup folder? I cannot see it in OneDrive!
If I re-run the backup, it runs without complaint!
Any ideas?

I have been using Duplicati for some time with various backup destination types, and so far I have been satisfied with it. I am considering whether OneDrive would be an option to add for certain backups going forward, and I read this thread and other related information (e.g. How We Get Along With OAuth - Duplicati 2 User's Manual).

After reading this I am left with a security concern that I am curious to hear opinions about. I think I sort-of understand that Duplicati’s OAuth service has been set up in such a way that the risk is limited if an attacker would compromise the service’s database. But am I wrong in assuming that for this system to be secure, you must place 100% trust in the service itself? It seems to me that it would be very straightforward for someone with access to the service to store all the information required to access OneDrive without the need for the local instance of Duplicati – it would probably just need to store the authid it generates. Even if one trusts the service in principle, wouldn’t an attacker with access to the service have the power to modify it such that authids are stored locally, thereby gaining full access to all OneDrive accounts? Or do I misunderstand something about how this works? (It certainly isn’t my expertise.)

Also, I think I sort-of understand why it isn’t smart to store all information in the local Duplicati instance (all information being whatever the service stores at the moment), but on the other hand I also don’t really understand why it is not an option. If the information is compromised an attacker could have full access to my backups. However, this doesn’t seem different from e.g. a WebDAV destination or any other destination that can be accessed directly by Duplicati (at least not when the OneDrive account is only used for backups). In addition, if attackers can get this information from my local Duplicati installation this almost certainly means my entire system is compromised, which would give them access to the original data anyway (no need to access the backup). So why isn’t this a possibility, to avoid having to trust an external service about which I have no knowledge when it comes to security?

I think I am probably missing something here. Could anyone explain what I am missing?

Yes, that is correct. It is designed such that a leak or access to the stored data in the service does not compromise any tokens.

Yes, that is what tokens do; they allow you to authenticate as the user they were issued for. It is no different than hijacking session tokens in a browser.

That is correct. The authid is essentially a “password” that decrypts the stored token and uses it to authenticate with the destination service.

Sadly, this is required due to the way OAuth is designed. For OAuth to work, the service needs to store a token for each user. In other systems, this is designed to be guarded by a login for the service, but since we do not have users in that sense, the authid covers the role of authenticating and unlocking the secret token for as short a period as possible.

Yes. That is why the service is hosted on Google App Engine, which I count on as being a trusted hosting service that prioritizes security. See also my answer above.

Again, this is due to how OAuth is designed. Each application that uses access via OAuth needs to store an “application secret” that authenticates each request as being emitted by the application. It then serves as a sort of kill-switch that the OAuth owner (e.g. OneDrive) can use to immediately cut off an application that has defects. This limits the impact of a faulty third-party but also requires that the secret is stored outside the application (i.e. on a closed server).

That is sadly a good observation about the logic behind OAuth. And most services (including OneDrive) do not allow you to access the API without authenticating via OAuth (i.e.: you cannot just send your username and password).

Some services have started allowing Personal Access Token (PAT), which is essentially a random extra password for your account with selectable privileges, but this is not common across services yet. If this option is allowed for a backend, it should be used to avoid roundtrips to the OAuth server.

For Duplicati, you can actually implement your own OAuth server and avoid a trusted third party. The source code of the auth-handler is freely available. It runs on Google App Engine but can quickly be adapted to run without the GAE datastore.

However, before you can use OAuth you need to register with the provider (i.e. OneDrive) and create an application. Then you register the allowed callbacks and gather the application secret, and you can run your own trusted OAuth solution.

I hope this is covered?
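A worked model of the design described in the answers above, added here as an illustration; it is not the source of the Duplicati OAuth handler and does not claim to be its actual scheme. The property being shown is the one the answers state: the service stores only an encrypted refresh token, the AuthID is `<record id>:<key>`, and the key half exists only in the AuthID the client holds, so a dump of the service’s datastore yields no usable tokens, while a request with a wrong key is rejected. The cipher used (an HMAC-SHA256 keystream plus an HMAC tag) is a stand-in for whatever the real service uses, and the class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Illustrative stand-in cipher: an HMAC-SHA256 keystream XORed over the plaintext,
# then an HMAC tag over nonce+ciphertext (encrypt-then-MAC). A real service would use
# a standard AEAD; the point of the example is the key split, not this construction.
def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _subkeys(key: bytes) -> tuple:
    # Derive separate encryption and MAC keys from the secret half of the authid.
    return (hashlib.sha256(b"enc|" + key).digest(),
            hashlib.sha256(b"mac|" + key).digest())


def _seal(key: bytes, plaintext: bytes) -> tuple:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def _open(key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("authid does not unlock this record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class OAuthHandlerStore:
    """Hypothetical model of the handler's datastore: one row per issued authid."""

    def __init__(self):
        self.rows = {}  # ident -> (nonce, ciphertext, tag); the key is never stored

    def issue_authid(self, refresh_token: str) -> str:
        # Called once, after the provider's consent flow handed the service a refresh token.
        ident = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self.rows[ident] = _seal(key, refresh_token.encode())
        return f"{ident}:{key.hex()}"  # the only place the key ever exists

    def unlock_token(self, authid: str) -> str:
        # Called on every client request; the key lives in memory only for this call.
        if ":" not in authid:
            raise ValueError("Invalid authid in query")
        ident, key_hex = authid.split(":", 1)
        row = self.rows.get(ident)
        if row is None:
            raise PermissionError("unknown authid")
        try:
            key = bytes.fromhex(key_hex)
        except ValueError:
            raise PermissionError("malformed authid key")
        return _open(key, *row).decode()

    def leaked_bytes(self) -> bytes:
        # Everything an attacker would obtain from a dump of the datastore.
        return b"".join(b"".join(row) for row in self.rows.values())


def leaked_store_reveals(store: OAuthHandlerStore, refresh_token: str) -> bool:
    """True if the raw datastore contents contain the refresh token in the clear."""
    return refresh_token.encode() in store.leaked_bytes()


def is_rejected(store: OAuthHandlerStore, authid: str) -> bool:
    """True if the service refuses to unlock anything for this authid."""
    try:
        store.unlock_token(authid)
    except (PermissionError, ValueError):
        return True
    return False


if __name__ == "__main__":
    store = OAuthHandlerStore()
    token = "constructed-refresh-token-0123456789abcdef"  # constructed sample value
    authid = store.issue_authid(token)
    print("client holds:", authid)
    print("unlocked:", store.unlock_token(authid) == token)
    print("datastore dump reveals token:", leaked_store_reveals(store, token))
    ident = authid.split(":", 1)[0]
    print("wrong key rejected:", is_rejected(store, ident + ":" + "00" * 32))
```

Note what this does and does not cover: it models the datastore-leak case the answers call out, but an attacker who can modify the running service (the other case raised in the question) sees every AuthID as it arrives and is outside what this split protects against, which is exactly why the answer points to self-hosting the handler.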