derrix060 / onedriveClient

A Microsoft OneDrive and OneDrive for Business client for Linux, written in Python3.
MIT License

Why are you redirecting the user's token to another client application/domain? #4

Closed dabassett closed 5 years ago

dabassett commented 6 years ago

I was just trying the configuration steps and these are the instructions and url I've received:

NOTE: To better manage your OneDrive accounts, onedrived needs permission to access your account info (e.g., email address to distinguish different accounts) and read/write your OneDrive files.

Paste this URL into your browser to sign in and authorize onedrived:

https://login.microsoftonline.com/common/oauth2/authorize?redirect_uri=https%3A%2F%2Fod.cnbeining.com&response_type=code&client_id=6fdb55b4-c905-4612-bd23-306c3918217c

The authentication web page will finish with a blank page whose URL starts with "https://od.cnbeining.com". Paste this URL after the prompt. Paste URL here:

The client_id and redirect_uri show that you seem to have registered your own client app to receive the user's auth token. The user is asked to grant this domain (https://od.cnbeining.com) read/write access to their files and profile data.

I'm not accusing you of anything but I think it's a serious security concern if this code is asking users to trust your client software with their business account token. I don't think most users will realize that configuring this client will be entrusting their accounts to a stranger.

derrix060 commented 6 years ago

Yeah, that's the limitation of the project, because I need this permission to download, remove, rename and deal with the files. If you are not so comfortable with this, just fork the project and put your credentials there, that's the better solution in this case.

derrix060 commented 6 years ago

Hello @dabassett, how are you doing?

I've changed some things on the project and now you can use your own domain to authenticate and do everything. Just change the config file with your own credentials, and done.

I will create a tutorial on how to do this later.

Derrix

modelmat commented 5 years ago

As seen in https://github.com/gzxu/onedrive-sync-client/blob/master/onedrive/sdk.py#L76-L85 (and the called code) this service sets the redirect_uri to https://login.microsoftonline.com/common/oauth2/nativeclient, so this could be avoided?

derrix060 commented 5 years ago

Hmm, maybe. I remember that I spent long hours reading Microsoft documentation and each document says to do something different. I will try to use this native client as the redirect and if I can do this, it would be amazing.

modelmat commented 5 years ago

Yup - I know other libraries actually serve a basic webserver and parse the code instead; this also removes the reliance.
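A minimal loopback receiver of the kind described in this comment, added here as an illustration (it is not code from onedriveClient or from any of the libraries mentioned): it generates a per-session `state` value, builds the authorize URL against the same endpoint the configuration prompt prints, and captures the authorization code on 127.0.0.1 so it never transits a third-party domain. The `CLIENT_ID_PLACEHOLDER` value and the `/callback` path are assumptions.

```python
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoint taken from the authorize URL printed by the client's setup prompt.
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/authorize"


def new_state() -> str:
    """Unguessable per-session value; ties the redirect back to this sign-in."""
    return secrets.token_urlsafe(16)


def build_authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Authorization-code request with a loopback redirect and a state parameter."""
    query = {"client_id": client_id, "redirect_uri": redirect_uri,
             "response_type": "code", "state": state}
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(query)}"


def parse_redirect(redirect_url: str, expected_state: str) -> str:
    """Extract the code from the redirect; refuse a missing or foreign state."""
    params = parse_qs(urlparse(redirect_url).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect was not produced by this sign-in")
    if "error" in params:
        raise RuntimeError(params["error"][0])
    return params["code"][0]


class LoopbackReceiver(HTTPServer):
    """One-shot listener on 127.0.0.1; call handle_request() once to collect the code."""
    def __init__(self, expected_state: str):
        super().__init__(("127.0.0.1", 0), _Handler)  # port 0: OS picks a free port
        self.expected_state, self.code, self.error = expected_state, None, None

    @property
    def redirect_uri(self) -> str:
        return f"http://127.0.0.1:{self.server_port}/callback"  # assumed path


class _Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        try:
            self.server.code = parse_redirect(self.path, self.server.expected_state)
            body = b"Signed in. You can close this tab."
        except Exception as exc:
            self.server.error = str(exc)
            body = b"Sign-in failed."
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the code out of the terminal log
        pass
```

The redirect_uri of the receiver must be registered on the app; the code it captures is then exchanged for tokens by the client itself, so nothing sensitive passes through anyone else's domain.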

derrix060 commented 5 years ago

The redirect url is defined when you create a project on graph. I tried to change the url and I got this error:

Sign in
Sorry, but we’re having trouble signing you in.

AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: '6fdb55b4-c905-4612-bd23-306c3918217c'.

:cry:

modelmat commented 5 years ago

Can you not redefine the redirect url on graph?

modelmat commented 5 years ago

Bump? Any luck?

derrix060 commented 5 years ago

Reopening issue to redefine the redirect url

derrix060 commented 5 years ago

Closing again because using the current API is not possible. I've implemented these changes in the branch that is using GraphAPI.