Procedure to obtain refresh token (idempotent and minimal interaction)

[AleixMT]

Hello, I have developed my software using this software as one of its components. From time to time, when I need to reauthorize my application, I waste a lot of time because I do not understand how the app manages the info in the refresh_token file.

Most of the time I launch onedrive with docker run to refresh the token so that in the next execution I can start the app as is, without the interruption to do the authorization. I need to do docker run ... instead of the usual docker compose up onedrive because I need to interact with the stdin of the process to introduce the response URL, with docker compose up I can't do that. My surprise comes when even if I just reauthorized, when I launch onedrive with docker compose up, onedrive ignores the token, says that is too old or says that the request is malformed, so I'm starting to think that it is expecting a token in another location or I have a misconfiguration between docker run and docker compose up, which makes sense because they do different things.

So, basically, my problem is that there is no separation of concerns between the authorization and the onedrive app itself. I was thinking if there could be a way to obtain a valid authentication in my developer machine, and supply that as a secret to docker compose up. In this way, I wouldn't need to do strange things executing onedrive twice, one for auth and another as the real execution.

I also noticed that sometimes when I switch between docker compose up and docker run, it starts downloading files from my personal onedrive instead of the Sharepoint file system that I configured.

I know that my question is very "basic" but I have lost many hours due to this and at this point I'm starting to be super frustrated because it used to work but I do not know why it does not anymore...

This is the relevant of my compose:

  onedrive:
    image: docker.io/driveone/onedrive:edge
    userns_mode: keep-id
    volumes:
      - ./service/onedrive_conf:/onedrive/conf
      - ./service/onedrive_data:/onedrive/data
      - ./service/onedrive_logs:/onedrive/logs
    environment:
      - ONEDRIVE_DOWNLOADONLY=1
      - ONEDRIVE_CLEANUPLOCAL=1
    labels:
      io.containers.autoupdate: "image"
    restart: unless-stopped
    networks:
      - justicier_net
    healthcheck:
      test: sh -c '[ -s /onedrive/conf/items.sqlite3-wal ]'
      interval: 60s
      timeout: 5s
      retries: 2

my config:

sync_dir = "/onedrive/data"
drive_id = "MY_SHAREPOINT_DRIVE_ID"
skip_dir = "SCANNER"


log_dir = "/onedrive/logs/"

sync_dir_permissions = "755"
sync_file_permissions = "644"

resync = "true"
resync_auth = "true"

So, what I do is the following:

• First, I call onedrive sending the config dir as volume so it can store the token and read the configuration:
  docker compose run onedrive -v $(pwd)/service/onedrive_conf:/onedrive/conf
  It asks for authentication, I copy URL to my browser, I login and I copy the answered URL into the process and the process finishes, saying that authentication succeeded but the app was not instructed to do anything else.

After that, I call docker compose up onedrive and I would expect to start syncing, since config is created and auth is too, but instead it complains with "AADSTS9002313: Invalid request. Request is malformed or invalid. Trace ID: 7fe4a980-bb3d-4f40-9817-4122102b5e00 Correlation ID: ee37dede-cc22-41bc-9f21-7ead0fa9154a Timestamp: 2025-08-28 18:27:39Z". Some times it says that the token is actually old and has been revoked.

I am in latest version of the container.

I would like to obtain the two commands (docker run... and docker compose up...) that together authenticate my app and then start them with authentication already on. I would like to understand limitations (if any) sorrounding the authentication. For example:

• Can a authentication be obtained on one computer and then applied into another? Auth depends on the computer that issued the login?
• What is the process to transform an URL into the refresh_token? In that sense, I could obtain the refresh token without really needing to start onedrive container to parse it.
• Is the token really stored in the conf dir? When is it stored? Right after authentication?

I would actually be super happy if I could obtain the authentication token in some way before the deployment (separate the authentication process from the deploy process), and when I want to start my app simply do docker compose up with everything ready to start. I am willing to apply any recommendations or good practices to my configuration.

Finally I want to say thank you for this application as i have been using it for long since it is the only viable option for using OneDrive in Linux. I have been donating from time to time so please have patience with me! 👯

[abraunegg]

@AleixMT

Most of the time I launch onedrive with docker run to refresh the token so that in the next execution I can start the app as is, without the interruption to do the authorization. I need to do docker run ... instead of the usual docker compose up onedrive because I need to interact with the stdin of the process to introduce the response URL, with docker compose up I can't do that

If your 'refresh_token' is not being saved between uses - then you have a deployment and configuration.

Please look at your deployment and your entire configuration as you will have most likely messed up the config path and where the client is storing configuration data including the 'refresh_token'

Can a authentication be obtained on one computer and then applied into another? Auth depends on the computer that issued the login?

100% as this is how everyone does this!

Is the token really stored in the conf dir? When is it stored? Right after authentication?

Yes .. so your Docker / Podman deployment is not correct.

All documented steps have been 100% validated time and time again.

Please read the documentation!

[abraunegg]

@AleixMT

resync = "true"
resync_auth = "true"

Please also stop doing this. Every time you are starting the container, you are blowing away what the client thinks what is insync, thus, has no idea what to do with files that have changed, so, by default the client makes a backup copy of your file so you do not experience data loss.

Please stop this resync by default practice.

[AleixMT]

Definitely, my error took place because I was forcing reauth. Of course, with my config you need to execute the app twice: once for authentication and the other for starting. With forcing reauth you can't make it work the second time. Anyway, my confusion came because the error shown by the app did not correspond with this situation: onedrive ignores the token, says that is too old or says that the request is malformed. Thank you for your time, my problem has been solved.

[abraunegg]

Please do not close discussions

[AleixMT]

Okay, sorry. Won't do.