
CasaOS Files OneDrive login fails due to expired/invalid app credentials (AADSTS7000222 / AADSTS700016) #2358

@Battlelamb


Summary

Attempting to add OneDrive via CasaOS Files → Location → + → OneDrive (Personal) consistently fails. Logs show Microsoft AAD errors indicating CasaOS’s embedded app credentials are expired or invalid. The UI flow cannot succeed until CasaOS ships refreshed OneDrive client credentials.

Environment

  • CasaOS: v0.4.15 (binary at /usr/bin/casaos)
  • OS: Ubuntu 24.04 LTS (kernel 6.14.0-27-generic)
  • Host: Dell Inspiron 3576, i5-8250U, 16 GB RAM
  • Docker: 28.3.1
  • Access: CasaOS gateway on port 80
  • Related services: rclone.service enabled for Dropbox/GDrive mounts

Steps to Reproduce

  1. In CasaOS Files, go to Location → click +.
  2. Select OneDrive (Personal).
  3. Complete the Microsoft sign-in and grant permissions.
  4. Observe that the connection does not complete; the OneDrive location is not added.

Expected Behavior

  • OneDrive account successfully connects and mounts under /mnt/<user>_onedrive_<id>.
  • The new location appears in the Files sidebar.

Actual Behavior

  • UI flow ends without a working mount.
  • CasaOS and rclone logs show Microsoft AAD client errors.

Relevant Logs

rclone service logs:

ERROR : rc: "mount/mount": error: failed to get root:
  couldn't fetch token - maybe it has expired?
Response: {"error":"invalid_client",
"error_description":"AADSTS7000222: The provided client secret keys for app 'f073bfc1-1396-48ff-a9a7-93578007222b' are expired."}

CasaOS service logs:

get refresh token:
{"error":"invalid_client",
 "error_description":"AADSTS7000222: The provided client secret keys for app 'f073bfc1-1396-48ff-a9a7-93578007222b' are expired."}

Additional occurrences:

{"error":"unauthorized_client",
 "error_description":"AADSTS700016: Application with identifier '83444633-eef6-4511-a35e-b8fc6dbe22ec' was not found in the directory 'Microsoft Accounts'."}

Diagnosis

  • The embedded Microsoft app used by CasaOS Files for OneDrive has:
    • Expired client secret (AADSTS7000222), and/or
    • Invalid/missing app registration in the target tenant (AADSTS700016).
  • This blocks OAuth token exchange, so the mount can never be created via the UI.

Impact

  • OneDrive cannot be added through the official Files UI.
  • Users must resort to manual rclone configuration to connect OneDrive.

Workarounds (confirmed)

  • Use rclone with a user-provided Azure app and mount via rclone rc:
    • Create remote onedrive in /root/.config/rclone/rclone.conf.
    • Mount with rclone rc to /mnt/my_onedrive.
    • This works independently of CasaOS’s built-in credentials.

Example mount (already working for Dropbox/GDrive):

# via rclone rc (socket provided by rclone.service)
curl --unix-socket /var/run/rclone/rclone.sock \
  -H 'Content-Type: application/json' \
  -d '{"fs":"<your_onedrive_remote>:", "mountPoint":"/mnt/my_onedrive"}' \
  http://localhost/mount/mount

Requested Fix

  • Rotate and ship new OneDrive client credentials for CasaOS Files, or
  • Switch the UI flow to use device code / PKCE with a maintained CasaOS Azure app, and
  • Add a health check that surfaces credential expiry before users start the flow (clear error message + link to release note/issue).

Additional Notes

  • Dropbox and Google Drive work through rclone mounts.
  • Removing “remnants” does not help; the problem is upstream in the credential exchange.

Attachments/Paths

  • CasaOS binary: /usr/bin/casaos
  • Configs: /etc/casaos/
  • CasaOS logs: journalctl -u casaos.service
  • rclone service: journalctl -u rclone.service
  • Mount targets: /mnt/*
  • Verified AAD errors observed between 2025‑09‑17 and 2025‑09‑23.

Labels: bug

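
Added example, not part of the original issue and not CasaOS or rclone code: a Go sketch of the classification step behind the health check asked for under "Requested Fix", reading the OAuth error body out of a log line like those under "Relevant Logs". The names `Finding`, `appFaults` and `Classify` and the advice strings are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Finding is a hypothetical result type for a credential health check.
type Finding struct {
	Code, AppID, Advice string // AADSTS code, quoted client ID, operator hint
	AppFault            bool   // true when the app registration, not the user, is at fault
}

var codeRe = regexp.MustCompile(`AADSTS\d+`)
var appRe = regexp.MustCompile(`'([0-9a-fA-F-]{36})'`)

var appFaults = map[string]string{ // the two codes reported in the issue
	"AADSTS7000222": "client secret expired; signing in again will not help",
	"AADSTS700016":  "app registration missing or invalid for this account type",
}

// Classify finds the OAuth error JSON in a log line or raw response body.
// ok is false when the line carries no OAuth error object.
func Classify(line string) (f Finding, ok bool) {
	start := strings.Index(line, "{")
	if start < 0 {
		return f, false
	}
	var body struct {
		Error string `json:"error"`
		Desc  string `json:"error_description"`
	}
	dec := json.NewDecoder(strings.NewReader(line[start:]))
	if err := dec.Decode(&body); err != nil || body.Error == "" {
		return f, false
	}
	f.Code = codeRe.FindString(body.Desc)
	if m := appRe.FindStringSubmatch(body.Desc); m != nil {
		f.AppID = m[1]
	}
	f.Advice, f.AppFault = appFaults[f.Code]
	return f, true
}

func main() {
	// Sample input: the CasaOS log entry from the issue, joined onto one line.
	f, ok := Classify(`get refresh token: {"error":"invalid_client","error_description":"AADSTS7000222: The provided client secret keys for app 'f073bfc1-1396-48ff-a9a7-93578007222b' are expired."}`)
	fmt.Println(ok, f.Code, f.AppID, f.AppFault, f.Advice)
}
```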