forked from TrueCloudLab/rclone
dropbox: add scopes to oauth request and optionally "members.read"
This change adds the scopes rclone wants during the oauth request. Previously rclone left these blank to get a default set. This allows rclone to add the "members.read" scope which is necessary for "impersonate" to work, but only when it is in use as it require authorisation from a Team Admin. See: https://forum.rclone.org/t/dropbox-no-members-read/22223/3
This commit is contained in:
parent
2cdc071b85
commit
37e630178e
2 changed files with 41 additions and 5 deletions
|
@ -94,7 +94,14 @@ const (
|
||||||
var (
|
var (
|
||||||
// Description of how to auth for this app
|
// Description of how to auth for this app
|
||||||
dropboxConfig = &oauth2.Config{
|
dropboxConfig = &oauth2.Config{
|
||||||
Scopes: []string{},
|
Scopes: []string{
|
||||||
|
"files.metadata.write",
|
||||||
|
"files.content.write",
|
||||||
|
"files.content.read",
|
||||||
|
"sharing.write",
|
||||||
|
// "file_requests.write",
|
||||||
|
// "members.read", // needed for impersonate - but causes app to need to be approved by Dropbox Team Admin during the flow
|
||||||
|
},
|
||||||
// Endpoint: oauth2.Endpoint{
|
// Endpoint: oauth2.Endpoint{
|
||||||
// AuthURL: "https://www.dropbox.com/1/oauth2/authorize",
|
// AuthURL: "https://www.dropbox.com/1/oauth2/authorize",
|
||||||
// TokenURL: "https://api.dropboxapi.com/1/oauth2/token",
|
// TokenURL: "https://api.dropboxapi.com/1/oauth2/token",
|
||||||
|
@ -115,6 +122,19 @@ var (
|
||||||
errNotSupportedInSharedMode = fserrors.NoRetryError(errors.New("not supported in shared files mode"))
|
errNotSupportedInSharedMode = fserrors.NoRetryError(errors.New("not supported in shared files mode"))
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// Gets an oauth config with the right scopes
|
||||||
|
func getOauthConfig(m configmap.Mapper) *oauth2.Config {
|
||||||
|
// If not impersonating, use standard scopes
|
||||||
|
if impersonate, _ := m.Get("impersonate"); impersonate == "" {
|
||||||
|
return dropboxConfig
|
||||||
|
}
|
||||||
|
// Make a copy of the config
|
||||||
|
config := *dropboxConfig
|
||||||
|
// Make a copy of the scopes with "members.read" appended
|
||||||
|
config.Scopes = append(config.Scopes, "members.read")
|
||||||
|
return &config
|
||||||
|
}
|
||||||
|
|
||||||
// Register with Fs
|
// Register with Fs
|
||||||
func init() {
|
func init() {
|
||||||
DbHashType = hash.RegisterHash("DropboxHash", 64, dbhash.New)
|
DbHashType = hash.RegisterHash("DropboxHash", 64, dbhash.New)
|
||||||
|
@ -129,7 +149,7 @@ func init() {
|
||||||
oauth2.SetAuthURLParam("token_access_type", "offline"),
|
oauth2.SetAuthURLParam("token_access_type", "offline"),
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
err := oauthutil.Config(ctx, "dropbox", name, m, dropboxConfig, &opt)
|
err := oauthutil.Config(ctx, "dropbox", name, m, getOauthConfig(m), &opt)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Fatalf("Failed to configure token: %v", err)
|
log.Fatalf("Failed to configure token: %v", err)
|
||||||
}
|
}
|
||||||
|
@ -148,7 +168,22 @@ memory. It can be set smaller if you are tight on memory.`, maxChunkSize),
|
||||||
Advanced: true,
|
Advanced: true,
|
||||||
}, {
|
}, {
|
||||||
Name: "impersonate",
|
Name: "impersonate",
|
||||||
Help: "Impersonate this user when using a business account.",
|
Help: `Impersonate this user when using a business account.
|
||||||
|
|
||||||
|
Note that if you want to use impersonate, you should make sure this
|
||||||
|
flag is set when running "rclone config" as this will cause rclone to
|
||||||
|
request the "members.read" scope which it won't normally. This is
|
||||||
|
needed to lookup a members email address into the internal ID that
|
||||||
|
dropbox uses in the API.
|
||||||
|
|
||||||
|
Using the "members.read" scope will require a Dropbox Team Admin
|
||||||
|
to approve during the OAuth flow.
|
||||||
|
|
||||||
|
You will have to use your own App (setting your own client_id and
|
||||||
|
client_secret) to use this option as currently rclone's default set of
|
||||||
|
permissions doesn't include "members.read". This can be added once
|
||||||
|
v1.55 or later is in use everywhere.
|
||||||
|
`,
|
||||||
Default: "",
|
Default: "",
|
||||||
Advanced: true,
|
Advanced: true,
|
||||||
}, {
|
}, {
|
||||||
|
@ -327,7 +362,7 @@ func NewFs(ctx context.Context, name, root string, m configmap.Mapper) (fs.Fs, e
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
oAuthClient, _, err := oauthutil.NewClient(ctx, name, m, dropboxConfig)
|
oAuthClient, _, err := oauthutil.NewClient(ctx, name, m, getOauthConfig(m))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errors.Wrap(err, "failed to configure dropbox")
|
return nil, errors.Wrap(err, "failed to configure dropbox")
|
||||||
}
|
}
|
||||||
|
|
|
@ -639,6 +639,7 @@ func (s *authServer) Init() error {
|
||||||
http.Error(w, "State did not match - please try again", http.StatusForbidden)
|
http.Error(w, "State did not match - please try again", http.StatusForbidden)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
fs.Debugf(nil, "Redirecting browser to: %s", s.authURL)
|
||||||
http.Redirect(w, req, s.authURL, http.StatusTemporaryRedirect)
|
http.Redirect(w, req, s.authURL, http.StatusTemporaryRedirect)
|
||||||
return
|
return
|
||||||
})
|
})
|
||||||
|
|
Loading…
Reference in a new issue