Dajbych.net


Public folders suddenly discontinued in personal OneDrive


The content stored in the OneDrive file-hosting service can be accessed through a web browser, application, or HTTP API. Access to files in folders shared publicly with everyone wasn’t restricted to authenticated requests only. With the deprecation of public folders, the ability to easily access OneDrive folders also disappears. I found a trick to keep the current code with minimal changes while staying up-to-date with the procedures required by the latest version of the service.

Windows Live Folders were introduced around the same time as Dropbox. The service was renamed to Windows Live SkyDrive, then simplified to SkyDrive, and later rebranded to OneDrive. It absorbed the functionality of Windows Live Mesh, which is now retired. There is also another service using OneDrive in its name: OneDrive for Business, formerly SkyDrive Pro. The same developer platform is shared by SharePoint Online. The content of this article is not relevant for OneDrive for Business or SharePoint Online.

In the past, I used OAuth authentication to access my files stored in OneDrive. The problem was that the app had to ask the user to go through the authentication flow, store tokens, and periodically refresh the access token. This level of security wasn’t necessary because the app was accessing data published on the website. Then the OneDrive REST API became part of the Microsoft Graph API. At that time, it allowed access to public files from OneDrive without an access token obtained from the authentication flow.

The API for accessing public items was as follows:

https://api.onedrive.com/v1.0/drive/items/{item-id}/children

Where the item-id looks like this:

AB8DAAB49807BE4!140

It is visible in the browser’s URL in the id parameter, but in URL-encoded form (! becomes %21):

https://onedrive.live.com/?id=AB8DAAB49807BE4%21140&cid=0AB8DAAB49807BE4

The API returns the content of the folder serialized in JSON format.

Today, Microsoft is in the process of removing the public sharing feature. It has supposedly been a source of confusion for end users who don't understand the difference between publishing something as public and sharing a view link to a file. It is a logical consequence of removing all warning message boxes from the UI across all Microsoft products. The record that an informational message had already been shown wasn’t tied to the Microsoft account, because linking the Windows (local) account to the Microsoft account was introduced much later. You had to dismiss all warning messages again after reinstalling Windows. This was considered annoying, so informational messages were removed, and so were features that required safety instructions before first use.

Anyway, the documentation says that shared files can still be accessed via a hyperlink:

https://api.onedrive.com/v1.0/shares/{sharingTokenOrUrl}

The problem is where to get the sharing token or URL other than from the Microsoft Graph API. The website generates a share link like this:

https://1drv.ms/f/s!AovxGDBRozRrjQa0_G1V50XOaZku

You have to use the F12 Developer Tools to see that the link redirects several times. The first redirect is to something similar to:

https://onedrive.live.com/redir?resid=6B34A3513018F18B!1670&authkey=!ALT8bVXnRc5pmS4&ithint=folder,

The subsequent redirects are not important here. It is worth mentioning, though, that while OneDrive requires users to sign in with a Microsoft account after following the share link, the OneDrive API offers the content through the OData protocol without any authentication. The role of 1drv.ms is link shortening. The important part is the URL that the short form expands to. It is the sharing URL which the document.

https://api.onedrive.com/v1.0/shares/u!{sharingUrlBase64Encoded}/root?expand=children
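
The `u!{sharingUrlBase64Encoded}` segment is, per Microsoft's shares API documentation, the sharing URL in unpadded base64url with `u!` prepended. The Python below is an added example, not code from the original article: it builds the request URL and reverses the token, which is what you need when auditing which share a logged request touched. The function names are hypothetical, and the sample is the redirect URL printed above.

```python
import base64
from urllib.parse import urlsplit, parse_qs

API_ROOT = "https://api.onedrive.com/v1.0/shares/"  # endpoint quoted in the article

# Redirect URL copied as printed in the article.
SAMPLE_URL = ("https://onedrive.live.com/redir?resid=6B34A3513018F18B!1670"
              "&authkey=!ALT8bVXnRc5pmS4&ithint=folder,")


def encode_sharing_url(sharing_url: str) -> str:
    """Return 'u!' + unpadded base64url of the sharing URL."""
    b64 = base64.urlsafe_b64encode(sharing_url.encode("utf-8")).decode("ascii")
    return "u!" + b64.rstrip("=")  # urlsafe alphabet already uses '-' and '_'


def decode_share_token(token: str) -> str:
    """Reverse the encoding, e.g. to see which share a logged request used."""
    if not token.startswith("u!"):
        raise ValueError("not a u! share token")
    body = token[2:]
    body += "=" * (-len(body) % 4)  # restore the stripped padding
    return base64.urlsafe_b64decode(body).decode("utf-8")


def shares_request_url(sharing_url: str) -> str:
    """Build the folder-listing request in the form shown above."""
    return f"{API_ROOT}{encode_sharing_url(sharing_url)}/root?expand=children"


def token_from_request(request_url: str) -> str:
    """Extract the u! token from a shares request URL (e.g. from a proxy log)."""
    parts = urlsplit(request_url).path.split("/")
    return parts[parts.index("shares") + 1]


def share_parameters(sharing_url: str) -> dict:
    """Pull resid and authkey out of the expanded redirect URL."""
    query = parse_qs(urlsplit(sharing_url).query)
    return {k: query[k][0] for k in ("resid", "authkey") if k in query}


if __name__ == "__main__":
    request = shares_request_url(SAMPLE_URL)
    print(request)
    recovered = decode_share_token(token_from_request(request))
    print(recovered == SAMPLE_URL, share_parameters(recovered))
```

Because the token is only an encoding, anyone who can read a logged request URL can recover the share link and its authkey, so such logs deserve the same handling as the link itself.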

Some users were affected even before this mechanism was documented. There was no announcement about this change potentially affecting many programs working with OneDrive. I spent several hours investigating what was going on until I found some reasoning from the product team.