The content stored in the OneDrive file-hosting service can be accessed through a web browser, application or HTTP API. Access to files in folders shared publicly with everyone wasn’t restricted to authenticated requests only. With deprecation of public folders disappears also the ability of an easy access to OneDrive folders. I found the trick how to keep the current code with minimal changes while keeping up-to-date with procedures required by the latest version of the service.
Windows Live Folders were introduced in almost the same time as Dropbox was. The service was renamed to Windows Live SkyDrive then simplified to SkyDrive and later rebranded to OneDrive. It absorbed the functionality of Windows Live Mesh, which is now retired. There is also another service using OneDrive in its name. It is OneDrive for Business, formerly SkyDrive Pro. The same developer platform is shared by SharePoint Online. The content of this article is not relevant for OneDrive for Business or SharePoint Online.
In the past I used an OAuth authentication to access my files stored in OneDrive. The problem was that the app had to ask the user for processing the authentication flow, store tokens and periodically refresh the access token. The security of this kind wasn’t necessary because the app was accessing the data which were published on the web site. Then the OneDrive REST API becomes part of the Microsoft Graph API. At that time, it allowed access to public files from OneDrive without an access token obtained from the authentication flow.
The API for accessing public items was following:
Where the item-id looks like this:
It is visible in the browser’s URL in the id parameter, but in URL-encoded form (! becomes %21):
The API returns the content of the folder serialized in JSON format.
Today, Microsoft is in a process of removing the public sharing feature. It's been supposedly a source of confusion for end users who don't understand the difference between publishing something as public and sharing a view link to a file. It is logical consequence of removing all warning message boxes from the UI across all Microsoft products. The data that some information message was shown wasn’t tied to the Microsoft account, because linking of the Windows (local) account to the Microsoft account was introduced much later. You had to dismiss all warning messages again after Windows reinstallation. It was considered as annoying thus informational messages were removed and features that required safety instruction before first use with them.
Anyways we can read in the documentation there is still a possibility of accessing shared files via hyperlink:
The problem is where you can get the sharing token or URL other than from the Microsoft Graph API. The web site generates the share link like this:
You have to use the F12 Developer Tools to catch that the link redirects several times. The first redirect is to something similar to:
Following redirects are not important at this time. But it is worth mentioning that while OneDrive requires users to sign in with a Microsoft account after following the share link, the OneDrive API offers the content through OData protocol without any authentication. The role of the 1drv.ms is link shortening. The important is the URL which is expanded from the short form. It is the sharing URL which the documentation is mentioning about. It can be encoded with the Base64 encoding modified to use in the URL (by convention / is replaced with _ and + with -).
Some users were affected even before this mechanism was documented. There was no announcement about this change potentially effecting many programs working with OneDrive. I have spent several hours by investigating what is going on until I found some reasoning from the product team.