Public folders suddenly discontinued in personal OneDrive

, 5 minutes to read

The con­tent stored in the OneDrive file-host­ing ser­vice can be ac­cessed through a web browser, ap­pli­ca­tion or HTTP API. Access to files in fold­ers shared publicly with ev­ery­one wasn’t re­stricted to au­then­ti­cated re­quests only. With dep­re­ca­tion of public fold­ers dis­ap­pears also the abil­ity of an easy ac­cess to OneDrive fold­ers. I found the trick how to keep the cur­rent code with min­i­mal changes while keeping up-to-date with pro­ce­dures re­quired by the lat­est ver­sion of the ser­vice.

Win­dows Live Fold­ers were in­tro­duced in al­most the same time as Drop­box was. The ser­vice was re­named to Win­dows Live Sky­Drive then sim­pli­fied to Sky­Drive and later re­branded to OneDrive. It ab­sorbed the func­tion­al­ity of Win­dows Live Mesh, which is now re­tired. There is also an­other ser­vice us­ing OneDrive in its name. It is OneDrive for Busi­ness, for­merly Sky­Drive Pro. The same de­vel­oper plat­form is shared by Share­Point On­line. The con­tent of this ar­ti­cle is not rel­e­vant for OneDrive for Busi­ness or Share­Point On­line.

In the past I used an OAuth au­then­ti­ca­tion to ac­cess my files stored in OneDrive. The prob­lem was that the app had to ask the user for pro­cess­ing the au­then­ti­ca­tion flow, store to­kens and pe­ri­od­i­cally re­fresh the ac­cess to­ken. The se­cu­rity of this kind wasn’t nec­es­sary be­cause the app was ac­cess­ing the data which were pub­lished on the web site. Then the OneDrive REST API be­comes part of the Mi­crosoft Graph API. At that time, it al­lowed ac­cess to public files from OneDrive without an ac­cess to­ken ob­tained from the au­then­ti­ca­tion flow.

The API for ac­cess­ing public items was fol­low­ing:


Where the item-id looks like this:


It is vis­i­ble in the browser’s URL in the id pa­ram­e­ter, but in URL-en­coded form (! be­comes %21):


The API re­turns the con­tent of the folder se­ri­al­ized in JSON for­mat.

To­day, Mi­crosoft is in a pro­cess of re­mov­ing the public shar­ing fea­ture. It's been sup­pos­edly a source of con­fusion for end users who don't un­der­s­tand the dif­fer­ence be­tween pub­lish­ing some­thing as public and shar­ing a view link to a file. It is log­i­cal con­se­quence of re­mov­ing all warn­ing mes­sage boxes from the UI across all Mi­crosoft prod­ucts. The data that some in­for­ma­tion mes­sage was shown wasn’t tied to the Mi­crosoft ac­count, be­cause link­ing of the Win­dows (lo­cal) ac­count to the Mi­crosoft ac­count was in­tro­duced much later. You had to dis­miss all warn­ing mes­sages again af­ter Win­dows re­in­stal­la­tion. It was con­sidered as an­noy­ing thus in­for­ma­tional mes­sages were re­moved and fea­tures that re­quired safety in­struc­tion be­fore first use with them.

Any­ways we can read in the doc­u­men­ta­tion there is still a pos­si­bil­ity of ac­cess­ing shared files via hy­per­link:


The prob­lem is where you can get the shar­ing to­ken or URL other than from the Mi­crosoft Graph API. The web site gen­er­ates the share link like this:


You have to use the F12 De­vel­oper Tools to catch that the link redi­rects sev­eral times. The first redi­rect is to some­thing sim­i­lar to:


Fol­low­ing redi­rects are not im­por­tant at this time. But it is worth men­tion­ing that while OneDrive re­quires users to sign in with a Mi­crosoft ac­count af­ter fol­low­ing the share link, the OneDrive API of­fers the con­tent through OData pro­to­col without any au­then­ti­ca­tion. The role of the 1drv.ms is link short­en­ing. The im­por­tant is the URL which is ex­panded from the short form. It is the shar­ing URL which the doc­u­men­ta­tion is men­tion­ing about. It can be en­coded with the Base64 en­cod­ing mod­i­fied to use in the URL (by con­ven­tion / is re­placed with _ and + with -).


Some users were af­fected even be­fore this mech­a­nism was doc­u­mented. There was no an­nounce­ment about this change po­ten­tially ef­fect­ing many pro­grams work­ing with OneDrive. I have spent sev­eral hours by in­ves­ti­gat­ing what is go­ing on un­til I found some rea­son­ing from the prod­uct team.