A question and feature proposal concerning access tokens

I'm having the following security concern with accessing Google Drive via rclone. The access tokens that rclone gets for Google Drive are refreshable, meaning that after they expire it is possible to refresh them without undergoing authorization. If such a token gets compromised then a third party can refresh this token several times to access my Google Drive until I figure out that something is wrong. Fortunately, there is the command rclone config disconnect that revokes a valid access token. This command may be used to "log out" after finished work and thus presents an extra security measure that partially mitigates my concern. But if my refreshable token by any means gets compromised before I revoke it with rclone config disconnect, then it may be refreshed by an unauthorized third party and rclone config disconnect cannot revoke such a token. Is my understanding right?

If so, then it would be nice to have an option to make rclone request a non-refreshable token (if possible with Google API). Also, it would be nice to specify the expire time of the token (again, if Google API allows such requests). Please excuse me if this proposal is not possible to implement, I'm not familiar with app development and Google API in particular.

Side note: Yes, I know that rclone configurations (and so access tokens) should be protected by passwords, similarly as SSH keys should be. But password protection is not 2FA and hence my concern.

If your token was compromised, you'd log into your Google Account and revoke access for that authorized app.

The way rclone works is standard with every app I've ever seen use my Google Account with OAuth, so not sure, as to get authorized you already have to log into your account with whatever 2FA you have set up.

You can also lock down to IP and such if you really wanted to via Google tools in terms of application authorization, so if I was really concerned, I'd make it much tighter.

I don't think that is correct. I think rclone disconnect will work even after the token has been refreshed. It does the same thing as doing the procedure @Animosity022 suggested I'm pretty sure.
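The revocation the replies describe, as an added example that is not part of this thread and not rclone's own code: it reads the token JSON rclone stores in rclone.conf (assumed layout: one INI section per remote with a `token =` line), reports whether it is expired and refreshable, and revokes the whole grant through Google's documented revocation endpoint. Revoking the refresh token invalidates every access token issued from it, including any obtained by someone else through a refresh; the sample config and its token values are constructed placeholders.

```python
import configparser
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

REVOKE_URL = "https://oauth2.googleapis.com/revoke"  # Google's documented revocation endpoint

# Constructed sample rclone.conf with placeholder token values, not real credentials.
SAMPLE_CONF = """[gdrive]
type = drive
token = {"access_token":"ya29.PLACEHOLDER","token_type":"Bearer","refresh_token":"1//PLACEHOLDER","expiry":"2020-01-01T00:00:00.000000Z"}
"""

def load_token(conf_text, remote):
    """Return the token JSON rclone stores under `token =` for the remote."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return json.loads(cp[remote]["token"])

def parse_expiry(value):
    """Parse rclone's RFC 3339 expiry; Go may write up to 9 fractional digits."""
    base, rest = value[:19], value[19:]
    offset = rest.lstrip("0123456789.") or "Z"  # drop the fraction, keep the zone
    return datetime.fromisoformat(base + ("+00:00" if offset == "Z" else offset))

def token_status(tok, now=None):
    """Whether the access token has expired and whether it can be refreshed."""
    now = now or datetime.now(timezone.utc)
    return {"expired": parse_expiry(tok["expiry"]) <= now,
            "refreshable": bool(tok.get("refresh_token"))}

def revoke(tok, post=None):
    """Revoke the whole grant. Google revokes the refresh token and every access
    token issued from it together, so a token refreshed by someone else dies too.
    `post(url, body)` may be injected for offline use; otherwise urllib is used."""
    target = tok.get("refresh_token") or tok["access_token"]
    body = urllib.parse.urlencode({"token": target}).encode()
    if post is not None:
        return post(REVOKE_URL, body)
    req = urllib.request.Request(REVOKE_URL, data=body, headers={
        "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return resp.status  # 200 on success

if __name__ == "__main__":
    tok = load_token(SAMPLE_CONF, "gdrive")
    print(token_status(tok))
    print(revoke(tok, post=lambda url, body: f"would POST {body!r} to {url}"))
```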

This answers my question. Thanks!

NB: I can see no option to mark your answer as the solution...

That would indeed be helpful. But I cannot find such an option when reviewing authorized apps in my Google account settings. I have only found some info that in G suite it is possible to restrict IP addresses for messaging. Can you explain what you mean, @Animosity022?

You log into any Google Site and hit your picture in the top right and select manage account.

You'd see security and hit manage 3rd party access:

Yes, sure, but I can see no way to restrict IP for particular apps. Perhaps I have misunderstood what you meant. Anyway, thanks.

I use redirect_uris for my items:

https://developers.google.com/identity/protocols/oauth2/native-app


And it's locked down so my web apps only can be used for an auth on a redirect I've allowed.
