Are you people fine with others your Rclone's client id/secret?

I've seen some projects (dont' think they're affiliated with rclone in anyway) use rclone's client_id & client_secret for Google Drive OAuth in there own apps

Example: goindex/goindex.js at 206e69d47571f6fd91eced5f93fcaf6ab2771bb8 · alx-xlx/goindex · GitHub

There's really no harm in that other than they are choosing a really stupid client ID and secret to use as rclone's is generally over subscribed. The poor folks would be better off making their own.

How do you know that's rclone's?

when you form the sign flow url
Source: oauth2 web server

which is pretty much in format of{CLIENT_ID}&redirect_uri={REDIRECT_URI}&scope={SCOPES}"

you go to account selection > click on app's name (in this case that'd be rclone)

you get:

Choosing an account will redirect you to:

which I'm farily certain is Nick's email address

I can only see the client ID, not the secret when I auth.

You get auth'ed via:


Where are you seeing the secret as well?

Yeah you don't see the secret during sign-in flow, I found the secret in the repo I linked.

I don't know how they got it tbh, don't believe its in the rclone's source code?

Correct, I'm not aware of that being there either, but it's not really anything harmful to the best of my knowledge.

It just allows you to use the API for API quota stuff and since rclone defaults to it, it's silly to use it else where as it's over subscribed and you'd get much better performance making your own.

I'm guessing part of the reason people use rclone's is so they don't have to go through the verification process (required when u use sensitive scopes) which requires ToS page, privacy policy page etc (its a hassle)

I asked this question because I was suggested to use rclone's creds on one of my projects and I was not sure if I should?

It's not a big deal for me tbh, I've added build instruction so ppl can create their own creds but if rclone devs are fine with others using their creds I'd wanna add it to my app as well.

I'd defer to @ncw for input on that part of the discussion to share his input.

I'd probably say to not use if but from a use case, it would be worse to use generally as well.

Security wise, it is no big deal however this is certainly against Google's terms and conditions...

If you come across any projects with more than a handful of users using it let me know and I'll write to them.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.