Are you people fine with others using your Rclone's client id/secret?

I've seen some projects (don't think they're affiliated with rclone in any way) use rclone's client_id & client_secret for Google Drive OAuth in their own apps

Example: goindex/goindex.js at 206e69d47571f6fd91eced5f93fcaf6ab2771bb8 · alx-xlx/goindex · GitHub

There's really no harm in that other than they are choosing a really stupid client ID and secret to use as rclone's is generally over subscribed. The poor folks would be better off making their own.

How do you know that's rclone's?

When you form the sign-in flow URL
Source: oauth2 web server

which is pretty much in the format of

https://accounts.google.com/o/oauth2/auth?response_type=code&access_type=offline&client_id={CLIENT_ID}&redirect_uri={REDIRECT_URI}&scope={SCOPES}

you go to account selection > click on app's name (in this case that'd be rclone)

you get:

Email: nickcw@gmail.com
Choosing an account will redirect you to: https://forum.rclone.org

which I'm fairly certain is Nick's email address
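A small inspector for the authorization URL format quoted above, added here as an example and not code from the thread or from rclone: it builds such a URL and reads back the client_id, redirect_uri and scopes, which is all you can observe during sign-in (the secret is never in this URL). The client ID, redirect URI and the "known shared client" list are constructed placeholders.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"

# Constructed placeholder: IDs of OAuth clients you consider shared/oversubscribed.
KNOWN_SHARED_CLIENT_IDS = {"000000000000-sharedexample.apps.googleusercontent.com"}


def build_auth_url(client_id, redirect_uri, scopes, state=None):
    """Build the Google OAuth authorization URL in the format quoted in the thread."""
    params = {
        "response_type": "code",
        "access_type": "offline",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # Google takes space-separated scopes
    }
    if state:
        params["state"] = state  # CSRF token for the callback, if the app uses one
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def inspect_auth_url(url):
    """Extract what an end user (or an auditor) can see from the sign-in URL.

    Tells you which OAuth client an app is using and which scopes it asks for;
    flags the URL if a client_secret is (wrongly) present in the query string,
    and if the client_id is one from the shared list above.
    """
    query = parse_qs(urlsplit(url).query)
    client_id = query.get("client_id", [None])[0]
    return {
        "client_id": client_id,
        "redirect_uri": query.get("redirect_uri", [None])[0],
        "scopes": query.get("scope", [""])[0].split(),
        "secret_in_url": "client_secret" in query,
        "uses_shared_client": client_id in KNOWN_SHARED_CLIENT_IDS,
    }


if __name__ == "__main__":
    # Constructed sample values, not a real client.
    url = build_auth_url(
        "000000000000-sharedexample.apps.googleusercontent.com",
        "http://localhost:8080/callback",
        ["https://www.googleapis.com/auth/drive"],
    )
    print(inspect_auth_url(url))
```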

I can only see the client ID, not the secret when I auth.

You get auth'ed via:

image

Where are you seeing the secret as well?

Yeah you don't see the secret during sign-in flow, I found the secret in the repo I linked.

I don't know how they got it tbh, don't believe it's in rclone's source code?

Correct, I'm not aware of that being there either, but it's not really anything harmful to the best of my knowledge.

It just allows you to use the API for API quota stuff and since rclone defaults to it, it's silly to use it elsewhere as it's over subscribed and you'd get much better performance making your own.

I'm guessing part of the reason people use rclone's is so they don't have to go through the verification process (required when you use sensitive scopes) which requires a ToS page, privacy policy page etc (it's a hassle)

I asked this question because I was suggested to use rclone's creds on one of my projects and I was not sure if I should?

It's not a big deal for me tbh, I've added build instructions so people can create their own creds but if rclone devs are fine with others using their creds I'd wanna add it to my app as well.

I'd defer to @ncw for input on that part of the discussion to share his input.

I'd probably say to not use it, but from a use case, it would be worse to use generally as well.

Security wise, it is no big deal however this is certainly against Google's terms and conditions...

If you come across any projects with more than a handful of users using it let me know and I'll write to them.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.