Best practice for keeping OAuth2 client_secret confidential

#1

Hi all,

Congratulations for this fantastic tool!
I’d like to use RClone with my own OAuth2 GCS Client ID + Client Secret; I assume this is the recommended approach anyway, for keeping RClone’s OAuth2 reputation intact. I keep Refresh Tokens for each of my machines / users.

However, my problem is this: from an OAuth2 perspective, client_secret should be kept confidential and hence should not be saved within rclone.conf (or even any other means which can be ‘sniffed’ by a Process Monitor or similar).

I looked up how RClone keeps its own client_secret to try and see if there’s a way to do it securely, but from what I understand it seems that rcloneEncryptedClientSecret is simply obscured by a hard-coded key cryptKey inside obscure.go. I guess this is fine for RClone as an open tool, but is there any recommended workflow / way for using OAuth2 in a secure way? For example, is it possible to provide an “Access Token provider” (i.e. URL / command-line) which RClone would call whenever it needs an Access Token, instead of filling refresh_token + client_secret in rclone.conf?

I realize this may be a complex question, but exposing client_secret on a desktop application is a blocker from a security perspective.

Thanks a lot for any hints / ideas.

#2

Actually I think I may have found a solution: directly writing the “access_token” into rclone.conf along with some dummy refresh_token.

#3

You can encrypt the config file, but the use will need to know the decryption password.

That is correct. It isn’t an ideal solution, but in my opinion the client_secret isn’t that important. It doesn’t allow access to any other data, all it does is identify the client. If compromised then your client can be spoofed which I don’t think is a big deal.

An interesting idea…

Maybe it could be generalised for every config variable, so if there was backend_setting then backend_setting_command would be a command to run to read it. Probably not too tricky…

You can pass config to rclone via environment variables , command line options, and the config file all of which are visible to the determined user. rclone could potentially overwrite sensitive environment variables I suppose.

That will work, but long running transfers (running longer than the token age) will need a refresh token.

#4

Thank you Nick. The intermediate solution will reliable enough for what I need.
Truly an amazing product you’ve developed!
Cheers,
Eyal

1 Like