Congratulations on this fantastic tool!
I’d like to use RClone with my own OAuth2 GCS Client ID + Client Secret; I assume this is the recommended approach anyway, for keeping RClone’s OAuth2 reputation intact. I keep Refresh Tokens for each of my machines / users.
However, my problem is this: from an OAuth2 perspective, client_secret should be kept confidential and hence should not be saved within rclone.conf (or even any other means which can be ‘sniffed’ by a Process Monitor or similar).
I looked up how RClone keeps its own client_secret to try and see if there’s a way to do it securely, but from what I understand it seems that rcloneEncryptedClientSecret is simply obscured by a hard-coded key cryptKey inside obscure.go. I guess this is fine for RClone as an open tool, but is there any recommended workflow / way for using OAuth2 in a secure way? For example, is it possible to provide an “Access Token provider” (i.e. URL / command-line) which RClone would call whenever it needs an Access Token, instead of filling refresh_token + client_secret in rclone.conf?
I realize this may be a complex question, but exposing client_secret on a desktop application is a blocker from a security perspective.
You can encrypt the config file, but the user will need to know the decryption password.
That is correct. It isn’t an ideal solution, but in my opinion the client_secret isn’t that important. It doesn’t allow access to any other data, all it does is identify the client. If compromised then your client can be spoofed which I don’t think is a big deal.
An interesting idea…
Maybe it could be generalised for every config variable, so if there was backend_setting then backend_setting_command would be a command to run to read it. Probably not too tricky…
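A sketch of the lookup proposed above, added here as an illustration and not rclone's own code: a backend key can be given as a literal value or as `<key>_command`, whose stdout supplies the value so the secret itself never has to sit in the config file. The `Config` type, function names and the sample `echo` command are assumptions for the example.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// Config is a flat backend section, like the [gcs] section of rclone.conf.
// (Constructed type for this example; not rclone's internal representation.)
type Config map[string]string

// ResolveSetting returns the value for key. If "<key>_command" is set, the
// command is run and its trimmed stdout is the value. Setting both a literal
// and a command for the same key is rejected as ambiguous rather than
// silently preferring one, so a stale plaintext secret cannot win.
func ResolveSetting(cfg Config, key string) (string, error) {
	literal, hasLiteral := cfg[key]
	command, hasCommand := cfg[key+"_command"]
	switch {
	case hasLiteral && hasCommand:
		return "", fmt.Errorf("%s: both a value and %s_command are set", key, key)
	case hasCommand:
		return runSettingCommand(command)
	case hasLiteral:
		return literal, nil
	default:
		return "", fmt.Errorf("%s: not configured", key)
	}
}

// runSettingCommand runs the command without a shell (split on whitespace,
// so shell quoting is deliberately unsupported) and returns its stdout with
// surrounding whitespace removed, since most secret stores print a newline.
func runSettingCommand(command string) (string, error) {
	fields := strings.Fields(command)
	if len(fields) == 0 {
		return "", fmt.Errorf("empty command")
	}
	out, err := exec.Command(fields[0], fields[1:]...).Output()
	if err != nil {
		return "", fmt.Errorf("%q: %w", command, err)
	}
	value := strings.TrimSpace(string(out))
	if value == "" {
		return "", fmt.Errorf("%q: produced no output", command)
	}
	return value, nil
}
```

With a real secret store the command would be something like a keychain or vault CLI call; `echo` is used only so the example runs offline.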
You can pass config to rclone via environment variables, command line options, and the config file, all of which are visible to the determined user. rclone could potentially overwrite sensitive environment variables I suppose.
That will work, but long running transfers (running longer than the token age) will need a refresh token.