Congratulations on this fantastic tool!
I’d like to use RClone with my own OAuth2 GCS Client ID + Client Secret; I assume this is the recommended approach anyway, for keeping RClone’s OAuth2 reputation intact. I keep Refresh Tokens for each of my machines / users.
However, my problem is this: from an OAuth2 perspective, client_secret should be kept confidential and hence should not be saved within rclone.conf (or even any other means which can be ‘sniffed’ by a Process Monitor or similar).
I looked up how RClone keeps its own client_secret to try and see if there’s a way to do it securely, but from what I understand it seems that rcloneEncryptedClientSecret is simply obscured by a hard-coded key cryptKey inside obscure.go. I guess this is fine for RClone as an open tool, but is there any recommended workflow / way for using OAuth2 in a secure way? For example, is it possible to provide an “Access Token provider” (i.e. URL / command-line) which RClone would call whenever it needs an Access Token, instead of filling refresh_token + client_secret in rclone.conf?
I realize this may be a complex question, but exposing client_secret on a desktop application is a blocker from a security perspective.
Thanks a lot for any hints / ideas.