@ncw First of all, thank you for the response and your work on Rclone! I appreciate it.
The access tokens typically expire within 1 hour.
This is where Refresh tokens come in, which Rclone already handles.
I think you might be thinking about the Implicit flow for public clients (which is old and basically being deprecated). You are correct that "The implicit grant flow does not issue refresh tokens..."
Now the current spec and recommendation is to use both client types, Confidential & Public (but especially Public), with Proof Key for Code Exchange (PKCE).
"Refresh tokens are, and always will be, completely opaque to your application. They are long-lived e.g., 90 days for public clients, but the app should not be written to expect that a refresh token will last for any period of time."
Here are the reference(s):
- https://docs.microsoft.com/en-us/advertising/guides/authentication-oauth-identity-platform?view=bingads-13#refresh-accesstoken
- https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
This reference/spec also shows where we simply need to perform the following:
- Generate a code_verifier
- Send a code_challenge and code_challenge_method in the initial Request for User Consent
- Send code_verifier in the Request for Access Token
Here is another reference that really helps simplify the flow and steps even further and really helps clarify a lot of confusion (for me at least) regarding how Public clients can be handled given the circumstances.
- https://medium.com/@software_factotum/pkce-public-clients-and-refresh-token-d1faa4ef6965
- Video of OAuth Flow with (PKCE) https://www.youtube.com/watch?v=nyjEDSGwN1o
In the end, it seems that you are correct in that whether Rclone is implemented as a Web Client or Public Client doesn't really matter because the App/Client can be impersonated in either case. (E.g. the client_secret is exposed, or doesn't exist, leaving no way for the Auth Server to truly confirm the client's true identity). This bothers me because there is so much information out there about separating Public Clients from Web Clients, it makes me think I could still be missing something. Either way, PKCE is mostly introduced to further harden all OAuth 2 apps to help prevent Tokens from being stolen and easily used by attackers. I still think switching Rclone to the Public Client and implementing things as recommended by the specification would help prevent confusion and even make configuration a bit easier on end users.
Please let me know what you think.
I guess I'm documenting the following more for myself as future reference:
I'm starting to understand why this is/was quite confusing as I continue to read more and become more familiar. Here are some examples of questions that represent the confusion:
- Are there any actual limitations to using a public client? If not, what's the real difference between using a Confidential Client with a client_secret (exposed in the app) vs. using a Public Client without a client secret?
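The three PKCE steps listed in the comment above (generate a code_verifier, send code_challenge and code_challenge_method in the consent request, send code_verifier in the token request), as an added Go example that is not part of this comment or of rclone's own code; the client id and redirect URI are placeholders, and VerifyChallenge shows the authorization server's side of the check, which the comment does not spell out.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/url"
)

// NewCodeVerifier returns 32 random bytes base64url-encoded (no padding, per RFC 7636): 43 chars, the RFC minimum.
func NewCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// CodeChallengeS256 derives BASE64URL(SHA256(ASCII(code_verifier))), the S256 method.
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthorizeParams builds the query for the initial consent request (step 2 in the comment).
func AuthorizeParams(clientID, redirectURI, verifier string) url.Values {
	v := url.Values{}
	v.Set("response_type", "code")
	v.Set("client_id", clientID)
	v.Set("redirect_uri", redirectURI)
	v.Set("code_challenge", CodeChallengeS256(verifier))
	v.Set("code_challenge_method", "S256")
	return v
}

// VerifyChallenge is the authorization server's check when the token request
// arrives with code_verifier (step 3): recompute and compare in constant time.
func VerifyChallenge(storedChallenge, presentedVerifier string) bool {
	got := CodeChallengeS256(presentedVerifier)
	return subtle.ConstantTimeCompare([]byte(got), []byte(storedChallenge)) == 1
}

func main() {
	verifier, _ := NewCodeVerifier() // client id and redirect URI below are placeholders
	p := AuthorizeParams("client-id-placeholder", "http://127.0.0.1/callback", verifier)
	fmt.Println(p.Encode(), VerifyChallenge(p.Get("code_challenge"), verifier))
}
```

Because the server recomputes the challenge from the verifier, a leaked authorization code is useless to anyone who did not also hold the verifier, which is the hardening the comment refers to.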