Rclone OAuth Implemented Incorrectly. Exposes Client Secrets?

If you don't have a client_secret then you have to do the oauth login every time the token expires. Typically this is 1 hour. Rclone could work like this but it would be very inconvenient!

As far as I know you either need

  1. To store the client ID/client secret in the application, or
  2. To have an external service which stores them and is called with the user's credentials to sign them as part of the OAuth process.

We've gone for option 1. Option 2 opens up a different problem in that the user's credentials have to go through a service run by us. This wasn't a risk that we wanted to take, having everyone's credentials come through a service run by us, and it isn't something most users want either. It might be an option for you though, and I do have some code which we ran for a while for Amazon Cloud Drive which does it: https://github.com/ncw/oauthproxy

Note that in the scale of things the OAuth client_id and client_secret aren't particularly important. All they do is identify the app connecting. They do not allow access to data on their own. The user still needs to provide authentication to access the actual data. It is a layer in the security onion, but there are better layers just beneath!

If the client_id and client_secret were leaked then someone would be able to pretend to be rclone, which gets you access to no user data without user credentials.

Note that native apps using OAuth2 pretty much all use the rclone solution. I've seen threads where people have installed an HTTPS proxy and read the OAuth client and secret from lots of commercial apps.

We found a solution for this here

Some of the learnings for that need to go into the docs!
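The point made above, that an embedded client_id/client_secret only identifies the app and grants nothing without a user-bound refresh token, as an added example that is not rclone's code or anything from this thread. It assumes a hypothetical mock token endpoint (httptest) and constructed credential values; the `Refresh` helper and the mock's exact error responses are assumptions, not any provider's real behaviour.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Constructed, hypothetical values: the app identity an rclone-style native client
// embeds, and a refresh token a provider issues only after the user logs in and consents.
const appClientID, appClientSecret = "example-client-id", "example-client-secret"
const userRefreshToken = "refresh-token-issued-at-user-login"

// newMockTokenEndpoint stands in for a provider's /token endpoint (assumed behaviour):
// it issues an access token only when the app identity AND a user-bound refresh token match.
func newMockTokenEndpoint() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch {
		case r.PostFormValue("client_id") != appClientID || r.PostFormValue("client_secret") != appClientSecret:
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized) // app identity wrong or missing
		case r.PostFormValue("grant_type") != "refresh_token" || r.PostFormValue("refresh_token") != userRefreshToken:
			http.Error(w, `{"error":"invalid_grant"}`, http.StatusBadRequest) // no valid user-bound token
		default:
			fmt.Fprint(w, `{"access_token":"fresh-access-token","expires_in":3600}`)
		}
	}))
}

// Refresh runs the refresh_token grant (what a client does each time the roughly
// one-hour access token expires) and returns the provider's HTTP status code.
func Refresh(tokenURL, clientID, clientSecret, refreshToken string) (int, error) {
	resp, err := http.PostForm(tokenURL, url.Values{
		"grant_type":    {"refresh_token"},
		"refresh_token": {refreshToken},
		"client_id":     {clientID},
		"client_secret": {clientSecret},
	})
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	srv := newMockTokenEndpoint()
	defer srv.Close()
	st, _ := Refresh(srv.URL, appClientID, appClientSecret, "")
	fmt.Println("leaked app credentials, no user token:", st) // 400
	st, _ = Refresh(srv.URL, appClientID, appClientSecret, userRefreshToken)
	fmt.Println("app credentials plus user's refresh token:", st) // 200
}
```

The same mock also refuses a refresh token presented without the app identity, which is the reverse case: neither half is useful on its own.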