Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

oauthutil: clear client secret if client ID is set #7809

Merged
merged 1 commit into from May 11, 2024
Merged

oauthutil: clear client secret if client ID is set #7809

merged 1 commit into from May 11, 2024

Conversation

mikix
Copy link
Contributor

@mikix mikix commented Apr 28, 2024
edited

What is the purpose of this change?

When an external OAuth flow is being used (i.e. a client ID and an OAuth token are set in the config), a client secret should not be set. If one is, the server may reject a token refresh attempt.

But there's no way to clear out a backend's default client secret via configuration, since empty-string config values are ignored.

So instead, when a client ID is set, we should clear out any default client secret, since it wouldn't apply anyway.

Was the change discussed in an issue or in the forum before?

No - I was just debugging why my OAuth tokens weren't being refreshed correctly when using the Drive backend, and it led me here.

I did file #7825 for tracking purposes though.

Checklist

  • I have read the contribution guidelines.
  • I have added tests for all changes in this PR if appropriate.
  • I have added documentation for the changes if appropriate.
  • All commit messages are in house style.
  • I'm done, this Pull Request is ready for review :-)

@mikix
oauthutil: clear client secret if client ID is set
325b9d9 
When an external OAuth flow is being used (i.e. a client ID and an
OAuth token are set in the config), a client secret should not be set.
If one is, the server may reject a token refresh attempt.

But there's no way to clear out a backend's default client secret via
configuration, since empty-string config values are ignored.

So instead, when a client ID is set, we should clear out any default
client secret, since it wouldn't apply anyway.
@mikix
Copy link
Contributor Author

mikix commented Apr 29, 2024

For clarity on user impact of the bug I'm trying to fix, because that wasn't prominent in my description above:

If you pass Rclone a CLIENT_ID and a TOKEN today, Rclone fails to refresh the token once it expires (say, after an hour).

@mikix mikix mentioned this pull request May 7, 2024
Closed
ncw
ncw approved these changes May 11, 2024
View reviewed changes
Copy link
Member

@ncw ncw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks like a great fix , thank you.

I'll merge that now :-)

@ncw ncw merged commit cd76fd9 into rclone:master May 11, 2024
10 checks passed
@mikix mikix deleted the oauth-clear-secret branch May 12, 2024 12:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ncw ncw ncw approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@mikix @ncw