Are you talking about manual registration using the provider’s web interface?
I don’t recall having done that, and rclone directions don’t seem to demand it.
Specifically, if you mean registering the redirect URL, theirs might be fixed at:
http://127.0.0.1:53682/
as documented in their manual. I’m not sure fixed is considered best practice.
My thoughts on “trust no one” is that whatever admin or malware controls the
server potentially has access to the refresh token when it’s decrypted for use.
This is the same argument I use for Duplicati, on a fully compromised system.
Ultimately the secret must be obtained in raw form to pass to a provider’s API.
It’s also the argument I used earlier for a corporate IT department wanting the
refresh tokens kept in-house somehow, although they have other issues then.
We face the same issues. I don’t know if GAE does more handholding for high
availability through machine failure, updates, etc. I would hope it’s well hidden.
Responsibility for doing backups and restores of stored tokens may also move.
Maybe GAE helps there. I’m not sure what the C# design is, or even if it’s local.
https://github.com/kenkendk/kvpsbutter seems to be in use, but I didn’t look far.
Potentially we’re also in multiple-server future if the Internet keeps fragmenting.
If it gets bad enough, it might get like the corporate IT model, except per region.
If issue is “encryption on the new service is different”, C# can call to Python code
as AuthID comes in. Do the usual decrypt for use, but also reencrypt in new way.
Question is whether passphrase length increase is needed, or just done because
it was known the rest of the encryption didn’t match up, so why not update more?
I don’t know what logs exist, but you’d probably want to make sure that incoming
request rate doesn’t exceed migration capacity. If it does, just defer the migration.
Is there a big advantage to the new encryption code, or is it just what was handy?