Skip to content
This is an oauth2 proxy server
Branch: master
Clone or download
Type Name Latest commit message Commit time
Failed to load latest commit information.
.gitignore First working stand-alone version of oauthproxy Jun 8, 2017
COPYING Documentation on how to set it up and use it. Jun 8, 2017 Update rclone config instructions after rclone update Jun 10, 2017
app.yaml Convert it to work with Appengine Jun 8, 2017
oauthproxy-config.json.example Documentation on how to set it up and use it. Jun 8, 2017

oauth2 proxy

This is an oauth2 proxy designed to run on Google Appengine. Its purpose is to allow users to connect to an oauth service while hiding the client ID and client secret for the service from the users.

It works by receiving connections and proxying them onwards. It changes any client ID and client secrets as it passes through into the secret version.

Authentication to this proxy is done with a different client ID and client secret. These must be correct for the proxy to use the secret credentials.

It doesn't store any data or credentials as they pass through the proxy.

It is designed to be compatible with any oauth2 application.


Follow the go appengine quickstart "before you begin" section.

You should now have a working gcloud tool at this point and a project created with appengine before continuing.

Install the go language. Make sure go is on your PATH by running go version.

Set GOPATH - this should be a specific one for this project.

export GOPATH=/tmp/go-appengine

Install the appengine support libraries

go get

Check out the code wherever you like

git clone
cd oauthproxy


You need to create a file like this called oauthproxy-config.json (you can find this example in oauthproxy-config.json)

    "AuthURL" : "",
    "TokenURL" : "",
    "ClientID" : "Your Client ID goes here",
    "ClientSecret" : "Your Client secret goes here",
    "IncomingClientID" : "Client ID (username) your users should use",
    "IncomingClientSecret" : "Client Secret (password) your users should use",
    "Name" : "oauth2 proxy"

Note that ClientID and ClientSecret should be the ones for the service you are trying to use at AuthURL and TokenURL.

Whereas IncomingClientID and IncomingClientSecret should be made up by you to be as secure or not as you like. These are used for authentication to this service in place of a username and password.


Now try running the development version of this code. app.yaml

Check this starts up, and you can visit the test app at http://localhost:8080/. This should show a simple page with the current time on.


You are ready to deploy the app to Appengine now.

gcloud app deploy

Now visit the app to check it is working

gcloud app browse

It will take you to the index page of the app. Make a note of the URL it will be something like

rclone configuration

First make sure your oauth credentials allow the redirect URL of as this is what rclone uses. If you don't set this then the authorization process will fail mysteriously.

Now you need to configure rclone to use the new oauth proxy. You'll need an up to date rclone 1.37 or an up to date beta of 1.36 to use the oauth proxy.

Create a new remote with rclone config. When filling out the details in the configurator note that:

  • client_id takes the value of IncomingClientID
  • client_secret takes the value of IncomingClientSecret
  • auth_url is the same as your appspot URL but with /auth on the end.
  • token_url is the same as your appspot URL but with /token on the end.
No remotes found - make a new one
n) New remote
s) Set configuration password
q) Quit config
n/s/q> n
name> acd
Type of storage to configure.
Choose a number from below, or type in your own value
 1 / Amazon Drive
   \ "amazon cloud drive"
 2 / Amazon S3 (also Dreamhost, Ceph, Minio)
   \ "s3"
 3 / Backblaze B2
   \ "b2"
 4 / Dropbox
   \ "dropbox"
 5 / Encrypt/Decrypt a remote
   \ "crypt"
 6 / FTP Connection
   \ "ftp"
 7 / Google Cloud Storage (this is not Google Drive)
   \ "google cloud storage"
 8 / Google Drive
   \ "drive"
 9 / Hubic
   \ "hubic"
10 / Local Disk
   \ "local"
11 / Microsoft OneDrive
   \ "onedrive"
12 / Openstack Swift (Rackspace Cloud Files, Memset Memstore, OVH)
   \ "swift"
13 / SSH/SFTP Connection
   \ "sftp"
14 / Yandex Disk
   \ "yandex"
Storage> 1
Amazon Application Client Id - required.
client_id> IncomingClientID
Amazon Application Client Secret - required.
client_secret> IncomingClientSecret
Auth server URL - leave blank to use Amazon's.
Token server url - leave blank to use Amazon's.
Remote config
Make sure your Redirect URL is set to "" in your custom config.
Use auto config?
 * Say Y if not sure
 * Say N if you are working on a remote or headless machine
y) Yes
n) No
y/n> y
If your browser doesn't open automatically go to the following link:
Log in and authorize rclone for access
Waiting for code...
Got code
type = amazon cloud drive
client_id = IncomingClientID
client_secret = IncomingClientSecret
auth_url =
token_url =
token = XXXX
y) Yes this is OK
e) Edit this remote
d) Delete this remote
y/e/d> y

rclone should be ready to use - test with rclone lsd acd:.

You can’t perform that action at this time.