[GNC-dev] Patelco stopped supporting OFX... other options

John Ralls jralls at ceridwen.us
Fri Jun 19 12:38:34 EDT 2020


The actual OAUTH implementation begins with https://cdn.plaid.com/link/v2/stable/link-initialize.js. I don't really have time ATM to reformat and study it, but it supports my initial suspicion that they're setting up a man-in-the-middle to obtain an OAUTH token to monitor the user's bank account. I wouldn't be comfortable permitting a third party that kind of access, and I'll bet that very few of plaid's customers disclose to their users that that's what's going on.

It's also apparent that server.py is intended as example code and that plaid customers would probably write their own, likely in php running on their web servers. It's very simple and could be easily ported to C++ or Scheme. Since it appears so far to be a one-time setup step it could live in an assistant that would use a webkitgtkwebview for the user to authenticate with the bank. The other half of the implementation would live in gnucash/import-export/plaid and handle the plaid API interaction and converting the json response into the transactions to present to the matcher. A bit of a project.

Documentation would have to include strong warnings and disclaimers about the third-party involvement and links to plaid's documentation and terms of use as well as to the registration page.

Plaid's terms of use are at https://plaid.com/legal/. I don't see anything in the Developer TOU that would preclude GnuCash providing the facility outlined above; it would be incumbent on every user to obtain the developer credentials just like they do for Alphavantage.

Regards,
John Ralls
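As an added illustration of the "convert the JSON response into transactions for the matcher" step described above (example code, not from this thread or from GnuCash or Plaid), the following normalises a Plaid-style transactions response. The field names, the `SAMPLE_RESPONSE` data and the `MatcherTxn` record are assumptions; Plaid's sign convention (outflows positive) is flipped to the register convention, pending items are skipped, and repeated transaction ids are collapsed so a re-import does not duplicate entries.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed sample in the shape of Plaid's /transactions/get response
# (assumed field names, not taken from the mailing-list thread).
SAMPLE_RESPONSE = {
    "accounts": [{"account_id": "acc_1", "name": "Checking"}],
    "transactions": [
        {"transaction_id": "tx_a", "account_id": "acc_1", "amount": 42.50,
         "date": "2020-06-17", "name": "GROCERY STORE", "pending": False},
        {"transaction_id": "tx_b", "account_id": "acc_1", "amount": -1500.00,
         "date": "2020-06-15", "name": "PAYROLL", "pending": False},
        {"transaction_id": "tx_c", "account_id": "acc_1", "amount": 9.99,
         "date": "2020-06-18", "name": "COFFEE", "pending": True},
        # same id again, as happens when successive date windows overlap
        {"transaction_id": "tx_a", "account_id": "acc_1", "amount": 42.50,
         "date": "2020-06-17", "name": "GROCERY STORE", "pending": False},
    ],
}

@dataclass(frozen=True)
class MatcherTxn:
    ext_id: str       # bank-side id, kept so a re-import can spot duplicates
    account: str
    date: str
    amount: Decimal   # register sign: positive = money into the account
    memo: str

def to_matcher_transactions(data, include_pending=False):
    """Normalise a Plaid-style transactions response for the import matcher.

    Plaid reports outflows as positive amounts, the opposite of a register,
    so the sign is flipped. Pending items are skipped by default because their
    amount and description can still change. Repeated transaction_ids are
    collapsed so the matcher never sees the same bank transaction twice.
    """
    names = {a["account_id"]: a["name"] for a in data["accounts"]}
    seen, out = set(), []
    for t in data["transactions"]:
        if (t["pending"] and not include_pending) or t["transaction_id"] in seen:
            continue
        seen.add(t["transaction_id"])
        out.append(MatcherTxn(
            ext_id=t["transaction_id"],
            account=names.get(t["account_id"], t["account_id"]),
            date=t["date"],
            amount=-Decimal(str(t["amount"])),  # str() avoids float artefacts
            memo=t["name"],
        ))
    return sorted(out, key=lambda x: x.date)
```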


> On Jun 18, 2020, at 10:05 AM, Jean Laroche <ripngo at gmail.com> wrote:
> 
> The server code clearly mentions OAUTH. Let me know what you can determine from the server code if you find something interesting...
> J.
> 
> On 6/18/20 9:51 AM, Derek Atkins wrote:
>>> This is interesting. It sounds like OAUTH, where the mini-webserver
>>> redirects to the bank's website for authentication and gets a token back,
>>> but OAUTH tokens are supposed to be single-use and expire. The fact that
>>> neither seems to be the case is a bit worrying. Does plaid provide the
>>> source code for this web server?
>> That's not always the case.  OAuth has long-lived tokens that can be
>> refreshed and reused, they are not (always) single-use tokens.  You're
>> right that it DOES sound like OAuth, but it also sounds like you're
>> obtaining a client token that can be re-used.
>>> Regards,
>>> John Ralls
>> -derek