site banner

Small-Scale Question Sunday for October 27, 2024

Do you have a dumb question that you're kind of embarrassed to ask in the main thread? Is there something you're just not sure about?

This is your opportunity to ask questions. No question too simple or too silly.

Culture war topics are accepted, and proposals for a better intro post are appreciated.

2
Jump in the discussion.

No email address required.

Current iterations as far as I can tell generally use “Oauth” … In practice, plaid doesn’t have your password generally (although maybe for some banks as your link discusses.)

I've never heard any reports of this. Are you saying you've seen some bank for which Plaid supports OAuth rather than merely doing screen-scraping? If so, what bank is that?

“Oauth” which again is a bit of a black box … what it can do with that token (is it read only?) is even read only bad enough? Etc. is up for debate.

It really shouldn't be “up for debate”.

If your bank supports OAuth as a protocol, but doesn't tell you exactly what authorizations you're granting the relying party when you approve a request, that's a massive failure of your bank, and arguably a violation of at least the spirit of the OAuth spec:

If the request is valid, the authorization server authenticates the resource owner and obtains an authorization decision (by asking the resource owner or by establishing approval via other means) … If the resource owner grants the access request, the authorization server issues an authorization code and delivers it to the client …