Using PKCE OAuth with YNAB

Hi all,

The YNAB OAuth documentation recommends the Implicit Flow for OAuth applications where the client is untrusted, such as a mobile app. Unfortunately, the implicit flow is less secure than the PKCE flow and provides a poor user experience.

Furthermore, the implicit flow does not support refresh tokens, so the UX for a third party app will require frequent user disruption to re-authenticate.

If the YNAB API supports the PKCE flow, then a mobile app can securely authenticate and receive a refresh token. This will greatly help the UX for third party apps.

Further reading on the PKCE flow can be found here:

https://developer.okta.com/blog/2018/12/13/oauth-2-for-native-and-mobile-apps

https://developer.okta.com/blog/2019/05/01/is-the-oauth-implicit-flow-dead

I would love to see YNAB support PKCE, as I consider the poor UX of the implicit flow to be a blocker preventing integration with YNAB. I look forward to hearing back from the YNAB API team.

Thanks!
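To make concrete what the post above is asking for, here is an added example (not code from the original post, and not YNAB's API, which per the reply below does not currently offer PKCE) of the client-side and server-side halves of the PKCE exchange from RFC 7636. The authorization endpoint URL, client id, redirect URI and state value are placeholders chosen for illustration; the test vector in the comments is the one from RFC 7636 Appendix B. The point it demonstrates is the security property the post relies on: an authorization code that leaks in transit (for example through a hijacked custom URL scheme on a mobile device) cannot be redeemed without the `code_verifier`, which never leaves the app until the token request.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: a high-entropy secret kept in the app, 43-128 chars.

    32 random bytes base64url-encode to exactly 43 characters, the minimum
    length RFC 7636 allows.
    """
    return _b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """Client side: S256 transform sent with the authorization request.

    RFC 7636 Appendix B vector:
      verifier  dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
      challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
    """
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(authorize_endpoint: str, client_id: str,
                        redirect_uri: str, challenge: str, state: str) -> str:
    """Client side: the authorization-code request carrying the challenge.

    Note response_type=code (not token): the access token is never exposed in
    the redirect URL, which is the weakness of the implicit flow.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return authorize_endpoint + "?" + urlencode(params)


def server_verify(stored_challenge: str, stored_method: str,
                  presented_verifier: str) -> bool:
    """Server side: check run at the token endpoint before issuing tokens.

    The server stored (challenge, method) against the authorization code when
    it was issued. Only S256 is accepted here; "plain" offers no protection
    against a leaked challenge, so a server should refuse it.
    """
    if stored_method != "S256":
        return False
    recomputed = make_code_challenge(presented_verifier)
    # Constant-time compare to avoid leaking the challenge through timing.
    return hmac.compare_digest(recomputed, stored_challenge)


def demo_flow() -> dict:
    """Run one full PKCE round trip with placeholder endpoint values."""
    # Placeholder values; not YNAB's real endpoint or a real client id.
    authorize_endpoint = "https://oauth.example.invalid/authorize"
    client_id = "placeholder-client-id"
    redirect_uri = "com.example.app://oauth/callback"
    state = _b64url(secrets.token_bytes(16))

    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    url = build_authorize_url(authorize_endpoint, client_id, redirect_uri,
                              challenge, state)

    # The server records the challenge against the issued authorization code.
    server_record = {"challenge": challenge, "method": "S256"}

    # Legitimate app redeems the code with its verifier: succeeds.
    ok = server_verify(server_record["challenge"], server_record["method"],
                       verifier)
    # A party holding only the intercepted code (and even the challenge, which
    # is visible in the authorize URL) cannot produce the verifier: fails.
    stolen = server_verify(server_record["challenge"], server_record["method"],
                           make_code_verifier())
    return {"authorize_url": url, "legit_ok": ok, "stolen_ok": stolen}


if __name__ == "__main__":
    result = demo_flow()
    print(result["authorize_url"])
    print("legitimate redemption:", result["legit_ok"])
    print("intercepted-code redemption:", result["stolen_ok"])
```

The refresh-token half of the request is then ordinary authorization-code behaviour: because the code flow (unlike implicit) ends in a back-channel token request, the server can return a refresh token in that response, which is what removes the frequent re-authentication the post complains about.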

Reply:

Hi sballew

You can go ahead and submit a feature request for the PKCE flow option. Right now, it's not an option available but it's something we are aware of and could potentially make available, based on interest.

Thanks!
