Read-only OAuth scope

Hi,

A question came up from a user of Sheets For YNAB about read/write permissions. Although my add-on never writes data to a user's YNAB budget, the only OAuth scope available includes write permissions.

It would be nice to have the option of selecting a read-only scope, to provide users with more reassurance about the security of granting an OAuth application access.

Apologies if I have missed a previous discussion or solution regarding this issue.

Best regards,

Steve

8 replies
  • Great idea, Steve. I've added a read-only OAuth scope to the list. Thanks for the feedback!

  • Cool, thanks George.

    By "list" I presume you mean backlog?  :-)

  • Brady - Not to drag up this old topic, but I'm working on an integration that should be read-only and was... surprised that with read-only being an option, it's not the default. IMO, you should always need to ask for elevated credentials, not the other way around. Shouldn't read-only be the default token returned, with an explicit "read-write" option to expand your authorization (and additional language telling the user that you're requesting write access in big, bold letters)?

    • Kyle Kurz Thanks for the note. When authorizing with write access we mention the permissions being requested, with "Write: Create and update transactions, budget to categories". Since the read-only scope was added after we released the API, and it was a new feature, we wanted to get some usage with it before elevating it to the default. There are a few other factors that affect this decision as well. I'll add this to our list of considerations!

    • Brady Understood, I'd love to see it as the default in a v2 API, as it strengthens the user-protection story.

  • Brady It would be great if I could specify resource access to a more fine-grained level than 'read-only'. For example, my app does not need access to any transaction level data. As this is quite sensitive information, I would rather not have access to it, and I think it would be reassuring for my users to see that I wasn't requesting that access. Any plans for fine-grained scopes/resource access?

    • Felix Terpstra - no current plans but I'll note the request!

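The least-privilege pattern discussed in this thread (request the read-only scope by default, widen to read-write only when the integration actually needs it), as an added example that is not code from the forum, Sheets For YNAB, or YNAB itself. The authorize endpoint URL, the `scope=read-only` parameter name and value, and the `send` callback are assumptions; the client-side guard also refuses mutating HTTP methods so a read-only integration cannot write even if it were ever issued a wider token.

```python
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values: the real authorize endpoint and scope string must be taken
# from the YNAB API documentation, not from this example.
AUTHORIZE_URL = "https://app.ynab.com/oauth/authorize"
READ_ONLY_SCOPE = "read-only"
MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def build_authorize_url(client_id: str, redirect_uri: str, need_write: bool = False) -> str:
    """Build the OAuth authorization URL, defaulting to the read-only scope.

    Write access is opt-in: the caller has to state explicitly that the
    integration needs it, which is the default-deny behaviour the thread asks for.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
    }
    if not need_write:
        params["scope"] = READ_ONLY_SCOPE  # omitted scope = read-write (assumed)
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def requested_scope(url: str) -> Optional[str]:
    """Return the scope an authorization URL asks for, or None if it asks for full access."""
    return parse_qs(urlparse(url).query).get("scope", [None])[0]


class ReadOnlyApiClient:
    """Defence in depth for a read-only integration: never send a mutating request.

    `send(method, path)` is a hypothetical transport callback (e.g. a wrapper
    around an HTTP library) that performs the actual API call.
    """

    def __init__(self, send: Callable[[str, str], object]) -> None:
        self._send = send

    def request(self, method: str, path: str) -> object:
        method = method.upper()
        if method in MUTATING_METHODS:
            raise PermissionError(f"read-only client refuses {method} {path}")
        return self._send(method, path)
```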