Why is Plaid changing to use OAuth for some institutions – Chase, Capital one….?

Plaid provides a single interface to connect to most banks. In the past, when someone used Plaid to connect to their bank, they had to give Plaid their bank user name and password. While I’m sure that Plaid was careful with these credentials, there’s just more peace of mind when you only give your bank’s credentials to your bank.

Plaid’s OAuth flow allows Plaid to get your permission to access certain financial data from your account without having to know your credentials.

How does the Plaid OAuth flow work?

First, let’s review how Plaid connects with a bank in the non-OAuth flow:

Non-OAuth flow

The Client App invokes Plaid Link, where the user provides their bank credentials to Plaid. Plaid uses the credentials to access the user’s bank information whenever they need to access the user’s financial data.

OAuth Flow

Plaid gets a bank access token that it uses to access the user’s bank information from the bank’s REST servers. Plaid makes API calls (i.e. GET /account_info) to get the information your app wants.

How does Plaid get the bank access token? Through OAuth.

Instead of asking the user to give their bank credentials to a Plaid dialog, your app:

1. Redirects the user to their bank’s website
2. The user enters his credentials
3. The bank asks the user for permission to allow Plaid to access his financial data
4. The bank gives Plaid an access token

In the future, when Plaid needs to talk to your customer’s bank, it directly communicates with the bank’s REST endpoints, using the OAuth access token as proof that the user has given Plaid permission to access the data.

What changes do developers have to make to their app to support OAuth?

This has two answers.

1. Nothing.If you don’t update your app to optimally support the OAuth flow, Plaid still “kind-of” supports the OAuth flow. When a user connects to an external bank that supports the OAuth flow with Plaid, Plaid will pop up in a browser window to sign into the external bank’s website.

   Note: This pop-up flow works pretty well on a desktop. However, there are some problems with a mobile device:

   • Sometimes this flow just won’t work on mobile devices
   • Even when it does work on mobile devices, users are less likely to complete this flow on mobile devices when it uses a pop-up window
   • Can’t jump to the bank’s native app to take advantage of signing in with face ID, fingerprint, etc.
2. Implement redirection to bank’s website.
   To get around the above problems on mobile devices, you must implement the redirect flow for OAuth.
   • Give Plaid Link a “Redirect URI”, which is a URL that’s part of your website for Plaid to send your users back to after they’ve finished the OAuth flow.
     • Specify the redirect URI when you create the Link token.
       • You must notify Plaid in your developer dashboard (dashboard.plaid.com) of the URL before Plaid will allow its use
     • The presence of a redirect URI in the Link token determines whether the Link uses the pop-up flow or redirect flow when connecting to a bank that supports the OAuth flow.
   • Finish up the Link process after Plaid sends the user back to the redirect URI:
     • Reinitialize Plaid Link
       • You must use the same Link token as the original invocation of Link
       • You must pass the received redirect URI. This is so that Plaid can get the one-time password that Plaid provides when Plaid redirects the user back to the redirection URI (the password is in the URL’s query params).
     • Plaid then finishes up the link process and gives you the public token that you then use to get the access token.

Note: One potential gotcha with the redirect flow is that it likely will not work if your app displays the Plaid Link UI in an iFrame.