[Kmymoney-devel] libOFX question (relates to recent OFX failures with Chase credit card downloads)
Thomas Baumgart
thb at net-bembel.de
Thu Dec 10 10:53:44 UTC 2015
Hi,
On Wednesday 09 December 2015 19:38:08 Jack wrote:
> Some of you may have seen some other posts I've made about this, but I
> think I've tracked down the problem.
Thanks for the information. That helped a lot to identify what's going on.
>
> Background: last month Chase credit cards made a "security enhancement"
> change that has made all OFX downloads since 11/17 fail. The error
> message says to got to the Chase secure message center for info on how
> to verify your identity, but no such message ever appears. The section
> at
> http://wiki.gnucash.org/wiki/Setting_up_OFXDirectConnect_in_GnuCash_2#Chase_
> .22username_or_password_are_incorrect.22 indicates the need for using a UID
> (user id) within the OFX request. It looks like they associate that user
> UID with the account, probably to limit access. However, the first time
> they see a UID on an OFX request, they should generate a PIN and send it to
> your account at their Secure Message Center. You then use that PIN on
> another page the message links to. I suppose since KMM isn't sending the
> UID, they don't generate that message.
>
> So - I don't see any place in KMM for a user UID. In fact, looking
> into the libOFX source, I see the UUID type defined, but no element
> defined as that type which looks like a user id. Can someone confirm
> this is correct, and if so, does this need to be brought up on the
> libOFX list before there is anything that KMM can do? (Other forum
> messages I've seen seem to indicate that aqbanking can handle this, so
> I'll see if I can get this set up, but I hate to spin my wheels if
> someone can provide a more definitive answer.
I took a look into the OFX spec (version 2.1.1) and found chapter 2.5.1.1.1
"Client Unique ID <CLIENTUID>". In short, this is a uid generated by the
client (KMyMoney). Here's the paragraph of the spec (© 2006 Intuit Inc.,
Microsoft Corp., CheckFree Corp. All rights reserved):
---8<---
OFX servers can require OFX clients to include a client ID in each signon
request. This client ID should be unique to the installation of the client
software, but the method that the ID is generated is left up to the client.
The server can specify that this field is required using the <CLIENTUIDREQ>
tag in the applicable <SIGNONINFO> section of the profile. Servers should
expect that users may connect via OFX from multiple locations and may need to
associate more than one <CLIENTUID> value with their <USERID>.
---8<---
Would be interesting, if you see the CLIENTUIDREQ in the SIGNONINFO message of
the server. One can (at least could) enable logging for OFX traffic in some
way. Don't know, if that is still available. Will have to check.
--
Regards
Thomas Baumgart
GPG-FP: E55E D592 F45F 116B 8429 4F99 9C59 DB40 B75D D3BA
-------------------------------------------------------------
Arguing with a woman is like reading the Software License Agreement.
In the end you ignore everything and click 'I agree'.
-------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 225 bytes
Desc: This is a digitally signed message part.
URL: <http://mail.kde.org/pipermail/kmymoney-devel/attachments/20151210/e3da8c80/attachment.sig>
More information about the KMyMoney-devel
mailing list