OpenBanking-Brasil / specs-seguranca

Documentation of the specifications of the Open Banking Brasil Security Working Group (GT de Segurança). The specifications are still in draft and must not be used for implementation.

Error use cases #17

Closed andreborges01 closed 3 years ago

andreborges01 commented 3 years ago

Error use cases (or error responses) must be covered in the user guides. For example, what would happen if the TPP journey was interrupted after obtaining the authorization_code? Which error responses and consent status will follow if the authorization_code expires before getting access and refresh tokens? These cases could be detailed in item 4.3.3 of the TPP user guide.

RalphBragg commented 3 years ago

I agree partially - the error codes and responses are defined in OpenID Connect and RFC 6749. The consent transition states are unclear and do need work; I'd welcome a conversation with someone to discuss this. The mechanisms to recover a grant / consent are already in place: just reuse a consent:{consent_id} scope. If everyone is happy with this mechanism then it can be documented in the consent API.

RalphBragg commented 3 years ago

@GisAlmeida @GislaineAlmeida - the consent API error states need to be documented to cover the issues communicated to the Security and Standards working group.

Renansanglard commented 3 years ago

[Jose Michael] Ralph, we took this issue #17 and your proposal to the Security WG and we agreed to go ahead with your guidance, and we would also like to ensure that this point is made explicit in the documentation to be delivered "... that this mechanism is only for Authorization Code Retrieval and NO modifications to an existing Consent must be made by this flow. "

"• With OpenID Redirect there is an edge condition where a Consent can be Authorised but the Authorisation Code is lost on redirect back to the TPP."
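As an added example (not code from this repository or from the Open Banking Brasil specifications), the Python below sketches the TPP side of the recovery mechanism discussed in the two comments above: on an RFC 6749 `invalid_grant` from the token endpoint (expired, revoked or already-used code), the TPP re-requests an authorization code carrying the same `consent:{consent_id}` scope, and never creates or edits a consent. The endpoint, client_id, redirect URI and consent-ID value are constructed placeholders, and the error-to-action mapping is this example's own assumption of a sensible TPP policy.

```python
import json
import secrets
import hashlib
import base64
from urllib.parse import urlencode

AUTHZ_ENDPOINT = "https://auth.example-bank.test/authorize"  # constructed placeholder
CLIENT_ID = "tpp-client-example"                             # constructed placeholder
REDIRECT_URI = "https://tpp.example.test/callback"           # constructed placeholder

def pkce_pair():
    """RFC 7636 S256: a fresh verifier/challenge pair for every authorization request."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge

def build_authorization_request(consent_id, scopes):
    """Front-channel request. The consent is referenced only through the
    consent:{consent_id} scope, so recovery reuses exactly this scope."""
    verifier, challenge = pkce_pair()
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(["openid", f"consent:{consent_id}", *scopes]),
        "state": secrets.token_urlsafe(16),   # new per request: binds the callback
        "nonce": secrets.token_urlsafe(16),   # new per request: binds the ID token
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}", verifier

def classify_token_error(response_body):
    """Map an RFC 6749 section 5.2 token-endpoint error to a TPP action (assumed policy).
    invalid_grant means the code is unusable but the consent itself is untouched."""
    err = json.loads(response_body).get("error")
    if err == "invalid_grant":
        return "retrieve_new_code"
    if err in ("invalid_request", "invalid_client", "unauthorized_client",
               "unsupported_grant_type", "invalid_scope"):
        return "fix_client"   # configuration/registration problem; retrying will not help
    return "unknown"

def recover(consent_id, scopes, response_body):
    """Authorization Code Retrieval only: no consent is created or modified here."""
    if classify_token_error(response_body) != "retrieve_new_code":
        return None
    url, verifier = build_authorization_request(consent_id, scopes)
    return {"consent_id": consent_id, "authorization_url": url, "code_verifier": verifier}
```

The returned `code_verifier` must be kept server-side until the new code is exchanged, and the consent status should still be checked via the consent API before resources are accessed.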

RalphBragg commented 3 years ago

Hi - Noted; will make sure that this is included in the User Guides. Will the consent API be updated to ensure a ConsentId can be re-used?

ediemerson-br commented 3 years ago

@andreborges01 there are error use cases/responses in these links. Is it what you are looking for?
https://openbanking-brasil.github.io/areadesenvolvedor/#casos-de-erro
https://openbanking-brasil.github.io/areadesenvolvedor/#criar-novo-pedido-de-consentimento

ediemerson-br commented 3 years ago

If you have further questions, you can create a service desk ticket. https://servicedesk.openbankingbrasil.org.br/Login.jsp