openbankingspace / tpp-issues


Barclays - Mobile Banking - PSU cannot consent after the "logging in" #106

Open oliver-hohn opened 5 years ago

oliver-hohn commented 5 years ago

According to the Open Banking Account and Transaction API Specification v1.1.0:

If the PSU does not complete a successful consent authorisation (e.g. if the PSU is not authenticated successfully), the authorization code grant ends with a redirection to the TPP with an error response as described in RFC 6749 Section 4.1.2.1. The PSU is redirected to the TPP with an error parameter indicating the error that occurred.

Following deployment of the "Barclays enhanced OB journeys", on the web-to-mobile flow, where web is the browser on the mobile device, PSUs are "stuck" after logging in, either via biometrics or the 5-digit code, as they are presented with the following error message:

OBA28 Something went wrong! Sorry, we aren't able to carry out your request at the moment. Please try again later

PSUs are not able to complete the journey and are not redirected back to the TPP with an "error" code.

Expected

PSU should be redirected back to the TPP if they cannot log in using PINsentry or Mobile PINsentry.

Actual

PSU is "stuck" on the Barclays page and has no feasible way of returning to the TPP.

Impact

Critical. This change has been pushed onto a live production environment, breaking redirection flows for PSUs that are using the web-to-mobile flow, where web is the browser on the mobile device.

This goes against the principle of OAuth, which requires error redirection so that a PSU can continue using a TPP's product in the case of failure.

Submitted as OBSD-6459.
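For readers less familiar with the redirect the issue above relies on, here is an added example (not code from the issue, from the Open Banking specification, or from Barclays) of how a TPP's redirect endpoint consumes the response that RFC 6749 Sections 4.1.2 and 4.1.2.1 require the authorisation server to send back: a `code` plus `state` on success, or an `error` (optionally `error_description`) plus `state` on failure. It also shows the only recovery a TPP has when the PSU is never redirected at all, as reported here: expiring the pending authorisation after a timeout. The class and function names (`ConsentStore`, `handle_redirect`, `expire_stale`) and the `https://tpp.example/cb` redirect URI are assumptions for the example, not Open Banking or ASPSP API names.

```python
"""
Hypothetical TPP-side handling of the OAuth 2.0 authorization-code redirect.
Example code only; the names below are assumptions, not Open Banking or
Barclays API names. The callback URLs in __main__ are constructed samples.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional
import secrets
import time
from urllib.parse import urlsplit, parse_qs

# Standard error codes an authorisation server may return (RFC 6749 4.1.2.1).
RFC6749_ERRORS = {
    "invalid_request", "unauthorized_client", "access_denied",
    "unsupported_response_type", "invalid_scope", "server_error",
    "temporarily_unavailable",
}


def is_rfc6749_error(code: str) -> bool:
    return code in RFC6749_ERRORS


class ConsentState(Enum):
    PENDING = "pending"
    AUTHORISED = "authorised"
    FAILED = "failed"      # ASPSP redirected back with ?error=...
    EXPIRED = "expired"    # PSU never came back (the failure mode in this issue)


@dataclass
class PendingConsent:
    state: str                      # TPP-generated, bound to the PSU's session
    started_at: float
    status: ConsentState = ConsentState.PENDING
    code: Optional[str] = None
    error: Optional[str] = None
    error_description: Optional[str] = None


class ConsentStore:
    """In-memory record of outstanding authorisations, keyed by `state`."""

    def __init__(self, timeout_s: float = 300.0):
        self.timeout_s = timeout_s
        self._by_state: Dict[str, PendingConsent] = {}

    def start(self, now: Optional[float] = None) -> PendingConsent:
        # `state` must be unguessable: it binds the redirect to this session
        # and is the TPP's CSRF protection (RFC 6749 10.12).
        consent = PendingConsent(state=secrets.token_urlsafe(32),
                                 started_at=time.time() if now is None else now)
        self._by_state[consent.state] = consent
        return consent

    def handle_redirect(self, redirect_url: str) -> PendingConsent:
        """Process the ASPSP's redirect to the TPP's redirect_uri."""
        params = {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).query).items()}
        state = params.get("state")
        consent = self._by_state.get(state) if state else None
        if consent is None or consent.status is not ConsentState.PENDING:
            # Unknown, forged or replayed state: never act on it.
            raise ValueError("redirect does not match a pending authorisation")
        if "error" in params:
            # Error response (4.1.2.1): the PSU is back at the TPP and the TPP
            # can tell them what happened and offer to retry.
            consent.status = ConsentState.FAILED
            consent.error = params["error"]
            consent.error_description = params.get("error_description")
        elif "code" in params:
            # Success response (4.1.2): exchange `code` at the token endpoint.
            consent.status = ConsentState.AUTHORISED
            consent.code = params["code"]
        else:
            raise ValueError("redirect carries neither code nor error")
        return consent

    def expire_stale(self, now: float) -> List[PendingConsent]:
        """Mark authorisations the PSU never completed. When the ASPSP strands
        the PSU on its own error page instead of redirecting, this timeout is
        the only signal the TPP ever gets."""
        expired = []
        for consent in self._by_state.values():
            if (consent.status is ConsentState.PENDING
                    and now - consent.started_at > self.timeout_s):
                consent.status = ConsentState.EXPIRED
                expired.append(consent)
        return expired


if __name__ == "__main__":
    store = ConsentStore(timeout_s=300.0)
    ok = store.start()
    print(store.handle_redirect(
        f"https://tpp.example/cb?code=SplxlOBeZQQYbYS6WxSbIA&state={ok.state}"))
    denied = store.start()
    print(store.handle_redirect(
        f"https://tpp.example/cb?error=access_denied&state={denied.state}"))
    stranded = store.start(now=0.0)
    print(store.expire_stale(now=301.0))   # PSU never redirected back
```

The point of the spec passage quoted in the issue is the second branch: a redirect with `error` lets the TPP explain the failure and offer a retry, whereas a PSU stranded on the ASPSP's page only ever surfaces as an `EXPIRED` consent after the timeout, with no information about what went wrong.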

tl-joao-souza commented 5 years ago

I can confirm this is still happening whenever the flow opens the Online Banking page instead of the app directly. This happens:

Any clue what's happening here?