According to the Open Banking Account and Transaction API Specification v1.1.0:
If the PSU does not complete a successful consent authorisation (e.g. if the PSU is not authenticated successfully), the authorization code grant ends with a redirection to the TPP with an error response as described in RFC 6749 Section 4.1.2.1. The PSU is redirected to the TPP with an error parameter indicating the error that occurred.
Following deployment of the "Barclays enhanced OB journeys", on the web-to-mobile flow, where web is the browser on the mobile device, PSUs are "stuck" after logging in, whether via biometrics or via the 5-digit code, as they are presented with the following error message:
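To make the required behaviour concrete, the following is an added example (not code from the specification, Barclays, or the ticket) of both sides of the error redirection described in RFC 6749 Section 4.1.2.1: the ASPSP building the redirect back to the TPP with an error parameter, and the TPP parsing that callback, checking the state value, and distinguishing an error outcome from a successful authorization code. The redirect URI, state value and error description are constructed sample values.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Error codes defined for the authorization endpoint in RFC 6749 section 4.1.2.1.
RFC6749_AUTHZ_ERRORS = {
    "invalid_request",
    "unauthorized_client",
    "access_denied",
    "unsupported_response_type",
    "invalid_scope",
    "server_error",
    "temporarily_unavailable",
}


def build_error_redirect(redirect_uri, error, state=None, description=None):
    """ASPSP side: build the redirection back to the TPP for a failed
    authorisation. The 'error' parameter is mandatory; 'state' must be echoed
    back unchanged when the TPP supplied one in the authorization request."""
    if error not in RFC6749_AUTHZ_ERRORS:
        raise ValueError(f"not an RFC 6749 authorization endpoint error: {error}")
    params = {"error": error}
    if description:
        params["error_description"] = description
    if state is not None:
        params["state"] = state
    # Keep any query string already present on the registered redirect URI.
    separator = "&" if urlsplit(redirect_uri).query else "?"
    return f"{redirect_uri}{separator}{urlencode(params)}"


def handle_callback(callback_url, expected_state):
    """TPP side: classify the redirect the PSU's browser arrives with.
    The state check comes first so that neither an error nor a code from a
    stale or forged callback is acted upon."""
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [None])[0]
    if state != expected_state:
        return {"outcome": "rejected", "reason": "state mismatch"}
    if "error" in query:
        # Failure path: the PSU can be told what happened and carry on using
        # the TPP's product instead of being stranded on the ASPSP page.
        return {
            "outcome": "error",
            "error": query["error"][0],
            "description": query.get("error_description", [None])[0],
        }
    if "code" in query:
        return {"outcome": "code", "code": query["code"][0]}
    return {"outcome": "rejected", "reason": "neither code nor error present"}


if __name__ == "__main__":
    # Constructed sample values for a hypothetical TPP redirect endpoint.
    sample_state = "s3ss10n-7f2a"
    redirect = build_error_redirect(
        "https://tpp.example/oauth/callback",
        "access_denied",
        state=sample_state,
        description="PSU authentication failed",
    )
    print(redirect)
    print(handle_callback(redirect, sample_state))
```

The TPP handler treats a missing or mismatched state exactly like a missing parameter set: the callback is rejected rather than interpreted, which is what prevents a forged error or code from being attached to another PSU's session.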
OBA28
Something went wrong! Sorry, we aren't able to carry out your request at the moment.
Please try again later
PSUs are not able to complete the journey and are not redirected back to the TPP with an "error" code.
Expected
PSU should be redirected back to the TPP if they cannot log in using PINsentry or Mobile PINsentry.
Actual
PSU is "stuck" on the Barclays page and has no feasible way of returning to the TPP.
Impact
Critical. This change has been pushed to a live production environment, breaking redirection flows for PSUs that are using the web-to-mobile flow, where web is the browser on the mobile device.
This goes against the principle of OAuth, which requires error redirection so that a PSU can continue using a TPP's product in the case of failure.
Submitted as OBSD-6459.