Closed tobypinder closed 5 years ago
Further reference:
In addition, as Nationwide are returning ID tokens from the token endpoint when a refresh grant is performed, then according to the spec https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse the iss value must be the same as that which was originally returned when auth first happens.
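The check the comment above describes, as an added example that is not code from the thread, from Nationwide or from any TPP: it applies the Refresh Token Response rules of OpenID Connect Core 1.0 section 12.2 to a refreshed ID Token. The two issuer strings are the before/after values quoted in the issue; the client_id, subject, timestamps and the alg=none fixture token are constructed for the example, and signature verification against the provider's jwks_uri is assumed to happen in a JOSE library before these claim checks run.

```python
"""Client-side validation of the ID Token returned from a refresh_token grant.

Added example for this thread, not code from the issue, from Nationwide or
from any TPP. Rules from OpenID Connect Core 1.0 section 12.2: the refreshed
ID Token's iss and sub MUST match the original ID Token, aud MUST contain
the client_id, auth_time MUST be unchanged when present, and iat must be the
new issuance time. Signature verification is assumed to be done elsewhere.
"""
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWTs strip base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS. Does NOT verify the signature;
    a real client verifies against the provider's jwks_uri first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def encode_unsigned_jwt(claims: dict) -> str:
    """Constructed test fixture only: builds an alg=none token so the example
    runs offline. Production ID Tokens are signed and must be verified."""
    header = _b64url_encode(b'{"alg":"none"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def verify_refreshed_id_token(new_claims: dict, original_claims: dict,
                              client_id: str, now: int) -> list:
    """Return the list of rule violations; an empty list means accept."""
    problems = []
    if new_claims.get("iss") != original_claims.get("iss"):
        problems.append(f"unexpected iss value: got {new_claims.get('iss')!r}, "
                        f"expected {original_claims.get('iss')!r}")
    if new_claims.get("sub") != original_claims.get("sub"):
        problems.append("sub differs from the original ID Token")
    aud = new_claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain our client_id")
    if "auth_time" in original_claims and \
            new_claims.get("auth_time") != original_claims["auth_time"]:
        problems.append("auth_time changed on refresh")
    exp = new_claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        problems.append("exp missing or token already expired")
    iat = new_claims.get("iat")
    if not isinstance(iat, int) or iat > now + 60:   # 60 s clock-skew allowance
        problems.append("iat missing or in the future")
    return problems


def check_refresh_response(id_token: str, original_claims: dict,
                           client_id: str, now: int) -> list:
    """Decode the refreshed ID Token and run the section 12.2 checks on it."""
    return verify_refreshed_id_token(decode_jwt_payload(id_token),
                                     original_claims, client_id, now)


# Constructed fixtures. The issuer strings are the before/after values the
# issue quotes; everything else is made up for the example.
NOW = 1_560_000_000
ORIGINAL_CLAIMS = {
    "iss": "https://api.nationwide.co.uk/open-banking/v1.1",
    "sub": "psu-0001", "aud": "tpp-client-id",
    "iat": NOW - 3600, "exp": NOW - 3000, "auth_time": NOW - 3650,
}
REFRESHED_CLAIMS = {
    "iss": "https://api.nationwide.co.uk/open-banking",   # changed by the deploy
    "sub": "psu-0001", "aud": "tpp-client-id",
    "iat": NOW, "exp": NOW + 600, "auth_time": NOW - 3650,
}

if __name__ == "__main__":
    token = encode_unsigned_jwt(REFRESHED_CLAIMS)
    for problem in check_refresh_response(token, ORIGINAL_CLAIMS, "tpp-client-id", NOW):
        print("reject refreshed ID Token:", problem)
```

Run as-is it reports exactly one violation, the iss mismatch the thread describes; with the original issuer restored the token passes, which is why a client that has stored the consent-time iss cannot simply accept a new one without re-authorizing.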
To provide a small update, multiple TPPs are working with Nationwide on this. There are at least two underlying issues and given the fast nature of triage it is better for us to wait until the facts are known fully to all parties before I update this.
The issue with authorization_code has been resolved. Affected TPPs are able to restore functionality if they implement exp in the request object used during OIDC redirection.
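What "implement exp in the request object" looks like in practice, as an added example that is not code from the thread, from Nationwide or from any TPP: the client-side claim set for an OIDC request object (OpenID Connect Core 1.0 section 6.1) including exp, iat, nbf and jti, plus the lifetime check an authorization server applies before accepting it. The client_id, redirect_uri, issuer, scope and 300-second lifetime are constructed placeholders. HS256 over a client secret is used only so the block runs with the standard library; Open Banking profiles sign request objects with an asymmetric key, which a real client is assumed to do with a JOSE library.

```python
"""Request object with an exp claim, and the lifetime check a server applies.

Added example, not code from the thread, from Nationwide or from any TPP.
Claim set per OpenID Connect Core 1.0 section 6.1; all identifiers and
lifetimes are constructed placeholders. HS256 stands in for the asymmetric
signature used in production solely so the example runs offline.
"""
import base64
import hashlib
import hmac
import json
import secrets


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_request_object_claims(client_id, redirect_uri, issuer, scope,
                                state, nonce, now, lifetime_seconds=300):
    """Claims for a request object. exp bounds how long the object can be
    replayed; the thread reports that adding it restored the flow."""
    return {
        "iss": client_id,            # the client signs its own request object
        "aud": issuer,               # the authorization server's issuer value
        "response_type": "code id_token",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "iat": now,
        "nbf": now,
        "exp": now + lifetime_seconds,
        "jti": secrets.token_urlsafe(16),   # unique id so the AS can reject replays
    }


def sign_hs256(claims: dict, secret: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_hs256(token: str, secret: bytes) -> dict:
    """Recompute the MAC and compare in constant time; raise on any mismatch."""
    header, payload, signature = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    return json.loads(_b64url_decode(payload))


def check_request_object_lifetime(claims: dict, now: int, max_lifetime=600) -> list:
    """Authorization-server-side check: reject missing, expired, not-yet-valid
    or over-long request objects. Returns the problems found (empty = accept)."""
    problems = []
    exp, iat, nbf = claims.get("exp"), claims.get("iat"), claims.get("nbf")
    if not isinstance(exp, int):
        problems.append("exp missing")
    elif exp <= now:
        problems.append("request object expired")
    if isinstance(exp, int) and isinstance(iat, int) and exp - iat > max_lifetime:
        problems.append("lifetime exceeds policy maximum")
    if isinstance(nbf, int) and nbf > now:
        problems.append("request object not yet valid")
    return problems


if __name__ == "__main__":
    now = 1_560_000_000
    claims = build_request_object_claims("tpp-client-id", "https://tpp.example/callback",
                                         "https://as.example", "openid accounts",
                                         state="st-1", nonce="n-1", now=now)
    token = sign_hs256(claims, b"constructed-client-secret")
    print(check_request_object_lifetime(verify_hs256(token, b"constructed-client-secret"), now))
```

A server that enforces the lifetime check rejects a request object with no exp outright, which matches the "invalid_jwt" bounce the issue reports; a short lifetime (a few minutes) keeps a leaked or replayed request object from being usable later.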
Leaving this issue open for any resolution: while CK has been able to restore functionality there are still TPPs that need to respond.
Have had confirmation from multiple TPPs that they have managed to restore production.
TPPs cannot access Nationwide services after deploy/downtime
Since the V2 deploy and subsequent unplanned downtime, no TPP that we are aware of has been able to access any of the services.
I have confirmations from 3 other TPPs that they are experiencing the following behaviour:
1) The authorization server immediately bounces TPPs back with error "invalid_jwt"
2) Attempts to refresh tokens result in an "unexpected iss value" error.
TPPs were not given any indication of changes impacting production environments as part of this release.
The .well-known endpoints for Version 1 releases appear to have mutated significantly, including the iss value mentioned above. TPPs have attempted connections with various permutations of "old" and "new" configurations with no success.
.well-known changes
issuer: From https://api.nationwide.co.uk/open-banking/v1.1 to https://api.nationwide.co.uk/open-banking
authorization_endpoint: From https://obonline.nationwide.co.uk/open-banking/v1.1/oauth/authorize to https://obonline.nationwide.co.uk/open-banking/oauth/authorize
token_endpoint: From https://api.nationwide.co.uk/open-banking/v1.1/oauth/token to https://api.nationwide.co.uk/open-banking/oauth/token
Impact
URGENT. All mentioned TPPs have zero access to production Nationwide systems.
References:
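The discovery-document change the issue lists is the kind of thing a client can detect before it starts failing in production. As an added example, not code from the issue, from Nationwide or from any TPP, the block below validates a fetched OpenID discovery document against the URL it came from (OpenID Connect Discovery 1.0 section 4.3: the document is served from issuer + "/.well-known/openid-configuration" and its issuer claim must equal that issuer), diffs it against a cached copy on the keys that matter, and flags that existing consents will need re-authorization when the issuer changes. The before/after issuer and endpoint values are the ones quoted in the issue; jwks_uri and the other keys are constructed placeholders.

```python
"""Validating and diffing a provider's OpenID discovery document.

Added example, not code from the issue, from Nationwide or from any TPP.
The before/after issuer and endpoint values are those quoted in the issue;
jwks_uri and any other key is a constructed placeholder.
"""
from urllib.parse import urlsplit

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"
WATCHED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
                "id_token_signing_alg_values_supported")


def validate_discovery_document(doc: dict, fetched_from: str) -> list:
    """Structural checks a client should run before trusting a document."""
    problems = []
    issuer = doc.get("issuer")
    if not isinstance(issuer, str):
        return ["issuer missing"]
    # Discovery 1.0 section 4.3: issuer must match the URL the document came from.
    if fetched_from != issuer.rstrip("/") + DISCOVERY_SUFFIX:
        problems.append(f"issuer {issuer!r} does not match the URL the document was fetched from")
    parts = urlsplit(issuer)
    if parts.scheme != "https" or parts.query or parts.fragment:
        problems.append("issuer must be an https URL with no query or fragment")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key)
        if not isinstance(value, str) or urlsplit(value).scheme != "https":
            problems.append(f"{key} missing or not https")
    return problems


def diff_discovery(cached: dict, fresh: dict, keys=WATCHED_KEYS) -> dict:
    """Return {key: (old, new)} for every watched key whose value changed."""
    return {k: (cached.get(k), fresh.get(k)) for k in keys if cached.get(k) != fresh.get(k)}


def refresh_tokens_still_usable(cached: dict, fresh: dict) -> bool:
    """If the issuer changed, ID Tokens returned on refresh will carry a
    different iss from the one stored at consent time and fail validation,
    so existing consents need re-authorization rather than silent retry."""
    return cached.get("issuer") == fresh.get("issuer")


# Constructed fixtures built from the values quoted in the issue.
CACHED_DOC = {
    "issuer": "https://api.nationwide.co.uk/open-banking/v1.1",
    "authorization_endpoint": "https://obonline.nationwide.co.uk/open-banking/v1.1/oauth/authorize",
    "token_endpoint": "https://api.nationwide.co.uk/open-banking/v1.1/oauth/token",
    "jwks_uri": "https://jwks.example/placeholder.json",
}
FRESH_DOC = {
    "issuer": "https://api.nationwide.co.uk/open-banking",
    "authorization_endpoint": "https://obonline.nationwide.co.uk/open-banking/oauth/authorize",
    "token_endpoint": "https://api.nationwide.co.uk/open-banking/oauth/token",
    "jwks_uri": "https://jwks.example/placeholder.json",
}

if __name__ == "__main__":
    for key, (old, new) in diff_discovery(CACHED_DOC, FRESH_DOC).items():
        print(f"{key}: {old} -> {new}")
    print("refresh safe:", refresh_tokens_still_usable(CACHED_DOC, FRESH_DOC))
```

Running a diff like this on every scheduled re-fetch of the provider's .well-known document, and alerting on any change to the watched keys, turns an unannounced issuer change into a monitored event instead of a production outage discovered through failing refresh calls.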