openbankingspace / tpp-issues


Nationwide - Services inaccessible since V2 deploy/downtime #46

Closed tobypinder closed 5 years ago

tobypinder commented 5 years ago

TPPs cannot access Nationwide services after deploy/downtime

Since the V2 deploy and subsequent unplanned downtime, no TPP that we are aware of has been able to access any of the services.

I have confirmations from 3 other TPPs that they are experiencing the following behaviour:

1) The authorization server immediately bounces TPPs back with error "invalid_jwt"

2) Attempts to refresh tokens result in an unexpected iss value error.

TPPs were not given any indication of changes impacting production environments as part of this release.

The .well-known endpoints for Version 1 releases appear to have mutated significantly including the iss value mentioned above. TPPs have attempted connections with various permutations of "old" and "new" configurations with no success.

.well-known changes


Impact

URGENT. All mentioned TPPs have zero access to production nationwide systems.


References:

davidgtonge commented 5 years ago

Further reference:

In addition, as Nationwide are returning ID tokens from the token endpoint when a refresh grant is performed, then according to the spec https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse the iss value must be the same as that which was originally returned when auth first happens.

tobypinder commented 5 years ago

To provide a small update, multiple TPPs are working with Nationwide on this. There are at least two underlying issues and given the fast nature of triage it is better for us to wait until the facts are known fully to all parties before I update this.

tobypinder commented 5 years ago

The issue with authorization_code has been resolved. Affected TPPs are able to restore functionality if they implement exp in the request object used during OIDC redirection.
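Worked example (added here; not code from the thread, from Nationwide or from any TPP): building a request object that carries exp for the OIDC redirect, as this comment describes, and checking that the iss on an ID token returned by a refresh grant matches the issuer originally recorded, as davidgtonge's comment requires. HS256 with a shared key is an assumption to keep the block standard-library only (Open Banking request objects are signed with the TPP's private key, PS256); the client id, URLs and key are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    # Compact JWS. HS256 with a shared key is an assumption for this demo;
    # real Open Banking request objects are PS256-signed with the TPP's private key.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> bool:
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))


def decode_claims(token: str) -> dict:
    # Payload only; call verify_hs256 before trusting anything returned here.
    return json.loads(_b64url_decode(token.split(".")[1]))


def build_request_object(client_id, redirect_uri, issuer, state, nonce, key, lifetime=300, now=None):
    # The request object JWT sent on the OIDC redirect. exp is the claim the
    # thread says affected TPPs had to add; iat/nbf bound the window on the other side.
    now = int(time.time()) if now is None else now
    claims = {
        "iss": client_id, "aud": issuer, "client_id": client_id,
        "response_type": "code id_token", "redirect_uri": redirect_uri,
        "scope": "openid accounts", "state": state, "nonce": nonce,
        "iat": now, "nbf": now, "exp": now + lifetime,
    }
    return sign_hs256(claims, key)


def check_refreshed_id_token(token, key, original_iss, client_id, now=None):
    # OIDC Core 12.2: an ID token from a refresh grant must carry the same iss as
    # the one issued at first authentication. Returns (ok, reason) for logging.
    now = int(time.time()) if now is None else now
    if not verify_hs256(token, key):
        return False, "bad signature"
    claims = decode_claims(token)
    if claims.get("iss") != original_iss:
        return False, f"unexpected iss value: {claims.get('iss')!r} (expected {original_iss!r})"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return False, "aud does not include this client"
    if claims.get("exp", 0) <= now:
        return False, "id_token expired"
    return True, "ok"
```

A changed issuer string in the bank's discovery document shows up here as the "unexpected iss value" rejection rather than as a silently accepted token.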

tobypinder commented 5 years ago

Leaving this issue open for any resolution: while CK has been able to restore functionality, there are still TPPs that need to respond.

tobypinder commented 5 years ago

Have had confirmation from multiple TPPs that they have managed to restore production.