If the PSU revokes consent to data access with the AISP - the AISP should delete the account-request resource.
This is done by making a call to DELETE the account-request resource.
Prior to calling the API, the AISP must have an access token issued by the ASPSP using a client credentials grant.
However, when doing a DELETE to https://carme.api.barclays/open-banking/v1.1/account-requests/[ACCOUNT_REQUEST_ID], the response is a 503 (Service Unavailable) status code and a body of:
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>
and the access token that is tied to that AccountRequest is still valid, as a GET /accounts returns a successful response.
The last occurrence that we have observed of this, as of the time this issue was posted, was at 11:57:49 BST today (24th October).
Impact
Very High. While it is still possible for the PSU to revoke consent via the Barclays Online portal, it is a requirement that the PSU should have the right to revoke consent from the TPP side, which is not possible currently for Barclays PSUs due to this issue.
Remediation
Allow for AccountRequests to be revoked via a DELETE to the /account-requests/[ACCOUNT_REQUEST_ID] endpoint.
The expected behaviour is described in the Account and Transaction API Specification, "DELETE Account Request" section.
Submitted as OBSD-5343
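As an added illustration (not code from this issue or from the ASPSP), here is a minimal TPP-side conformance check for the behaviour described above: it issues the DELETE with the client-credentials token, then replays the PSU-bound access token against GET /accounts, so a 503 on DELETE with a still-accepted token is reported as "consent not revoked". The transport is pluggable and the in-memory ASPSP, BASE_URL, token values and account-request id are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Assumed base URL (placeholder, not the ASPSP host named in the issue).
BASE_URL = "https://aspsp.example/open-banking/v1.1"

# transport(method, url, headers) -> (status_code, body). For live use, swap in a
# real HTTP client carrying the MTLS/signing headers the ASPSP requires.
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, str]]

@dataclass
class RevocationResult:
    delete_status: int
    accounts_status: int
    consent_revoked: bool  # True only if DELETE succeeded AND the PSU token is now rejected

def check_revocation(account_request_id: str, client_token: str,
                     psu_token: str, transport: Transport) -> RevocationResult:
    """DELETE the account-request, then prove consent is really gone by replaying
    the PSU-bound access token against GET /accounts (it must be rejected)."""
    delete_status, _ = transport(
        "DELETE", f"{BASE_URL}/account-requests/{account_request_id}",
        {"Authorization": f"Bearer {client_token}"})
    accounts_status, _ = transport(
        "GET", f"{BASE_URL}/accounts", {"Authorization": f"Bearer {psu_token}"})
    revoked = delete_status == 204 and accounts_status in (401, 403)
    return RevocationResult(delete_status, accounts_status, revoked)

def fake_aspsp(broken: bool) -> Transport:
    """Constructed in-memory ASPSP. 'broken' reproduces the reported behaviour
    (503 on DELETE, token still accepted); otherwise consent is torn down."""
    state = {"revoked": False}
    def transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
        if method == "DELETE" and "/account-requests/" in url:
            if broken:
                return 503, "<html><body><h1>503 Service Unavailable</h1></body></html>"
            state["revoked"] = True
            return 204, ""
        if method == "GET" and url.endswith("/accounts"):
            if state["revoked"]:
                return 401, '{"error":"invalid_token"}'
            return 200, '{"Data":{"Account":[]}}'
        return 404, ""
    return transport

if __name__ == "__main__":
    for broken in (True, False):
        result = check_revocation("ar-123", "cc-token", "psu-token", fake_aspsp(broken))
        print("broken ASPSP:" if broken else "correct ASPSP:", result)
```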