openbankingspace / tpp-issues


Barclays "Oauth Security Policy handler" 401 #90

Open tobypinder opened 5 years ago

tobypinder commented 5 years ago

At Mon, 03 Dec 2018 13:04 we experienced a PSU's request throwing the following 401 error.

  > Request
  GET https://deimos.api.barclays/open-banking/v1.1/accounts/[FILTERED]/standing-orders
  ================== Request Query ==================
  ================= Request Headers =================
  x-fapi-financial-id=[FILTERED]
  Authorization=[FILTERED]
  Accept=application/json; charset=utf-8
  =================== Request Body ===================

  < Response 401
  ================= Response Headers =================
  Content-Length=49
  Connection=keep-alive
  Date=Mon, 03 Dec 2018 13:04:50 GMT
  ================== Response Body ==================
  An error occured in OAuth security policy handler

Subsequent request retries exhibited the same behaviour.

Impact

Unknown. This is the first incident of this kind that we've noticed, but it effectively causes an entire PSU's connection to fail, forcing them to repeat the online banking process (or give up).

Remediation

It is unclear from the outside what causes this issue but I would like to draw attention to the fact that internal errors are being raised as 401 ("Unauthorized"). While the issue claims to be related to authentication, the issue is server side and not client side and therefore would be better represented as a 5xx error rather than 4xx.


Reference: OBSD-5854

boggey79 commented 5 years ago

Same issue appears intermittently for us, although on a different endpoint.

  { RequestEventArgs: { Method: GET,
      Endpoint: "https://carme.api.barclays:443/open-banking/v2.0/account-requests/BARCLAYS-#######",
      Headers: { Authorization: [REMOVED], x-fapi-financial-id: [REMOVED], x-fapi-interaction-id: [REMOVED] } },
    StatusCode: Unauthorized,
    Headers: { Connection: keep-alive, Keep-Alive: timeout=30, Date: "Wed, 23 Jan 2019 11:20:33 GMT" },
    Content: An error occured in OAuth security policy handler }
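The status-code point raised in the report, and the missing `WWW-Authenticate` header visible in both captured responses, can be shown with a small policy handler. This is an added illustration, not Barclays' handler nor either reporter's client code: `introspect`, the `tok:<subject>:<expiry>` token format, the `Response` type and the sample responses are all constructed here. `naive_handler` reproduces the behaviour the issue complains about (any failure, including a backend outage, becomes an opaque 401); `policy_handler` returns 401 only for a bad credential and a 5xx with the interaction id otherwise; `next_action` is the TPP-side triage that keeps an opaque 401 from being mistaken for a revoked consent.

```python
"""Map token-validation outcomes to HTTP status codes, and triage them as a TPP.

Added example for this issue; not Barclays' code and not a TPP client.
All token formats, stubs and sample responses below are constructed.
"""
import json
import logging
import time
from dataclasses import dataclass, field

log = logging.getLogger("oauth-policy")


class TokenInvalid(Exception):
    """Raised only when the presented credential itself is bad."""


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# ---- server side: the OAuth security policy handler -------------------

def introspect(token, now):
    """Stand-in for the authorization server's introspection call.

    Constructed behaviour: tokens look like "tok:<subject>:<expiry-epoch>".
    Anything that does not parse is invalid; subject "backend-down"
    simulates the introspection backend being unreachable.
    """
    try:
        prefix, subject, exp = token.split(":")
        expiry = float(exp)
    except ValueError as e:
        raise TokenInvalid("malformed token") from e
    if prefix != "tok":
        raise TokenInvalid("unknown token type")
    if subject == "backend-down":
        raise ConnectionError("introspection endpoint unreachable")
    if expiry < now:
        raise TokenInvalid("token expired")
    return {"sub": subject}


def naive_handler(headers, now=None):
    """The pattern the issue describes: every failure collapses into a 401."""
    try:
        token = headers["Authorization"].split(" ", 1)[1]
        introspect(token, now if now is not None else time.time())
        return Response(200)
    except Exception:
        # Backend outage, bug and bad token are indistinguishable to the client.
        return Response(401, {}, "An error occured in OAuth security policy handler")


def policy_handler(headers, now=None):
    """Only credential problems map to 401; everything else is a 5xx."""
    interaction_id = headers.get("x-fapi-interaction-id", "none")
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return Response(401, {"WWW-Authenticate": 'Bearer realm="ob", error="invalid_request"'},
                        json.dumps({"error": "invalid_request"}))
    try:
        introspect(token, now if now is not None else time.time())
    except TokenInvalid as e:
        # RFC 6750 challenge: the client knows the token is the problem.
        return Response(401, {"WWW-Authenticate":
                              f'Bearer realm="ob", error="invalid_token", error_description="{e}"'},
                        json.dumps({"error": "invalid_token"}))
    except Exception:
        # Server-side fault: log with the interaction id and say so honestly.
        log.exception("policy handler failed, interaction %s", interaction_id)
        return Response(503, {"Retry-After": "5", "x-fapi-interaction-id": interaction_id},
                        json.dumps({"error": "server_error", "interaction_id": interaction_id}))
    return Response(200)


# ---- client side: what a TPP should do with the answer ----------------

def next_action(resp):
    """Decide whether a failed call needs re-consent, a retry, or escalation.

    A 401 must carry WWW-Authenticate (RFC 7235); one without it is the
    opaque case seen in this issue and should not trigger re-consent.
    """
    if resp.status == 401 and "WWW-Authenticate" in resp.headers:
        return "reconsent"
    if resp.status == 401:
        return "escalate"
    if 500 <= resp.status < 600:
        return "retry"
    return "ok"


if __name__ == "__main__":
    outage = {"Authorization": "Bearer tok:alice:9999999999", "x-fapi-interaction-id": "abc"}
    outage["Authorization"] = "Bearer tok:backend-down:9999999999"
    print(naive_handler(outage))           # 401, no challenge header
    print(policy_handler(outage))          # 503 with Retry-After
    print(next_action(naive_handler(outage)), next_action(policy_handler(outage)))
```

The design choice is simply that the handler's `except` clauses are ordered from most specific to least: only `TokenInvalid` earns a 401, and that 401 always carries a `WWW-Authenticate` challenge so a client can tell it apart from the opaque response captured above.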