OBRI.AccessToken.Invalid error on /pisp/domestic-standing-orders/ GET submission call
Status: Closed · 0 comments
External Issue Id: 49579
Date Raised: 10/05/2020
Description of the bug
TPP receiving the following error:
"ErrorCode":"OBRI.AccessToken.Invalid","Message":"The access token grant type CLIENT_CREDENTIAL doesn't match one of the expected grant types [AUTHORIZATION_CODE, HEADLESS_AUTH]"
On the following endpoint:
GET https://matls.rs.aspsp.sandbox.lloydsbanking.com/open-banking/v3.1/pisp/domestic-standing-orders/{DomesticStandingOrderId}
Based on the Open Banking specification, the TPP believes the endpoint should allow access with a Client Credentials grant token, and not an Authorisation Code grant token.
Investigation of the bug by the OBRI team
After looking at the spec here:
https://openbanking.atlassian.net/wiki/spaces/DZ/pages/937623689/Domestic+Standing+Orders+v3.1#DomesticStandingOrdersv3.1-Endpoints
we agree that this endpoint should be accessible using CLIENT_CREDENTIALS.
To Reproduce
Steps to reproduce the behaviour:
- Perform the domestic standing order flow
- When making the GET request to the endpoint in question, change the Auth header from bearer to basic and provide the client ID and client secret
Reproduce the issue with Postman
- Collection: End To End Test (Generated)/Test payment flow/Domestic payments/Domestic standing orders
- Run:
  - POST: Generate client credential JWT
  - POST: Client credential (this access token has grant type client_credentials): {{access_token}}
  - POST: Create domestic payment consent Actual Rate
  - GET: Get domestic payment consent
  - POST: Generate request parameter
  - POST: Get access token via headless auth (this access token has grant type authorization_code): {{access_token_with_consent}}
  - POST: Domestic Payment
  - GET: Get Domestic Payment - /open-banking/v3.0/international-payments/{InternationalPaymentId}. This request uses {{access_token_with_consent}} (grant type authorization_code); before running it, change {{access_token_with_consent}} to {{access_token}} on the Headers tab so the request uses the access token with grant type client_credentials.
- The response will be
"ErrorCode":"OBRI.AccessToken.Invalid","Message":"The access token grant type CLIENT_CREDENTIAL doesn't match one of the expected grant types [AUTHORIZATION_CODE, HEADLESS_AUTH]"
Expected behaviour
The call succeeds and the flow is executed.
Current behaviour
An error is returned to the caller stating
"ErrorCode":"OBRI.AccessToken.Invalid","Message":"The access token grant type CLIENT_CREDENTIAL doesn't match one of the expected grant types [AUTHORIZATION_CODE, HEADLESS_AUTH]"
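The check that produces this error is a per-endpoint grant-type policy: the resource server validates the bearer token, reads the grant type it was issued under, and compares it with the grant types allowed on the matched route. The following is an added illustration of that check and of the narrow fix the investigation points to (adding CLIENT_CREDENTIALS to the GET on a submitted standing order while leaving the submission POST untouched). It is not code from the OBRI resource server: the route matcher, the AccessToken model, the POST policy entry and the sample client, consent and order identifiers are all constructed here.

```python
"""Grant-type enforcement on a PISP endpoint, modelled on the OBRI error in this issue.

Added illustration, not OBRI code. The endpoint policy, route matcher, token
model and sample identifiers below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional

# Grant type names exactly as they appear in the reported error message.
CLIENT_CREDENTIAL = "CLIENT_CREDENTIAL"
AUTHORIZATION_CODE = "AUTHORIZATION_CODE"
HEADLESS_AUTH = "HEADLESS_AUTH"

GET_ORDER = ("GET", "/open-banking/v3.1/pisp/domestic-standing-orders/{DomesticStandingOrderId}")
POST_ORDER = ("POST", "/open-banking/v3.1/pisp/domestic-standing-orders")

# Policy reproducing the reported behaviour: the GET only accepts tokens that
# came out of the consent authorisation flow. The POST entry is an assumption
# added for contrast; the issue itself only shows the GET.
POLICY_BEFORE = {
    GET_ORDER: {AUTHORIZATION_CODE, HEADLESS_AUTH},
    POST_ORDER: {AUTHORIZATION_CODE, HEADLESS_AUTH},
}

# Corrected policy: per the Domestic Standing Orders v3.1 endpoint table, the
# GET on a submitted order is accessible with a client-credentials token. Only
# that one route is widened; the submission POST keeps its original set.
POLICY_AFTER = {
    **POLICY_BEFORE,
    GET_ORDER: POLICY_BEFORE[GET_ORDER] | {CLIENT_CREDENTIAL},
}


@dataclass(frozen=True)
class AccessToken:
    """Claims the resource server needs once the token itself has been validated."""
    client_id: str
    grant_type: str
    consent_id: Optional[str] = None  # present only on consent-bound tokens


def route_matches(template: str, path: str) -> bool:
    """Segment-wise match; a {Placeholder} segment accepts any single non-empty segment."""
    t_parts = template.strip("/").split("/")
    p_parts = path.strip("/").split("/")
    if len(t_parts) != len(p_parts):
        return False
    return all(
        (t.startswith("{") and t.endswith("}") and p != "") or t == p
        for t, p in zip(t_parts, p_parts)
    )


def authorize(policy: dict, method: str, path: str, token: AccessToken) -> Optional[dict]:
    """Return None when the token's grant type is allowed on the route, else an OBRI-style error body."""
    for (route_method, template), allowed in policy.items():
        if route_method != method or not route_matches(template, path):
            continue
        if token.grant_type in allowed:
            return None
        expected = ", ".join(sorted(allowed))
        return {
            "ErrorCode": "OBRI.AccessToken.Invalid",
            "Message": (
                f"The access token grant type {token.grant_type} doesn't match "
                f"one of the expected grant types [{expected}]"
            ),
        }
    raise LookupError(f"no policy entry for {method} {path}")


# Constructed sample data: the TPP's client-credentials token, a consent-bound
# authorization-code token, and the path of a submitted order.
CC_TOKEN = AccessToken(client_id="tpp-sandbox-client", grant_type=CLIENT_CREDENTIAL)
AC_TOKEN = AccessToken(client_id="tpp-sandbox-client", grant_type=AUTHORIZATION_CODE,
                       consent_id="DSOC-example")
ORDER_PATH = "/open-banking/v3.1/pisp/domestic-standing-orders/DSO-example"


def reproduce() -> dict:
    """The failure from the issue: a client-credentials token rejected on the GET."""
    return authorize(POLICY_BEFORE, "GET", ORDER_PATH, CC_TOKEN)


def after_fix() -> dict:
    """Outcomes under the corrected policy: GET accepts both grants, POST is still restricted."""
    return {
        "get_with_client_credentials": authorize(POLICY_AFTER, "GET", ORDER_PATH, CC_TOKEN),
        "get_with_authorization_code": authorize(POLICY_AFTER, "GET", ORDER_PATH, AC_TOKEN),
        "post_with_client_credentials": authorize(POLICY_AFTER, "POST", POST_ORDER[1], CC_TOKEN),
    }


if __name__ == "__main__":
    print(reproduce()["Message"])
    for name, outcome in after_fix().items():
        print(name, "->", "allowed" if outcome is None else outcome["ErrorCode"])
```

The point of keeping the policy keyed by (method, route) rather than by resource is visible in after_fix(): the fix makes the GET reachable with the TPP's own client-credentials token without letting that token submit a payment, which still requires a token bound to an authorised consent.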
Fix Postman test
- Change {{access_token_with_consent}} to {{access_token}} in the GET request above.
- POST: Get access token via headless auth (this access token has grant type authorization_code): {{access_token_with_consent}}
Release Notes
Affected App: X
Description: X