OpenBankingToolkit/openbanking-reference-implementation

OBRI.AccessToken.Invalid error on /pisp/domestic-standing-orders/ GET submission call


External Issue Id: 49579
Date Raised: 10/05/2020

Description of the bug
TPP receiving the following error:

ErrorCode":"OBRI.AccessToken.Invalid","Message":"The access token grant type CLIENT_CREDENTIAL doesn't match one of the expected grant types [AUTHORIZATION_CODE, HEADLESS_AUTH]

On the following endpoint:
GET https://matls.rs.aspsp.sandbox.lloydsbanking.com/open-banking/v3.1/pisp/domestic-standing-orders/{DomesticStandingOrderId}

Based on the Open Banking specification the TPP believes the endpoint should allow access with a Client Credentials grant token, and not an Authorisation Code grant token.

Investigation of the bug by the OBRI team

After looking at the spec here:
https://openbanking.atlassian.net/wiki/spaces/DZ/pages/937623689/Domestic+Standing+Orders+v3.1#DomesticStandingOrdersv3.1-Endpoints

we agree that this endpoint should be accessible using CLIENT_CREDENTIALS.

To Reproduce
Steps to reproduce the behaviour:

  1. Perform the domestic standing order flow
  2. When making the GET request to the endpoint in question, change the Auth header from Bearer to Basic and provide the client ID and client secret

Reproduce the issue with postman

  1. Collection: End To End Test (Generated)/Test payment flow/Domestic payments/Domestic standing orders
  2. Run:
    • POST: Generate client credential JWT
    • POST: Client credential (this access token has grant type client credentials) {{access_token}}
    • POST: Create domestic payment consent Actual Rate
    • GET: Get domestic payment consent
    • POST: Generate request parameter
    • POST: Get access token via headless auth (this access token has grant type authorization code) {{access_token_with_consent}}
    • POST: Domestic Payment
    • GET: Get Domestic Payment - /open-banking/v3.0/international-payments/{InternationalPaymentId}. This request normally uses {{access_token_with_consent}} (grant type authorization code); before running it, change {{access_token_with_consent}} to {{access_token}} on the Headers tab so that the request uses the access token with grant type client_credentials
  3. The response will be
    • ErrorCode":"OBRI.AccessToken.Invalid","Message":"The access token grant type CLIENT_CREDENTIAL doesn't match one of the expected grant types [AUTHORIZATION_CODE, HEADLESS_AUTH]

Expected behaviour
The call succeeds and the flow is executed.

Current behaviour
An error is returned to the caller stating
ErrorCode":"OBRI.AccessToken.Invalid","Message":"The access token grant type CLIENT_CREDENTIAL doesn't match one of the expected grant types [AUTHORIZATION_CODE, HEADLESS_AUTH]
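The check behind this error, modelled as an added example (this is not code from the OpenBanking reference implementation): the resource server records which grant type each access token was obtained with and compares it against a per-endpoint allow-list. The two policy tables, the `Endpoint` tuple, and the fail-closed message for an endpoint with no policy entry are constructed for illustration; the error code and message format for a mismatch are taken from the report above. The point of keeping the policy per endpoint is that the fix widens the allow-list for the domestic-standing-orders GET only, rather than relaxing the grant-type requirement for every PISP endpoint.

```python
from enum import Enum
from typing import Dict, Optional, Tuple


class GrantType(Enum):
    # Values match the names that appear in the error message in this issue.
    CLIENT_CREDENTIAL = "CLIENT_CREDENTIAL"
    AUTHORIZATION_CODE = "AUTHORIZATION_CODE"
    HEADLESS_AUTH = "HEADLESS_AUTH"


# (HTTP method, path template) identifies an endpoint in the policy table.
Endpoint = Tuple[str, str]
GrantPolicy = Dict[Endpoint, Tuple[GrantType, ...]]

GET_DOMESTIC_STANDING_ORDER: Endpoint = (
    "GET",
    "/open-banking/v3.1/pisp/domestic-standing-orders/{DomesticStandingOrderId}",
)

# Constructed policy reproducing the behaviour reported in the issue:
# the GET accepts only tokens obtained through a user-authorised grant.
POLICY_BEFORE_FIX: GrantPolicy = {
    GET_DOMESTIC_STANDING_ORDER: (GrantType.AUTHORIZATION_CODE, GrantType.HEADLESS_AUTH),
}

# Constructed policy for the expected behaviour: CLIENT_CREDENTIAL is added
# for this endpoint only, so other endpoints keep their own requirements.
POLICY_AFTER_FIX: GrantPolicy = {
    GET_DOMESTIC_STANDING_ORDER: (
        GrantType.CLIENT_CREDENTIAL,
        GrantType.AUTHORIZATION_CODE,
        GrantType.HEADLESS_AUTH,
    ),
}


def format_expected(expected: Tuple[GrantType, ...]) -> str:
    """Render the allowed list the way the OBRI error message shows it."""
    return "[" + ", ".join(g.value for g in expected) + "]"


def check_grant_type(policy: GrantPolicy, endpoint: Endpoint,
                     token_grant: GrantType) -> Optional[dict]:
    """Return None when the token's grant type is acceptable for the endpoint,
    otherwise an error body in the OBRI.AccessToken.Invalid shape."""
    expected = policy.get(endpoint)
    if expected is None:
        # Hypothetical fail-closed default for an endpoint with no policy entry;
        # this message text is constructed, not from the reference implementation.
        return {
            "ErrorCode": "OBRI.AccessToken.Invalid",
            "Message": f"No grant-type policy configured for {endpoint[0]} {endpoint[1]}",
        }
    if token_grant in expected:
        return None
    return {
        "ErrorCode": "OBRI.AccessToken.Invalid",
        "Message": (f"The access token grant type {token_grant.value} doesn't match "
                    f"one of the expected grant types {format_expected(expected)}"),
    }


if __name__ == "__main__":
    # Same request, same client-credentials token, evaluated against both policies.
    for label, policy in (("before fix", POLICY_BEFORE_FIX), ("after fix", POLICY_AFTER_FIX)):
        result = check_grant_type(policy, GET_DOMESTIC_STANDING_ORDER, GrantType.CLIENT_CREDENTIAL)
        print(label, "->", "allowed" if result is None else result["Message"])
```

Run stand-alone, the "before fix" line reproduces the message quoted in this issue and the "after fix" line reports the request as allowed. A policy lookup keyed on (method, path) also makes the allow-list easy to review against the endpoint table in the specification linked above.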

Fix postman test

  1. Change {{access_token_with_consent}} to {{access_token}} in:
    • POST: Get access token via headless auth (this access token has grant type authorization code) {{access_token_with_consent}}

Release Notes

Affected App: X

Description: X