Here we list the most common errors encountered in Rabobank OAuth 2.0 flow on the client side. These use cases list reasons for errors and how to troubleshoot them.

Obtaining Authorization

During the Authorization call to get the consent of the user, the TPP may encounter the following:

Invalid client id supplied

You receive a 401 Unauthorized HTTP response with the invalid client id or secret message while invoking an Authorization flow.

This could be caused by one of the following:

An invalid client id is supplied in the request.
Your TPP application is not subscribed to an API using OAuth 2.0.

To solve this issue, your application should be subscribed to an API using OAuth 2.0 and provide a valid client ID.

Redirect URI mismatch

When registering an application, you should provide a redirect URI on the Rabobank developer portal.

If you have more than one redirect URL listed in the developer portal, make sure to provide one of the registered redirect URIs in the redirect_uri query parameter during an Authorization call. If the redirect URI from your request does not match the one registered on the Rabobank developer portal, you get the following error:

Requesting access token

To access the requested resources, you should exchange the received authorization code for an access token. During the retrieval of the access token, you may encounter the following:

Invalid authorization code (grant type code flow)

The authorization code should be sent to the token endpoint to get the access token. Sending an invalid authorization code (expired, invalid, or already used) results in the error:

Http status: 400 (Bad request)
{"error": "invalid_grant"}

To avoid this error, pass the correct authorization code before it expires (expiry: 5 minutes) and ensure you do not call the token endpoint multiple times using the same authorization code.

👍
Adding a slight delay of 1000ms before calling this endpoint ensures that the authorization code is in sync across our servers.

Invalid refresh token

Sending an invalid Refresh token to get an access token results in:

Http status: 401 (Unauthorized)
{"error": "invalid_grant"}

The Refresh token can only be used once. To avoid this error, pass a valid Refresh token and do not try to use the same token multiple times.

Invalid authorization header

When making a call to the token endpoint, an Authorization header must be provided containing a client id and client secret. If an invalid combination is passed, it results in:

Http status: 401 (Unauthorized)
{"error": "invalid_client"}

To avoid this error, use the correct client id and client secret and prepare the Authorization header as specified in the OAuth PSD2 and Premium documentation.

Grant type missing

When making a call to the token endpoint, the grant_type query parameter must be provided. For example, if you are swapping an authorization code for an access token, the value should be authorization_code.

An example error message:

Http status: 400 (Bad request)
{"error": "invalid_request"}

To avoid this error, ensure all required parameters, including grant_type, are provided.

Requesting resources with an access token

Access token invalid

The Access token issued by the authorization server is of limited validity. Its expiry time is provided in the token response. If you pass an expired or invalid Access token while accessing a resource, you receive the following error:

{
  "httpCode": "401",
  "httpMessage": "Unauthorized",
  "moreInformation": "This server could not verify that you are authorized to access the URL"
}

To avoid this error, always check the expiry time of the access token. If the token is expired, use a Refresh token to obtain a new Access token. If you are unable to get a new access token using the refresh token, it could be because the user consent is either expired or revoked. In that case, validate the consent using the Consent Details Service API and renew the consent, if necessary.

Check if the user consent is expired (or) revoked?

Using the information received during the authorization flow, you can retrieve the consent by its specific Id as explained in the Consent Details Service documentation for Premium or PSD2

The consent is not valid if its status is one of the following:

expired
revokedByPsu
terminatedByTpp
received
rejected

Using an invalid consent results in:

{
  "httpCode": "403",
  "httpMessage": "Forbidden",
  "moreInformation": "CONSENT_INVALID"
}

To regain access, follow the authorization flow again and ask the user to grant the required permissions.

Deactivated or Expired consent

The consent of the user may be expired or revoked while your access/refresh tokens are still active, resulting in a 403 Forbidden CONSENT_INVALID error.

👍
You may also check the status of the consent by calling the Consent Details Service API and re-initiate the consent flow if required.

Not having the required permission to access an API

A 403 Forbidden FORBIDDEN error can be triggered if the Access token does not contain the correct scope for the API being used.

Example: If you have an access token for the scope paymentRequest but are trying to access the Account information API (which requires the scope ais.balances.read), you encounter a 403 error.

To avoid this, follow the authorization flow with the correct scope required for your API.

Summary of Troubleshooting

Authorization Errors: Check client id, client secret, and redirect URI configuration.
Token Exchange Errors: Verify that the authorization code is valid, not expired, and used only once; ensure correct usage of refresh tokens.
Access Errors: Monitor access token expiry and scope; validate user consent using the Consent Details Service API.

By following these guidelines and troubleshooting steps, you can address the most common errors encountered in the Rabobank OAuth 2.0 flow.