
OAuth2 error and troubleshooting guide

This page lists the most common errors TPPs encounter while connecting to the Rabobank OAuth 2.0 flow. For each error the cause is explained, together with the steps a TPP can take to resolve it.

Obtaining Authorization

During the authorization call that obtains the user's consent, the TPP may encounter one of the following issues.

Invalid client id supplied

A TPP may receive an HTTP 401 Unauthorized response with the message 'invalid client id or secret' while invoking the authorization flow.

The cause of the error could be one of the following:

  1. An invalid client id is supplied in the request.
  2. The TPP's application is not subscribed to the OAuth 2.0 product.

To solve this issue, verify that your application is subscribed to the OAuth 2.0 services and that the client id in the request is the one issued for that application on the developer portal.

Redirect URI mismatch

When a TPP registers an application on the developer portal, a redirect URI must be provided. The same redirect URI must be passed as the 'redirect_uri' query parameter in the authorization call. Treat the comparison as an exact string match: scheme, host, port, path and any trailing slash must all be identical to the registered value.

If the redirect URI in your request does not match the one registered on the developer portal, the following error message is shown:

Redirect URI Mismatch

Requesting access token

To access the requested resources, the authorization code must be exchanged for an access token. The following errors can occur during that exchange.

Invalid authorization code (grant type code flow)

The authorization code must be sent to the token endpoint to obtain the access token. Sending an invalid authorization code (expired, malformed or already used) results in the error below.

Http status: 400 (Bad request)
{"error": "invalid_grant"}

To solve this problem, make sure you pass the correct authorization code within its 5-minute expiry period, and that you do not call the token endpoint more than once with the same code: a code is consumed by the first exchange, successful or not.

Note: we recommend adding a short delay of 1000 ms before calling this endpoint, so that the authorization code has been synchronised across our servers.

Invalid refresh token

Sending an invalid refresh token to obtain a new access token results in the error below.

Http status: 401 (Unauthorized)
{"error": "invalid_grant"}

To resolve this issue, make sure you pass the refresh token that was most recently issued to you.

A refresh token can be used only once: the response to a successful refresh carries a replacement, and using the old token again results in the same error as above. Persist the new refresh token immediately after every refresh, before you use the new access token.

Invalid authorization header

During the call to the token endpoint, an Authorization header must be provided that carries the client id and client secret, combined as described in the OAuth 2.0 documentation (HTTP Basic authentication in RFC 6749). When an invalid combination is passed, the following error is returned.

Http status: 401 (Unauthorized)
{"error": "invalid_client"}

To resolve this issue, verify that you are using the correct client id and secret, and that the Authorization header is constructed exactly as stated in the OAuth 2.0 documentation (the base64 value must cover 'client_id:client_secret' with no trailing newline).

Grant type mismatch

During the call to the token endpoint, a parameter called 'grant_type' must be provided. Its value depends on the type of credential you are exchanging at the endpoint.

For example, if you are swapping an authorization code for an access token the value of the parameter should be 'code'.

The correct value for each type of input is listed in the OAuth 2.0 documentation. Note that generic OAuth 2.0 examples use the RFC 6749 value 'authorization_code' for this grant, so copy the value from the Rabobank documentation rather than from a generic client library default.

An example of the error message returned in this scenario:

Http status: 400 (Bad request)
{"error": "invalid_request"}
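The following client-side handling of the token endpoint errors listed above (invalid or replayed code, single-use refresh token, bad Authorization header, wrong grant_type) is an added example and not code from the Rabobank developer portal. The endpoint URLs, client credentials and the FakeTokenEndpoint class are constructed for the example so it runs offline; it also assumes the RFC 6749 grant_type value 'authorization_code' for the code exchange, which you should replace with the value given in the Rabobank OAuth 2.0 documentation.

```python
import base64
import secrets
import time
from urllib.parse import urlencode

# Constructed for this example: endpoint URLs, client credentials and the fake
# token endpoint are assumptions, not Rabobank's real values or code.
AUTHORIZE_URL = "https://example.invalid/oauth2/authorize"
TOKEN_URL = "https://example.invalid/oauth2/token"
REGISTERED_REDIRECT_URI = "https://tpp.example.invalid/callback"
CLIENT_ID = "tpp-client-id"
CLIENT_SECRET = "tpp-client-secret"
CODE_LIFETIME = 300          # the page states a 5-minute authorization-code expiry
# grant_type for the code exchange: RFC 6749 defines "authorization_code"; this is
# an assumption here, use the value the Rabobank OAuth 2.0 documentation specifies.
CODE_GRANT = "authorization_code"


class TokenError(Exception):
    """The token endpoint answered with an OAuth error document."""
    def __init__(self, status, error):
        super().__init__(f"HTTP {status}: {error}")
        self.status, self.error = status, error


def build_authorization_url(scope, state):
    # redirect_uri must equal the registered value character for character,
    # otherwise the portal answers "Redirect URI Mismatch".
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REGISTERED_REDIRECT_URI, "scope": scope, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)


def basic_auth_header(client_id=CLIENT_ID, client_secret=CLIENT_SECRET):
    # client_secret_basic: base64("client_id:client_secret"), no trailing newline
    raw = f"{client_id}:{client_secret}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def _call_token_endpoint(post, form):
    status, body = post(TOKEN_URL, basic_auth_header(), form)
    if status != 200:
        raise TokenError(status, body.get("error", "unknown"))
    return body


def exchange_code(post, code, delay=1.0):
    """Swap an authorization code exactly once; post(url, headers, form) -> (status, json)."""
    time.sleep(delay)  # the page recommends ~1000 ms so the code has synchronised
    return _call_token_endpoint(post, {"grant_type": CODE_GRANT, "code": code,
                                       "redirect_uri": REGISTERED_REDIRECT_URI})


def refresh_tokens(post, refresh_token):
    """Refresh tokens are single use: the caller must persist the returned one."""
    return _call_token_endpoint(post, {"grant_type": "refresh_token",
                                       "refresh_token": refresh_token})


class FakeTokenEndpoint:
    """Offline stand-in that reproduces the error responses listed on this page."""
    def __init__(self):
        self.codes = {}            # code -> issued_at; removed when consumed
        self.refresh_tokens = set()

    def issue_code(self, issued_at=None):
        code = secrets.token_urlsafe(16)
        self.codes[code] = time.time() if issued_at is None else issued_at
        return code

    def _tokens(self):
        rt = secrets.token_urlsafe(24)
        self.refresh_tokens.add(rt)
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": rt}

    def post(self, url, headers, form):
        if headers.get("Authorization") != basic_auth_header()["Authorization"]:
            return 401, {"error": "invalid_client"}
        grant = form.get("grant_type")
        if grant == CODE_GRANT:
            issued = self.codes.pop(form.get("code"), None)   # pop: a code is single use
            if issued is None or time.time() - issued > CODE_LIFETIME:
                return 400, {"error": "invalid_grant"}
            return 200, self._tokens()
        if grant == "refresh_token":
            rt = form.get("refresh_token")
            if rt not in self.refresh_tokens:
                return 401, {"error": "invalid_grant"}   # status as documented on this page
            self.refresh_tokens.discard(rt)               # rotation: the old token is now dead
            return 200, self._tokens()
        return 400, {"error": "invalid_request"}
```

In production, `post` is a real HTTPS call that returns the status code and parsed JSON body; the fake endpoint only exists so the three failure modes (replayed or expired code, reused refresh token, wrong client credentials) can be exercised without network access. Note that the code is popped before its age is checked, so an expired code is consumed too, matching the advice above never to retry an exchange with the same code.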

Requesting resources with an access token

Access token invalid

The access token issued by the authorization server is valid for 1 hour. Passing an expired or otherwise invalid access token when accessing a resource results in the following error.

{
  "httpCode": "401",
  "httpMessage": "Unauthorized",
  "moreInformation": "This server could not verify that you are authorized to access the URL"
}

To resolve this issue, check the expiry time associated with the access token. If it has expired, use the refresh token to obtain a new access token.

If you cannot obtain a new access token with the refresh token, the usual cause is that the user's consent has expired or has been revoked by the user. This can be checked via the Consent Details API, as explained in the next section.

In that case, the client must renew the consent by starting a new authorization flow.

How to check if the user consent has expired or been revoked?

To check the status of the user's consent, use the Consent Details API.

Using the information you received during the authorization flow, you can retrieve the consent by its Id. Implementation details are available in the documentation of the Consent Details API linked below.

API Consent Details Service

If the consent status is 'invalid', the consent can no longer be used to access resources. The user must give consent again, and a new authorization flow must be started.

Forbidden

You will see this error message when no valid consent is found or your access token lacks the required permission. Both scenarios are explained in more detail below.

{
  "httpCode": "403",
  "httpMessage": "Forbidden",
  "moreInformation": "Forbidden"
}

Deactivated or Expired consent

The user's consent may have expired or been revoked by the user while your access and refresh tokens are still active; this produces a 403 Forbidden. We recommend checking the status of the consent with the Consent Details API and, if it is no longer valid, re-initiating the consent flow.

Not having the required permission to access an API

Another scenario that triggers a 403 Forbidden response is when the access token passed in the request does not carry the scope required by the API you are calling. Example: your access token has the scope 'paymentRequest', but you call the Account Information API, which requires a different scope: 'ais.balances.read'.

To resolve this issue, start the authorization flow again requesting the scope required for your API; a token's scopes are fixed when it is issued and cannot be widened by refreshing it.
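The triage described in the three sections above (401: refresh once and retry; refresh refused: check the consent; 403: check the consent, then the scope) as an added example that is not code from the Rabobank developer portal. The FakeBank class, its paths and the SCOPE_FOR_PATH table are constructed for the example so it runs offline; only the two scope names quoted above come from the page.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed for this example: the fake bank (resource server, token refresh and
# Consent Details lookup), its paths and this scope table are assumptions, not
# Rabobank's real APIs or code; the two scope names are the ones quoted on this page.
SCOPE_FOR_PATH = {"/accounts/balances": "ais.balances.read",
                  "/payment-requests": "paymentRequest"}


class ConsentRenewalRequired(Exception):
    """Consent expired or revoked: start a new authorization flow with the user."""


class ScopeMismatch(Exception):
    """Token lacks the scope the API needs: redo authorization with that scope."""


@dataclass
class Session:
    access_token: str
    refresh_token: str
    consent_id: str
    scopes: frozenset


class FakeBank:
    def __init__(self):
        self.access = {}     # access_token -> (consent_id, expires_at)
        self.refresh = {}    # refresh_token -> consent_id
        self.consents = {}   # consent_id -> {"status": ..., "scopes": ...}

    def grant(self, scopes, access_ttl=3600):
        cid = secrets.token_hex(8)
        self.consents[cid] = {"status": "valid", "scopes": frozenset(scopes)}
        at, rt = self._issue(cid, access_ttl)
        return Session(at, rt, cid, frozenset(scopes))

    def _issue(self, cid, ttl):
        at, rt = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.access[at] = (cid, time.time() + ttl)
        self.refresh[rt] = cid
        return at, rt

    def revoke_consent(self, cid):
        self.consents[cid]["status"] = "invalid"   # tokens stay in place, as the page describes

    def consent_details(self, cid):
        return {"status": self.consents[cid]["status"]}

    def refresh_tokens(self, rt):
        cid = self.refresh.pop(rt, None)           # single use, whatever the outcome
        if cid is None or self.consents[cid]["status"] != "valid":
            return 401, {"error": "invalid_grant"}
        at, new_rt = self._issue(cid, 3600)
        return 200, {"access_token": at, "refresh_token": new_rt}

    def get(self, path, access_token):
        rec = self.access.get(access_token)
        if rec is None or rec[1] < time.time():
            return 401, {"httpCode": "401", "httpMessage": "Unauthorized",
                         "moreInformation": "This server could not verify that you are authorized to access the URL"}
        consent = self.consents[rec[0]]
        if consent["status"] != "valid" or SCOPE_FOR_PATH[path] not in consent["scopes"]:
            return 403, {"httpCode": "403", "httpMessage": "Forbidden", "moreInformation": "Forbidden"}
        return 200, {"path": path, "ok": True}


def call_api(bank, session, path):
    """One resource call with the 401/403 triage this page describes."""
    status, body = bank.get(path, session.access_token)
    if status == 401:
        # expired or invalid access token: refresh once, then retry
        st, tok = bank.refresh_tokens(session.refresh_token)
        if st != 200:
            # refresh refused: the usual cause is an expired or revoked consent
            if bank.consent_details(session.consent_id)["status"] != "valid":
                raise ConsentRenewalRequired(session.consent_id)
            raise RuntimeError(f"refresh failed: {tok}")
        session.access_token = tok["access_token"]
        session.refresh_token = tok["refresh_token"]   # persist the rotated token at once
        status, body = bank.get(path, session.access_token)
    if status == 403:
        if bank.consent_details(session.consent_id)["status"] != "valid":
            raise ConsentRenewalRequired(session.consent_id)
        needed = SCOPE_FOR_PATH[path]
        if needed not in session.scopes:
            raise ScopeMismatch(needed)
    if status != 200:
        raise RuntimeError(f"unexpected {status}: {body}")
    return body
```

The order of checks matters: a 403 is checked against the consent status before the scope table, because a revoked consent produces the same Forbidden body as a missing scope and only the Consent Details API distinguishes them. Both exceptions mean the same remedy for the user, a new authorization flow, but ScopeMismatch tells you which scope to request in it.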