According to the Open Banking Account and Transaction API Specification v1.1.0:
> If the PSU does not complete a successful consent authorisation (e.g. if the PSU is not authenticated successfully), the authorization code grant ends with a redirection to the TPP with an error response as described in RFC 6749 Section 4.1.2.1. The PSU is redirected to the TPP with an error parameter indicating the error that occurred.
Following deployment of the "Barclays enhanced OB journeys", during the web-to-web flow, if the PSU logs in using "Passcode and memorable word", they encounter an error (see attached screenshot) and are "stuck" on their Online Banking portal.
There is no way for the PSU to return to the TPP unless they use their browser's "back" button, which is not acceptable UX and does not notify the TPP that the PSU was unable to complete the redirection journey.
Further, the PSU should not even be presented with the option of using "Passcode and memorable word" if, through that "log in" method, they are not "authorised enough" to authorise an AccountRequest.
The PSU should be redirected back to the TPP if they cannot log in using PINsentry or Mobile PINsentry.
The PSU is "stuck" on the Barclays page and has no feasible way of returning to the TPP.
Critical. This change has been pushed onto a live production environment, breaking redirection flows for PSUs that log in using one of the three options provided to them ("Passcode and memorable word").
Redirect the PSU back to the TPP if the PSU does not have "enough access" to authorise the AccountRequest.
Do not present the option to log in via "Passcode and memorable word" if the PSU is not "authorised" enough to authorise the AccountRequest.
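For reference, the TPP-side handling that the quoted specification text implies, as an added example that is not part of this report or of any Barclays or Open Banking code: it classifies whatever arrives at the TPP's redirect URI (a `code`, an RFC 6749 `error`, or nothing valid) after checking `state`, and flags pending consents that never produced any redirect at all, which is the only signal a TPP gets in the situation described above. The URL, state value and consent records are constructed sample data.

```python
from urllib.parse import urlparse, parse_qs

# Error codes RFC 6749 Section 4.1.2.1 allows the authorization server to return.
RFC6749_ERRORS = {
    "invalid_request", "unauthorized_client", "access_denied",
    "unsupported_response_type", "invalid_scope", "server_error",
    "temporarily_unavailable",
}


def handle_redirect(redirect_url, expected_state):
    """Classify a redirect back to the TPP.

    Returns a dict whose 'outcome' is 'code', 'error' or 'invalid'.
    """
    params = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    # The state parameter must match the value the TPP sent; anything else is
    # treated as a forged or replayed callback, regardless of its other content.
    if params.get("state") != expected_state:
        return {"outcome": "invalid", "reason": "state mismatch"}
    if "error" in params:
        err = params["error"]
        return {
            "outcome": "error",
            "error": err,
            "known": err in RFC6749_ERRORS,  # unknown codes are still an error
            "description": params.get("error_description", ""),
        }
    if "code" in params:
        return {"outcome": "code", "code": params["code"]}
    return {"outcome": "invalid", "reason": "no code or error parameter"}


def stale_consents(pending, now, max_age_seconds):
    """Return ids of consents started more than max_age_seconds ago with no
    redirect received. A PSU stuck on the ASPSP page produces exactly this:
    no code and no error, so the TPP can only detect it by timeout.

    pending: {consent_id: {"started": epoch_seconds, "redirect_seen": bool}}
    (constructed shape, not an Open Banking data model).
    """
    return sorted(
        cid for cid, rec in pending.items()
        if not rec["redirect_seen"] and now - rec["started"] > max_age_seconds
    )
```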