Once a PSU has authorized and consented to the account request they are given 90 seconds to return to the "original" window. In a Web-Web interaction this means switching tabs, whereas in an app-based flow this involves switching apps.
(see attached image)
Given that Barclays already has session timeout management that governs the entire consent, it is completely unclear to us what benefit this 90 second window provides from a security profile perspective.
The timing here is quite unforgiving and it's not quite clear to us why this time is not included in the overall consent window. The OB Security Profile does allow for aggressive timing on the authorization_code => access_token swap as part of OIDC, but this is a non-interactive process that does not require PSU interaction.
This is one of many individual concerns TPPs have with Barclays' Authorization and adds more pressure on PSUs to move quickly through the process. They may struggle to locate the original tab, and given that authorization has been completed it is unclear to us what reasoning exists for this individual timeout. As such, we feel that unless sufficient justification can be provided, this potentially could be construed as an "obstacle to the provision of [services]" under RTS Article 32(3).