Security conformance for UK Open Banking passes tests that should fail according to the Customer Experience Guidelines
This relates to tests done under FAPI-RW-ID2 using openbanking_uk profile.
A number of tests submit malformed authorization requests and currently pass if the authorization server responds with a redirect to the TPP carrying an error condition.
Tests that I believe have this issue:

- fapi-rw-id2-ensure-request-object-without-exp-fails
- fapi-rw-id2-ensure-request-object-without-scope-fails
- fapi-rw-id2-ensure-request-object-without-nonce-fails
- fapi-rw-id2-ensure-expired-request-object-fails
- fapi-rw-id2-ensure-request-object-with-bad-aud-fails
- fapi-rw-id2-ensure-signed-request-object-with-RS256-fails
- fapi-rw-id2-ensure-request-object-signature-algorithm-is-not-none
- fapi-rw-id2-ensure-request-object-with-invalid-signature-fails
- fapi-rw-id2-ensure-matching-key-in-authorization-request
- fapi-rw-id2-ensure-authorization-request-without-request-object-fails
- fapi-rw-id2-ensure-response-type-code-fails
However, according to the Open Banking Customer Experience Guidelines [1] this is not allowed, because the only way a user can tell that a malicious actor is submitting invalid requests is for the ASPSP to display an error message itself rather than redirecting to the TPP.
At present the conformance tests allow either redirect or error page.
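As an added example (not code from this issue or from the conformance suite), the check below shows the stricter verdict being asked for: under the openbanking_uk profile a redirect back to the TPP's registered redirect_uri carrying an error fails the test, while an ASPSP-rendered error page passes; other profiles keep accepting either. The function names, the treatment of a redirect that does not target the TPP as an ASPSP-hosted error page, and the sample responses are all assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

def error_in_redirect(location):
    """Return the OAuth 'error' code carried in the query or fragment of a redirect, else None."""
    parts = urlsplit(location)
    for component in (parts.query, parts.fragment):
        params = parse_qs(component)
        if "error" in params:
            return params["error"][0]
    return None

def is_tpp_redirect(location, registered_redirect_uri):
    """True when the redirect target is the TPP's registered redirect_uri (scheme, host, path match)."""
    loc, reg = urlsplit(location), urlsplit(registered_redirect_uri)
    return (loc.scheme, loc.netloc, loc.path) == (reg.scheme, reg.netloc, reg.path)

def classify_response(status, headers, registered_redirect_uri):
    """Classify how the authorization server answered a malformed authorization request.

    ("redirect_with_error", code): the user was bounced back to the TPP with an error.
    ("error_page", None): the user stayed on an ASPSP-hosted error page (a 4xx response, or,
        by assumption here, a redirect that does not go to the TPP's redirect_uri).
    ("unexpected", None): anything else, e.g. a 200 consent page, which needs manual inspection.
    """
    location = headers.get("Location")
    if status in REDIRECT_STATUSES and location:
        if is_tpp_redirect(location, registered_redirect_uri):
            code = error_in_redirect(location)
            return ("redirect_with_error", code) if code else ("redirect_without_error", None)
        return ("error_page", None)  # assumption: redirect to the ASPSP's own error page
    if 400 <= status < 500:
        return ("error_page", None)
    return ("unexpected", None)

def verdict(outcome, profile):
    """Pass/fail for a 'malformed request must fail' test under the given profile."""
    kind = outcome[0]
    if profile == "openbanking_uk":
        # CEG: the ASPSP must display the error itself, never hand it back to the TPP.
        return kind == "error_page"
    return kind in ("error_page", "redirect_with_error")

# Constructed sample responses (not captured from any real ASPSP).
TPP_REDIRECT_URI = "https://tpp.example/cb"
REDIRECT_RESPONSE = (302, {"Location": "https://tpp.example/cb?error=invalid_request_object&state=xyz"})
ERROR_PAGE_RESPONSE = (400, {"Content-Type": "text/html"})
```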