In the event the Accredited Data Recipient (ADR) fails to obtain an Access or Refresh Token within the allocated Authorisation Code expiry period, what is the expectation on the Data Holder (DH)?
How should the DH present this consent authorisation in the Customer Dashboard? Should the DH display it as inactive, or not display it at all?
Are DHs expected to do anything in this scenario, or is the onus on the ADR to start a new consent authorisation request?
Does the DH need to communicate to the Customer that their consent authorisation has failed, and provide some explanation for the failure?
Where a consumer has given authorisation, but the Authorisation Code has not been successfully exchanged for an access or refresh token, there is no way for the ADR to access the orphaned authorisation. How the DH responds to this situation is at the discretion of the DH.
This issue has been raised and is under consideration. Change requests related to this have been raised on Standards Maintenance:
If the DH identifies these scenarios and explains the issue to the consumer, this would help the consumer attempt to re-establish consent.
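One way a DH could identify these orphaned authorisations is sketched below. This is an added example, not code from the original page or from the CDR standards. The record fields, the `classify` and `find_orphaned` helpers and the 10-minute code lifetime are assumptions, and what the dashboard does with the result remains at the DH's discretion.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Assumption: the DH's configured Authorisation Code lifetime. The page does
# not state a value; substitute the DH's own setting.
CODE_TTL = timedelta(minutes=10)


@dataclass
class Authorisation:
    """Hypothetical DH-side record of one consumer authorisation."""
    auth_id: str
    code_issued_at: datetime
    # Set by the token endpoint when the ADR exchanges the code for tokens.
    code_redeemed_at: Optional[datetime] = None


def classify(auth: Authorisation, now: datetime) -> str:
    """Return 'active', 'pending' or 'orphaned' for one authorisation."""
    if auth.code_redeemed_at is not None:
        return "active"      # the ADR obtained its tokens
    if now < auth.code_issued_at + CODE_TTL:
        return "pending"     # code still valid, exchange may yet happen
    return "orphaned"        # code expired unredeemed; the ADR cannot use it


def find_orphaned(records: List[Authorisation], now: datetime) -> List[str]:
    """IDs of authorisations whose code expired without being exchanged."""
    return [r.auth_id for r in records if classify(r, now) == "orphaned"]


# Constructed sample data, for illustration only.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    Authorisation("a1", NOW - timedelta(minutes=60),
                  code_redeemed_at=NOW - timedelta(minutes=59)),
    Authorisation("a2", NOW - timedelta(minutes=2)),    # still inside the TTL
    Authorisation("a3", NOW - timedelta(minutes=30)),   # expired, never redeemed
]

if __name__ == "__main__":
    for auth_id in find_orphaned(SAMPLE, NOW):
        print(f"{auth_id}: authorisation code expired before token exchange")
```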