...
JWS standad defined in RFC7515 shall be adopted to ensure integrity and non-repudiation of information processed in sensitive API's (message sign requirement is indicated at API's documentation/swagger), which includes:
Header (JSON Object Signing and Encryption - JOSE Header), which defines the algorithm used and includes information about the public key or certificate that can be used to validate the signature;
Payload (JWS Payload): content itself as detailed in the API specification;
Digital signature (JWS Signature): digital signature, performed according to header parameters.
Each of elements above must be encoded using the Base64url pattern RFC4648 and the elements must be concatenated with "." (JWS Compact Serialization method as defined in RFC7515).
The payload of signed messages (request JWT and response JWT) shall include the following claims as defined at RFC7519:
aud (in the JWT request): the Resource Provider (eg the institution holding the account) must validate if the value of the aud field matches the endpoint being triggered;
aud (in JWT response): the API client (eg initiating institution) shall validate if the value of the aud field matches its own
organisationIdlisted in the directory;iss (in the JWT request and in the JWT response): the receiver of the message shall validate if the value of the iss field matches the
organisationIdof the sender;jti (in the JWT request and in the JWT response): the value of the jti field shall be filled with the UUID defined by the institution according to [RFC4122] version 4;
iat (in the JWT request and in the JWT response): the iat field shall be filled with the message generation time and according to the standard established in RFC7519 to the NumericDate format.
cty (in the JWT request and in the JWT response): the cty field shall be filled in the normal case in which nested signing or encryption operations are not employed, the use of this Header Parameter is not recommended. In the case that nested signing or encryption is employed, this Header Parameter must be present; in this case, the value must be "JWT", to indicate that a Nested JWT is carried in this JWT. While media type names are not case sensitive, it is recommended that "JWT" always be spelled using uppercase characters for compatibility with legacy implementations.
The HTTP content-type of requests and responses with JWS messages shall be defined as: "application/jwt".
The JOSE header must contain the following attributes:
alg - shall be filled with the value
PS256";kid - shall be filled with the key identifier value used for the signature;
typ - shall be filled with the value
JWT.In case of error in signature validation by
Resource Providerthe API provider shall return HTTP error message withstatus code400 and theResponseErrorcontent shall include, in thecodeproperty, the contentBAD_SIGNATURE.Errors in validating the signed messages received by the client application (eg payment initiator) must be logged and the
Resource Provider(eg account holding institution) must be notified.
The receiver shall validate the consistency of the JWS message's digital signature exclusively based on the information obtained from the directory, that is, based on the keys published in the institution's JWKS in the directory.
Signatures must be performed using the digital signature certificate specified in the Open Finance Brazil Certificates Standard;
the iat claim must be numeric in Unix Time format GMT+0 with a tolerance of +/- 60 seconds;
the jti claim must be unique for a clientId within a time frame of 86,400 seconds (24h), and cannot be reused within this period. In case of reuse, the HTTP error code 403 shall be return. Any other case must follow RFC 6749 instructions in item 5.2.
...