Versions compared

...

In addition to the requirements outlined in the Open Finance Brasil security provisions, the Authorization Server:

  1. shall only issue access_tokens on presentation of a refresh_token when the consent resource the refresh token is bound to is active and with "AUTHORISED" status; (previous version of this item: "shall only issue refresh tokens when linked to an active and valid consent;")

    1. Must not issue refresh_token when consent status is "CONSUMED" (for phase 3);

    2. Must issue an access_token through the grant_type client credentials when consent status is "CONSUMED" (for phase 3).

  2. shall only share access to resources when presented with an access_token linked to an active and valid consent with the status "AUTHORISED". For tokens generated with the scope payments, the status of the consent will not be validated. (Previous version of this item: "linked to an active and valid consent;", followed by a sub-item 2.1 headed "In the Invalid Token Receive scenario", now reworded as sub-item 1 below.)

    1. In the scenario of receiving an invalid token, status code 401 should be returned.

  3. shall revoke refresh tokens and, where applicable, access tokens when the linked Consent Resource is deleted;

  4. shall ensure access tokens are issued with sufficient scope necessary for access to data specified in the Permission element of a linked Consent Resource object;

  5. shall not reject an authorisation request requesting scopes broader than those necessary to access data specified in the Permissions element of a linked Consent Resource object;

  6. may reduce requested scope to a level sufficient to enable access to data resources specified in the Permissions element of a linked Consent Resource object;

  7. shall retain a complete audit history of the consent resource in accordance with current Brazilian Central Bank regulation;

  8. shall return authentication failure and return code access_denied in the error parameter (as specified in section 4.1.2.1 of RFC 6749) if the CPF of the authenticated user is not the same as indicated in the loggedUser element of the Consent Resource Object;

  9. shall return authentication failure and return code access_denied in the error parameter (as specified in section 4.1.2.1 of RFC 6749) if the businessEntity element has not been populated in the related Consent Resource Object and the user has selected or authenticated by using a credential related to a business account;

  10. an authenticated or selected business account's CNPJ must match the value present in the businessEntity element of the Consent Resource Object. In case of divergence, the authorization server shall return authentication failure and return code access_denied in the error parameter (as specified in section 4.1.2.1 of RFC 6749);

  11. shall ensure the refresh_token expiration time is at least equal to the linked consent resource's expiration time.
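The consent checks above (items 1 to 2.1, 8 to 11), as an added worked example in Python that is not part of the profile text or any reference implementation: the Consent dataclass, its field names and the 403 for a non-AUTHORISED consent are assumptions; only the 401 for an invalid token and the access_denied error code come from the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed consent model; field names are assumptions, not the consent API schema.
@dataclass
class Consent:
    status: str                    # e.g. "AUTHORISED", "CONSUMED", "REJECTED"
    expires_at: datetime
    logged_user_cpf: str
    business_entity_cnpj: Optional[str] = None

def consent_is_active(consent: Consent, now: datetime) -> bool:
    return consent.status == "AUTHORISED" and consent.expires_at > now

def token_issuance(grant_type: str, consent: Consent, now: datetime) -> dict:
    """Items 1, 1.1 and 1.2: which tokens the token endpoint may issue."""
    if grant_type == "refresh_token":
        # Refresh grant only while the bound consent is active and AUTHORISED,
        # so a CONSUMED consent (phase 3) never yields a new refresh_token.
        if not consent_is_active(consent, now):
            return {"error": "invalid_grant"}
        return {"access_token": True, "refresh_token": True}
    if grant_type == "client_credentials":
        # Must still be issued once the consent is CONSUMED; never a refresh_token.
        return {"access_token": True, "refresh_token": False}
    return {"error": "unsupported_grant_type"}

def refresh_token_expiry(consent: Consent, now: datetime, lifetime: timedelta) -> datetime:
    """Item 11: the refresh_token must not expire before the consent does."""
    return max(now + lifetime, consent.expires_at)

def user_binding_error(consent: Consent, cpf: str, cnpj: Optional[str]) -> Optional[str]:
    """Items 8 to 10: 'access_denied' (RFC 6749 section 4.1.2.1) or None when the user matches."""
    if cpf != consent.logged_user_cpf:
        return "access_denied"                      # item 8: CPF differs from loggedUser
    if cnpj is not None:                            # a business credential was used
        if consent.business_entity_cnpj is None:
            return "access_denied"                  # item 9: businessEntity not populated
        if cnpj != consent.business_entity_cnpj:
            return "access_denied"                  # item 10: CNPJ divergence
    return None

def resource_access(token_valid: bool, scope: str, consent: Consent, now: datetime) -> int:
    """Items 2 and 2.1: 401 for an invalid token is from the text; 403 for an inactive consent is an assumption."""
    if not token_valid:
        return 401
    if scope == "payments" or consent_is_active(consent, now):  # payments: status not validated
        return 200
    return 403
```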

...