...
shall support a signed and encrypted JWE request object passed by value or shall require pushed authorization requests (PAR);
shall distribute discovery metadata (such as the authorization endpoint) via the metadata document as specified in OIDD and [RFC8414] (".well-known");
shall support the claims parameter as defined in clause 5.5 OpenID Connect Core;
shall support the oidc standard claim "cpf" as defined in clause "sub" Claim clarifications of this document;
shall support the oidc standard claim "cnpj" as defined in clause Requesting the "cpf" Claim of this document if the institution provides accounts for legal person;
shall support the acr "urn:brasil:openbanking:loa2" as defined in clause Requesting the "cnpj" Claim of this document;
should support the acr "urn:brasil:openbanking:loa3" as defined in clause Requesting the "cnpj" Claim of this document;
shall implement the userinfo endpoint as defined in clause 5.3 OpenID Connect Core;
shall support parameterized OAuth 2.0 resource scope consent as defined in clause 6.3.1 OIDF FAPI WG Lodging Intent Pattern;
may support Financial-grade API: Client Initiated Backchannel Authentication Profile (withdrawn temporarily);
shall support refresh tokens;
shall issue access tokens with an expiry no greater than 900 seconds and no less than 300 seconds;
shall always include an acr claim in the id_token;
shall support the response_type value code id_token;
may support response_type value code in conjunction with the response_mode value jwt;
should offer the possibility to disable the rotation of refresh token;
;shall ensure that, in case of sharing the Authorization Server for other services, in addition to Open Finance, it does not disclose and/or allow the use of non-certified methods in the Open Finance environment;
shall ensure that the settings disclosed to other participants through OpenID Discovery (indicated by the Well-Known file registered in the Directory) are restricted to the operating modes to which the institution has certified;
shall keep in its settings the methods for which there are still active clients;
shall update the records that use non-certified methods, through bilateral treatment between the institutions involved;
shall refuse requests, for the Open Finance environment, that are outside the modes of operation to which the institution has certified its Authorization Server;
must refuse authentication requests that include an id_token_hint, as the id_token held by the requester may contain Personally Identifiable Information, which could be sent unencrypted by the public client;
the minimum expiration time of request_uri must be 60 seconds;
shall deny all requests without header x-fapi-interaction-id on FAPI endpoints;
...