...

  1. shall support a signed and encrypted JWE request object passed by value, or shall require pushed authorization requests (PAR);

  2. shall distribute discovery metadata (such as the authorization endpoint) via the metadata document as specified in OIDD and [RFC8414] (".well-known");

  3. shall support the claims parameter as defined in clause 5.5 OpenID Connect Core;

  4. shall support the OIDC standard claim "cpf" as defined in clause "sub" Claim clarifications of this document;

  5. shall support the OIDC standard claim "cnpj" as defined in clause Requesting the "cpf" Claim of this document if the institution provides accounts for legal persons;

  6. shall support the acr "urn:brasil:openbanking:loa2" as defined in clause Requesting the "cnpj" Claim of this document;

  7. should support the acr "urn:brasil:openbanking:loa3" as defined in clause Requesting the "cnpj" Claim of this document;

  8. shall implement the userinfo endpoint as defined in clause 5.3 OpenID Connect Core;

  9. shall support parameterized OAuth 2.0 resource scope consent as defined in clause 6.3.1 OIDF FAPI WG Lodging Intent Pattern;

  10. may support Financial-grade API: Client Initiated Backchannel Authentication Profile;

  11. (withdrawn temporarily);

  12. shall support refresh tokens;

  13. shall issue access tokens with an expiry no greater than 900 seconds and no less than 300 seconds;

  14. shall always include an acr claim in the id_token;

  15. shall support the response_type value code id_token;

  16. may support response_type value code in conjunction with the response_mode value jwt;

  17. should offer the possibility to disable the rotation of refresh token;

  18. shall ensure that, in case of sharing the Authorization Server for other services, in addition to Open Finance, it does not disclose and/or allow the use of non-certified methods in the Open Finance environment;

  19. shall ensure that the settings disclosed to other participants through OpenID Discovery (indicated by the Well-Known file registered in the Directory) are restricted to the operating modes to which the institution has certified;

    1. shall keep in its settings the methods for which there are still active clients;

    2. shall update the records that use non-certified methods, through bilateral treatment between the institutions involved;

  20. shall refuse requests, for the Open Finance environment, that are outside the modes of operation to which the institution has certified its Authorization Server;

  21. must refuse authentication requests that include an id_token_hint, as the id_token held by the requester may contain Personally Identifiable Information, which could be sent unencrypted by the public client;

  22. the minimum expiration time of request_uri must be 60 seconds;

  23. shall deny all requests without header x-fapi-interaction-id on FAPI endpoints;
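As an added example that is not part of the compared page or of the Open Finance Brasil specification, the following Python check runs a subset of the requirements above (items 1, 3, 4, 6, 13, 15, 19 and 22) against a constructed OpenID discovery document; the sample issuer URLs and the set of certified client-authentication methods are assumptions standing in for what the Directory would hold.

```python
"""Spot-check an authorization server's discovery metadata and token lifetimes."""

# Constructed sample discovery document (not a real institution's metadata).
SAMPLE_DOC = {
    "issuer": "https://auth.example-bank.test",
    "authorization_endpoint": "https://auth.example-bank.test/authorize",
    "pushed_authorization_request_endpoint": "https://auth.example-bank.test/par",
    "response_types_supported": ["code id_token", "code"],
    "response_modes_supported": ["fragment", "jwt"],
    "claims_parameter_supported": True,
    "claims_supported": ["sub", "cpf", "cnpj"],
    "acr_values_supported": ["urn:brasil:openbanking:loa2"],
    "token_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_post"],
}

# Assumed: the client-authentication methods this institution certified for.
CERTIFIED_AUTH_METHODS = {"private_key_jwt", "tls_client_auth"}


def check_discovery(doc: dict, certified_methods: set) -> list:
    """Return the requirement violations visible in a discovery document."""
    findings = []
    has_jwe_by_value = doc.get("request_parameter_supported") and \
        doc.get("request_object_encryption_alg_values_supported")
    if not (has_jwe_by_value or "pushed_authorization_request_endpoint" in doc):
        findings.append("req 1: neither encrypted request object by value nor PAR offered")
    if not doc.get("claims_parameter_supported"):
        findings.append("req 3: claims parameter not supported")
    if "cpf" not in doc.get("claims_supported", []):
        findings.append("req 4: 'cpf' claim not advertised")
    if "urn:brasil:openbanking:loa2" not in doc.get("acr_values_supported", []):
        findings.append("req 6: acr urn:brasil:openbanking:loa2 not advertised")
    if "code id_token" not in doc.get("response_types_supported", []):
        findings.append("req 15: response_type 'code id_token' not supported")
    # Req 19: disclosed methods must be a subset of the certified ones.
    extra = set(doc.get("token_endpoint_auth_methods_supported", [])) - certified_methods
    if extra:
        findings.append(f"req 19: non-certified client auth methods disclosed: {sorted(extra)}")
    return findings


def check_access_token_lifetime(expires_in: int) -> bool:
    """Req 13: access token expiry between 300 and 900 seconds inclusive."""
    return 300 <= expires_in <= 900


def check_request_uri_lifetime(expires_in: int) -> bool:
    """Req 22: a request_uri must remain valid for at least 60 seconds."""
    return expires_in >= 60


def run_sample() -> list:
    """Evaluate the constructed document against the assumed certified methods."""
    return check_discovery(SAMPLE_DOC, CERTIFIED_AUTH_METHODS)
```

Running `run_sample()` on the constructed document reports only the `client_secret_post` method as a requirement 19 violation; the remaining advertised settings satisfy the checked items.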

...