Comparação de Páginas

Foreword

Este documento também está disponível em português

...

These parts are intended to be used with RFC6749, RFC6750, RFC7636, OIDC, FAPI-1-Baseline and FAPI-1-Advanced

Introduction

The Financial-grade API Standard provides a profile for OAuth 2.0 suitable for use in financial services. The standard OAuth method for the client to send the resource owner to the authorization server is to use an HTTP redirect. Parts 1 and 2 of this specification support this interaction model and are suitable for use cases where the resource owner is interacting with the client on a device they control that has a web browser. There are however many use-cases for initiating payments where the resource owner is not interacting with the client in such a manner. For example, the resource owner may want to authorize a payment at a "point of sale" terminal at a shop or fuel station.

...

Although it is possible to code an OpenID Provider and Relying Party from first principles using this specification, the main audience for this specification is parties who already have a certified implementation of Financial-grade API: Client Initiated Backchannel Authentication Profile and want to achieve certification for the Brasil Open Finance programme.

Notational Conventions

The key words "shall", "shall not", "should", "should not", "may", and "can" in this document are to be interpreted as described in ISO Directive Part 2. These key words are not used as dictionary terms such that any occurrence of them shall be interpreted as key words and are not to be interpreted with their natural language meanings.

1. Scope

This document specifies the method of

...

This document is applicable to all participants engaging in Open Finance in Brasil.

2. Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applied. For undated references, the latest edition of the referenced document (including any amendments) applies.

...

RFC4648 - The Base16, Base32, and Base64 Data Encodings

3. Terms and definitions

For the purpose of this document, the terms defined in RFC6749, RFC6750, RFC7636, OpenID Connect Core, CIBA and ISO29100 apply.

4. Symbols and Abbreviated terms

API - Application Programming Interface

...

MFA - Multi-Factor Authentication

5. Brasil Open Banking Security Profile

5.1. Introduction

The Brasil Open Finance Security profile specifies additional security and identity requirements for high risk API resources protected by the OAuth 2.0 Authorization Framework that consists of RFC6749, RFC6750, RFC7636, FAPI-1-Baseline, FAPI-1-Advanced, FAPI-CIBA and other specifications.

...

• the requirement to convey the Authentication Context Request that was performed by an OpenID Provider to a Client to enable appropriate client management of customer conduct risk.

• the requirement for clients to assert a pre-existing customer relationship by asserting a customer identity claim as part of the CIBA flow.

5.2. Open Banking Brasil CIBA Security provisions

5.2.1. Introduction

Open Finance Brasil has a requirement to adopt Client Initiated Back Channel Authentication as a means of enabling decoupled authentication work flows. In addition this profile describes the specific scope, acr and client management requirements necessary to support the wider Open Finance Brasil ecosystem.

As a profile of the OAuth 2.0 Authorization Framework, this document mandates the following for the Brasil Open Finance Security profile.

5.2.2. Authorization server

The Authorization Server shall support the provisions specified in clause 5.2.2 of Financial-grade API CIBA Security Profile 1.0

...

1. shall distribute discovery metadata (such as the authorization endpoint) via the metadata document as specified in OIDD and [RFC8414]

2. shall support the claims parameter as defined in clause 5.5 OpenID Connect Core

3. shall support the oidc standard claim "cpf" as defined in clause 5.2.2.2 of [FAPI-BR]

4. shall support the oidc standard claim "cnpj" as defined in clause 5.2.2.3 of [FAPI-BR] if providing access to resources where the resource owner is not a natural person

5. shall support the acr "urn:brasil:openbanking:loa2" as defined in clause 5.2.2.4 of FAPI-BR

6. should support the acr "urn:brasil:openbanking:loa3" as defined in clause 5.2.2.4 of [FAPI-BR]]

7. shall implement the userinfo endpoint as defined in clause 5.3 OpenID Connect Core

8. shall support parameterized OAuth 2.0 resource scope consent as defined in clause 6.3.1 OIDF FAPI WG Lodging Intent Pattern

9. shall support refresh tokens

10. shall issue access tokens with an expiry no greater than 900 seconds and no less than 300 seconds

11. shall always include an acr claim in the id_token

12. shall require the Signed Authentication Request to contain nbf and exp claims that limit the lifetime of the request to no more than 10 minutes

13. shall issue ciba auth request acknowledgements with a minimum expiry of 6 minutes;

14. The acceptance time of consent on the Authorization request received via CIBA shall remain the same as defined for the flow via Hybrid Flow, of 5 minutes;

15. The id_token shall have a minimum expiration of 180 days;

16. The id_token shall be used in the authorization call through the "id_token_hint" parameter

17. The "poll mode" shall be the only mode used to obtain a token for the payment sending via the bc-authorize endpoint.

18. The cancellation of the id_token shall be carried out by the account holder institution in cases of fraud or for security reasons.

19. Error table “HTTP 400 Bad Request”:

...

20. shall issue ciba auth request acknowledgements (response of the consultation of auth_req_id) with a maximum expiry of 5 minutes;

21. Payload validation

...

5.2.3. Confidential client

In addition, the confidential client

1. shall support parameterized OAuth 2.0 resource scope consent as defined in clause 6.3.1 OIDF FAPI WG Lodging Intent Pattern

2. shall support refresh tokens

5.2.4. Resource Owner identity hint mechanisms

5.2.4.1. Introduction

As described in FAPI-CIBA, there are many mechanisms that can be used to convey a Resource Owners identity from the Consumption Device to the Authorization Server however in call cases this identity attestation must be treated as a hint only. There are naturally limitations on the types of id hints that can be captured by the consumption device based on the input and output contraints of the device being used. In addition to input and output challenges, there are several key privacy and security conerns that must be evaluated when defining id conveyance processes. This profile defines several login hint types that must be supported by authorisation servers.

FAPI-CIBA requires requests to be signed, there is no requirement in Brazil to additionally sign these hints as they are all asserted by the Client.

5.2.4.1.1. Authorisation Server Generated - Login Hint Token

This login hint can be used where it is not possible for the Resource Owner to provide a Login Hint to the Consumption Device or where the Resource Owner wishes to claim the authentication request by independently reaching out to the Authorisation Server out of band to claim this authentication request.

urn:brasil:openbanking:ciba:login-hint-token-type:as-generated

The use of a binding message is mandatory if this token type is to be leveraged.

5.2.4.1.1.1. Authorisation Server Generated - Login Hint Presentation

Presentation of the Authorisation Server Generated Token must be in the format of a JWE displayed as a QR Code with the following properties in the following way.

JWS Creation

1. The payload of signed messages (request JWT) shall include the following claims as defined at RFC7519:

• aud the Authorization Servers advertised issuer as per OIDD;

• iss the receiver of the message shall validate if the value of the iss field matches the clientId of the sender;

• jti the value of the jti field shall be filled with the UUID defined by the institution according to [RFC4122] version 4;

• iat the iat field shall be filled with the message generation time and according to the standard established in RFC7519 to the NumericDate format.

• *exp the exp field shall be filled with the message expiry time and according to the standard established in RFC7519 to the NumericDate format with an maximum value not greater than 5 minutes;

• auth_request_id the authentication request id returned from the Authorisation Server CIBA requst.

2. The JOSE header must contain the following attributes:

   • alg - shall be filled with the value PS256";

   • kid - shall be filled with the key identifier value used for the signature listed on the software statement keystore on the Open Finance Brasil Directory of Participants;

   • typ - shall be filled with the value cibabr+jwt.

JWE Creation

1. The JOSE header must contain the following attributes:

   • alg - shall be filled with the value RSA-OAEP";

   • enc - shall be filled with the value A256GCM";

   • kid - shall be filled with the encryption key identifier kid value used to encrypt the JWE with the encryption key advertised on the authorisation servers jwks endpoint;

   • cty - shall be filled with the value JWT.

5.2.4.1.2. Authentication Device Generated - Login Hint Token

This login hint token should be used when Client has requested a unique identifier be provided by the Resource Owner to the Consumption Device. It is recommended that this identifier be dynamic, time based, have sufficient entropy and short lived to prevent replay attacks.

{ "format": "urn:brasil:openbanking:ciba:login-hint-token-type:ad-generated", "id": "11112222333344445555" }

The use of a binding message is mandatory if this token type is to be leveraged.

5.2.4.1.2. Authentication Device Generated - Login Hint Token

This login hint token should be used when Client has requested a unique identifier be provided by the Resource Owner to the Consumption Device. It is recommended that this identifier be dynamic, time based, have sufficient entropy and short lived to prevent replay attacks.

{ "format": "urn:brasil:openbanking:ciba:login-hint-token-type:ad-generated", "id": "11112222333344445555" }

The use of a binding message is mandatory if this token type is to be leveraged.

6. Security considerations

Participants shall support all security considerations specified in all clauses and sub clauses of [FAPI-BR] and FAPI-CIBA

7. Data Sharing Considerations

Participants shall support all data sharing considerations specified in [FAPI-BR]

8. Registration and Discovery Metadata

OpenID Provider Metadata

The following authorization server metadata parameters are introduced by this specification for OPs publishing their support of the Brazil CIBA flow and details thereof.

• backchannel_endpoint_login_hint_token_types_supported: REQUIRED. 

  • JSON array containing one or more of the following values:

    • urn:brasil:openbanking:ciba:login-hint-token-type:cpf,

    • urn:brasil:openbanking:ciba:login-hint-token-type:ephemeral or urn:brasil:openbanking:ciba:login-hint-token-type:credit-proposition.

    • urn:brasil:openbanking:ciba:login-hint-token-type:id-token.

9. Acknowledgements

With thanks to all who have set the foundations for secure and safe data sharing through the formation of the OpenID Foundation FAPI Working Group, the Open Finance Brasil GT Security and to the pioneers who will stand on their shoulders.

...

• Gustavo Cunha (Banco do Brasil)

• Karina Cabral (Mercado Pago)

• Nic Marcondes (Quanto)

• Ralph Bragg (Raidiam)

Appendix A. Notices

Copyright (c) 2023 Open Finance Brasil Initial Structure.

...

The technology described in this specification was made available from contributions from various sources, including members of the OpenID Foundation, the Open Finance Brasil GT Security Working Group and others. Although the Open Finance Brasil Initial Structure has taken steps to help ensure that the technology is available for distribution, it takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this specification or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any independent effort to identify any such rights. The Open Finance Brasil Initial Structure and the contributors to this specification make no (and hereby expressly disclaim any) warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to this specification, and the entire risk as to implementing this specification is assumed by the implementer. The Open Finance Brasil Intellectual Property Rights policy requires contributors to offer a patent promise not to assert certain patent claims against other contributors and against implementers. The Open Finance Brasil Initial Structure invites any interested party to bring to its attention any copyrights, patents, patent applications, or other proprietary rights that may cover technology that may be required to practice this specification.

Author's Address

OFBIS GT Security

Open Finance Brasil Initial Structure

...