...
shall distribute discovery metadata (such as the authorization endpoint) via the metadata document as specified in OIDD and [RFC8414]
shall support the claims parameter as defined in clause 5.5 OpenID Connect Core
shall support the oidc standard claim "cpf" as defined in clause 5.2.2.2 of [FAPI-BR]
shall support the oidc standard claim "cnpj" as defined in clause 5.2.2.3 of [FAPI-BR] if providing access to resources where the resource owner is not a natural person
shall support the acr "urn:brasil:openbanking:loa2" as defined in clause 5.2.2.4 of [FAPI-BR]
should support the acr "urn:brasil:openbanking:loa3" as defined in clause 5.2.2.4 of [FAPI-BR]
shall implement the userinfo endpoint as defined in clause 5.3 OpenID Connect Core
shall support parameterized OAuth 2.0 resource scope consent as defined in clause 6.3.1 OIDF FAPI WG Lodging Intent Pattern
shall support refresh tokens
shall issue access tokens with an expiry no greater than 900 seconds and no less than 300 seconds
shall always include an acr claim in the id_token
shall require the Signed Authentication Request to contain nbf and exp claims that limit the lifetime of the request to no more than 10 minutes
shall issue ciba auth request acknowledgements with a minimum expiry of 6 minutes;
The acceptance time of consent on the Authorization request received via CIBA shall remain the same as defined for the flow via Hybrid Flow, of 5 minutes;
The id_token shall have a minimum expiration of 180 days;
The id_token shall be used in the authorization call through the "id_token_hint" parameter
The "poll mode" shall be the only mode used to obtain a token for sending a payment via the bc-authorize endpoint.
The cancellation of the id_token shall be carried out by the account holder institution in cases of fraud or for security reasons.
Error table “HTTP 400 Bad Request”:
...
5.2.4.1.1. Authorisation Server Generated - Login Hint Token
This login hint can be used where it is not possible for the Resource Owner to provide a Login Hint to the Consumption Device or where the Resource Owner wishes to claim the authentication request by independently reaching out to the Authorisation Server out of band to claim this authentication request.
urn:brasil:openbanking:ciba:login-hint-token-type:as-generated
The use of a binding message is mandatory if this token type is to be leveraged.
...
aud - the Authorization Server's advertised issuer as per OIDD;
iss - the receiver of the message shall validate that the value of the iss field matches the clientId of the sender;
jti - the value of the jti field shall be filled with the UUID defined by the institution according to [RFC4122] version 4;
iat - the iat field shall be filled with the message generation time, according to the standard established in RFC7519, in the NumericDate format;
exp - the exp field shall be filled with the message expiry time, according to the standard established in RFC7519, in the NumericDate format, with a maximum value not greater than 5 minutes;
auth_request_id - the authentication request id returned from the Authorisation Server CIBA request.
The JOSE header must contain the following attributes:
alg - shall be filled with the value "PS256";
kid - shall be filled with the key identifier value used for the signature, listed on the software statement keystore on the Open Finance Brasil Directory of Participants;
typ - shall be filled with the value "cibabr+jwt".
JWE Creation
The JOSE header must contain the following attributes:
alg - shall be filled with the value "RSA-OAEP";
enc - shall be filled with the value "A256GCM";
kid - shall be filled with the encryption key identifier (kid) value used to encrypt the JWE, with the encryption key advertised on the authorisation server's jwks endpoint;
cty - shall be filled with the value "JWT".
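As an added example (not code from the specification or any participant), a receiver-side check of the decoded claim set and of the JWS and JWE headers against the rules above; the clientId, issuer URL and sample claim values are constructed, and the check runs on already-decoded JSON objects, so signature verification and decryption are assumed to happen before it.

```python
import time
import uuid

# Limits and required values are taken from the rules above; sample data below is constructed.
MAX_LIFETIME_SECONDS = 5 * 60
REQUIRED_JWS_HEADER = {"alg": "PS256", "typ": "cibabr+jwt"}
REQUIRED_JWE_HEADER = {"alg": "RSA-OAEP", "enc": "A256GCM", "cty": "JWT"}


def validate_jose_header(header, encrypted=False):
    """Check the JWS header (or, with encrypted=True, the JWE header); returns a list of problems."""
    required = REQUIRED_JWE_HEADER if encrypted else REQUIRED_JWS_HEADER
    problems = [f"{k} must be {v!r}" for k, v in required.items() if header.get(k) != v]
    if not header.get("kid"):
        problems.append("kid is required")
    return problems


def validate_claims(claims, sender_client_id, as_issuer, now=None):
    """Receiver-side checks on the decoded claim set; an empty list means the token is acceptable."""
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("aud") != as_issuer:
        problems.append("aud must be the Authorization Server's issuer")
    if claims.get("iss") != sender_client_id:
        problems.append("iss must match the sender's clientId")
    try:  # jti must be an RFC 4122 version 4 UUID
        if uuid.UUID(str(claims.get("jti"))).version != 4:
            problems.append("jti must be a version 4 UUID")
    except ValueError:
        problems.append("jti must be a UUID")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        problems.append("iat and exp must be NumericDate integers")
    else:
        if exp <= iat:
            problems.append("exp must be after iat")
        if exp - iat > MAX_LIFETIME_SECONDS:
            problems.append("lifetime exceeds 5 minutes")
        if now >= exp:
            problems.append("token has expired")
    if not claims.get("auth_request_id"):
        problems.append("auth_request_id is required")
    return problems


# Constructed sample claim set (240-second lifetime) for a CIBA request the AS has already acknowledged.
SAMPLE_CLAIMS = {"aud": "https://as.example.com/", "iss": "client-123", "iat": 1700000000,
                 "exp": 1700000240, "jti": "9b2f6a1e-4c3d-4e5f-8a6b-1c2d3e4f5a6b",
                 "auth_request_id": "constructed-auth-req-id"}
```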
5.2.4.1.2. Authentication Device Generated - Login Hint Token
This login hint token should be used when the Client has requested that a unique identifier be provided by the Resource Owner to the Consumption Device. It is recommended that this identifier be dynamic, time based, have sufficient entropy and be short lived, to prevent replay attacks.
{
  "format": "urn:brasil:openbanking:ciba:login-hint-token-type:ad-generated",
  "id": "11112222333344445555"
}
The use of a binding message is mandatory if this token type is to be leveraged.
...