...
This document is also available in Portuguese
The Open Finance Brasil Initial Structure is responsible for creating the standards and specifications necessary to meet the requirements and obligations of the Brasil Open Finance Legislation as originally outlined by the Brasil Central Bank. There is a possibility that some of the elements of this document may be subject to patent rights. OFBIS shall not be held responsible for identifying any or all such patent rights.
...
shall distribute discovery metadata (such as the authorization endpoint) via the metadata document as specified in OIDD and [RFC8414]
shall support the claims parameter as defined in clause 5.5 of OpenID Connect Core
shall support the oidc standard claim "cpf" as defined in clause 5.2.2.2 of [FAPI-BR]
shall support the oidc standard claim "cnpj" as defined in clause 5.2.2.3 of [FAPI-BR] if providing access to resources where the resource owner is not a natural person
shall support the acr "urn:brasil:openbanking:loa2" as defined in clause 5.2.2.4 of [FAPI-BR]
should support the acr "urn:brasil:openbanking:loa3" as defined in clause 5.2.2.4 of [FAPI-BR]
shall implement the userinfo endpoint as defined in clause 5.3 of OpenID Connect Core
shall support parameterized OAuth 2.0 resource scope consent as defined in clause 6.3.1 of the OIDF FAPI WG Lodging Intent Pattern
shall support refresh tokens
shall issue access tokens with an expiry no greater than 900 seconds and no less than 300 seconds
shall always include an acr claim in the id_token
shall require the Signed Authentication Request to contain nbf and exp claims that limit the lifetime of the request to no more than 10 minutes
shall issue ciba auth request acknowledgements with a minimum expiry of 6 minutes;
The time allowed for accepting the consent in an authorization request received via CIBA shall remain the same as defined for the Hybrid Flow: 5 minutes;
shall ensure that ‘exp’ in all issued id_tokens is at least 180 days from the time of issue;
The id_token shall be used in the authorization call through the "id_token_hint" parameter
shall support CIBA poll mode;
shall not support CIBA push mode;
shall not support CIBA ping mode;
The "poll mode" shall be the only mode used to obtain a token for sending a payment via the bc-authorize endpoint.
The revocation of the id_token shall be carried out by the account-holding institution in cases of fraud or for security reasons.
(to be added) The routine rotation of the signing keys for id_tokens SHALL NOT be a reason to reject a non-expired id_token signed with the older key. The authorization server should be prepared to use signing keys with validity periods similar to those of the id_token.
Error table “HTTP 400 Bad Request”:
invalid_request: The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, contains more than one of the hints, or is otherwise malformed.
invalid_scope: The requested scope is invalid, unknown, or malformed.
expired_id_token_hint: The id_token hint provided in the authentication request is not valid because it has expired.
unknown_user_id: The OpenID Provider is not able to identify which end-user the Client wishes to be authenticated by means of the hint provided in the request (id_token_hint).
unauthorized_client: The Client is not authorized to use this authentication flow.
invalid_id_token_hint: The id_token is invalid and cannot be used in the flow.
Shall issue ciba auth request acknowledgements (the response returned when the auth_req_id is polled) with a maximum expiry of 5 minutes, as defined for the Hybrid Flow;
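The request checks from the requirement list above, mapped onto the error codes of the "HTTP 400 Bad Request" table, as an added example in Python (not OFBIS code): it assumes the signed request object and the id_token_hint have already been signature-verified and decoded into claim dicts, that the registered client metadata carries the CIBA backchannel_token_delivery_mode field, and that the issuer URL and the set of known subjects are placeholders for the authorization server's own configuration and user store.

```python
import time

# Constructed values for this example; a real AS reads them from its configuration.
ISSUER = "https://auth.example-bank.test"   # hypothetical issuer identifier
MAX_REQUEST_LIFETIME = 10 * 60              # allowed nbf..exp window of the signed request, seconds
HINT_CLAIMS = ("login_hint", "login_hint_token", "id_token_hint")
REQUIRED_CLAIMS = ("client_id", "scope", "nbf", "exp")


def validate_ciba_request(req, hint, client, known_subjects, now=None):
    """Check a backchannel authentication request against the profile rules above.

    req:    claims of the signed request object (signature already verified).
    hint:   decoded claims of the id_token passed as id_token_hint, or None when it
            could not be parsed or its signature did not verify.
    client: registered client metadata for req["client_id"].
    Returns None when the request is acceptable, otherwise the HTTP 400 error code.
    """
    now = int(time.time()) if now is None else now
    # Only poll mode is permitted by this profile; a client registered for ping or
    # push is treated as not authorized for the flow (mapping chosen for this example).
    if client.get("backchannel_token_delivery_mode") != "poll":
        return "unauthorized_client"
    if any(claim not in req for claim in REQUIRED_CLAIMS):
        return "invalid_request"
    # Exactly one hint may be present, and this profile requires it to be id_token_hint.
    present = [claim for claim in HINT_CLAIMS if claim in req]
    if present != ["id_token_hint"]:
        return "invalid_request"
    # nbf/exp must bound the request lifetime to at most 10 minutes and cover "now".
    if req["exp"] - req["nbf"] > MAX_REQUEST_LIFETIME or not (req["nbf"] <= now < req["exp"]):
        return "invalid_request"
    if "openid" not in req["scope"].split():
        return "invalid_scope"
    if hint is None:
        return "invalid_id_token_hint"
    # The hint must be one of our own id_tokens, issued to this client.
    if hint.get("iss") != ISSUER or hint.get("aud") != req["client_id"]:
        return "invalid_id_token_hint"
    if hint.get("exp", 0) <= now:
        return "expired_id_token_hint"
    if hint.get("sub") not in known_subjects:
        return "unknown_user_id"
    return None
```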
Payload validation
...