...
shall perform client authentication using private_key_jwt;
shall require requests of the type "pushed authorization requests" PAR;
shall distribute discovery metadata (such as the authorization endpoint) via the metadata document as specified in OIDD and [RFC8414] (".well-known");
shall support the claims parameter as defined in clause 5.5 OpenID Connect Core;
shall support the acr "urn:brasil:openbanking:loa2" as defined in section 5.2.2.3;
should support the acr "urn:brasil:openbanking:loa3" as defined in section 5.2.2.3;
shall implement the userinfo endpoint as defined in clause 5.3 OpenID Connect Core;
shall support parameterized OAuth 2.0 resource scope consent as defined in clause 6.3.1 OIDF FAPI WG Lodging Intent Pattern;
may support Financial-grade API: Client Initiated Backchannel Authentication Profile;
(withdrawn temporarily);
shall support refresh tokens;
shall issue access tokens with an expiry no greater than 900 seconds and no less than 300 seconds;
shall always include an acr claim in the id_token;
shall support the response_type value code id_token;
shall not allow refresh token rotation;
shall ensure that, where the Authorization Server is shared with services other than Open Finance, it neither discloses nor allows the use of non-certified methods in the Open Finance environment;
shall ensure that the settings disclosed to other participants through OpenID Discovery (indicated by the Well-Known file registered in the Directory) are restricted to the operating modes for which the institution has certified;
shall keep in its settings the methods for which there are still active clients;
shall update the client records that use non-certified methods, by bilateral arrangement between the institutions involved;
shall refuse requests, for the Open Finance environment, that are outside the modes of operation for which the institution has certified its Authorization Server;
shall set the expiration time of a request_uri to no less than 60 seconds;
shall deny all requests to FAPI endpoints that lack the x-fapi-interaction-id header;
shall require the use of Proof Key for Code Exchange (PKCE);
shall require the use of subject_type "public";
shall require the use of response_mode "fragment";
shall issue exclusively opaque refresh_tokens with no associated expiration date;
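As an added example (not part of the profile text or any certification tooling), the script below turns the requirements above into checks that can be run against an Authorization Server's discovery document, a token response and a PAR response. The discovery document, token response and PAR response are constructed sample data; the set of "certified" client authentication methods is an assumed input that a deployment would take from its own certification record; S256 is assumed as the PKCE code_challenge_method (the list above only says PKCE); and `refresh_token_expires_in` is a non-standard parameter some servers emit, assumed here as the signal that a refresh token carries an expiration.

```python
"""Conformance checks for the Authorization Server requirements listed above.

Added example; all sample data below is constructed, and the certified method
set, the S256 assumption and the refresh_token_expires_in signal are assumptions.
"""
import base64
import json

LOA2 = "urn:brasil:openbanking:loa2"
LOA3 = "urn:brasil:openbanking:loa3"

# Constructed discovery document (what /.well-known/openid-configuration would serve).
# It deliberately advertises tls_client_auth, which the sample institution has not certified.
SAMPLE_METADATA = json.loads("""{
  "issuer": "https://as.example.bank",
  "authorization_endpoint": "https://as.example.bank/authorize",
  "token_endpoint": "https://as.example.bank/token",
  "userinfo_endpoint": "https://as.example.bank/userinfo",
  "pushed_authorization_request_endpoint": "https://as.example.bank/par",
  "require_pushed_authorization_requests": true,
  "token_endpoint_auth_methods_supported": ["private_key_jwt", "tls_client_auth"],
  "response_types_supported": ["code id_token"],
  "response_modes_supported": ["fragment"],
  "subject_types_supported": ["public"],
  "code_challenge_methods_supported": ["S256"],
  "claims_parameter_supported": true,
  "acr_values_supported": ["urn:brasil:openbanking:loa2"]
}""")

# Constructed token endpoint response; expires_in is the access token lifetime in seconds.
SAMPLE_TOKEN_RESPONSE = {
    "access_token": "at-7c1e2b9d4f",
    "token_type": "Bearer",
    "expires_in": 600,
    "refresh_token": "rt-4e1d0c9a8b7f6e5d",
}

# Constructed PAR endpoint response; expires_in is the request_uri lifetime in seconds.
SAMPLE_PAR_RESPONSE = {"request_uri": "urn:example:request_uri:6esc11ACC5", "expires_in": 90}


def looks_like_jwt(token):
    """True if token is a JWS/JWE compact serialization, i.e. not opaque:
    its first segment is base64url JSON carrying an 'alg' member."""
    parts = token.split(".")
    if len(parts) not in (3, 5):
        return False
    try:
        header = base64.urlsafe_b64decode(parts[0] + "=" * (-len(parts[0]) % 4))
        decoded = json.loads(header)
        return isinstance(decoded, dict) and "alg" in decoded
    except (ValueError, TypeError):
        return False


def check_metadata(md, certified_auth_methods):
    """Check a discovery document. certified_auth_methods is the set of client
    authentication methods the institution has certified (assumed input).
    Returns a list of (level, message) where level is "MUST" or "SHOULD"."""
    f = []
    auth = md.get("token_endpoint_auth_methods_supported", [])
    if "private_key_jwt" not in auth:
        f.append(("MUST", "token_endpoint_auth_methods_supported lacks private_key_jwt"))
    extra = sorted(set(auth) - set(certified_auth_methods))
    if extra:  # the well-known must only disclose certified operating modes
        f.append(("MUST", "advertises non-certified client authentication methods: " + ", ".join(extra)))
    if not md.get("require_pushed_authorization_requests") or "pushed_authorization_request_endpoint" not in md:
        f.append(("MUST", "PAR is not required or no pushed_authorization_request_endpoint is published"))
    for ep in ("authorization_endpoint", "userinfo_endpoint"):
        if ep not in md:
            f.append(("MUST", f"{ep} missing from discovery document"))
    if not md.get("claims_parameter_supported"):
        f.append(("MUST", "claims parameter not supported"))
    acrs = md.get("acr_values_supported", [])
    if LOA2 not in acrs:
        f.append(("MUST", f"acr {LOA2} not supported"))
    if LOA3 not in acrs:
        f.append(("SHOULD", f"acr {LOA3} not supported"))
    if "code id_token" not in md.get("response_types_supported", []):
        f.append(("MUST", "response_type 'code id_token' not supported"))
    if md.get("subject_types_supported") != ["public"]:
        f.append(("MUST", 'subject_types_supported must be exactly ["public"]'))
    if md.get("response_modes_supported") != ["fragment"]:
        f.append(("MUST", 'response_modes_supported must be exactly ["fragment"]'))
    if "S256" not in md.get("code_challenge_methods_supported", []):
        f.append(("MUST", "PKCE with S256 not advertised (S256 assumed as the required method)"))
    return f


def check_token_response(resp):
    """Check access token lifetime bounds and refresh token opacity."""
    f = []
    ttl = resp.get("expires_in")
    if not isinstance(ttl, int) or not 300 <= ttl <= 900:
        f.append(("MUST", f"access token lifetime {ttl!r} outside 300..900 seconds"))
    rt = resp.get("refresh_token")
    if rt is None:
        f.append(("MUST", "no refresh token issued"))
    elif looks_like_jwt(rt):
        f.append(("MUST", "refresh token is a JWT, not opaque"))
    if "refresh_token_expires_in" in resp:  # assumed signal of a refresh token expiry
        f.append(("MUST", "refresh token carries an expiration date"))
    return f


def check_par_response(resp):
    """Check that the request_uri lifetime is at least 60 seconds."""
    ttl = resp.get("expires_in")
    if not isinstance(ttl, int) or ttl < 60:
        return [("MUST", f"request_uri lifetime {ttl!r} is below 60 seconds")]
    return []


if __name__ == "__main__":
    for level, msg in check_metadata(SAMPLE_METADATA, {"private_key_jwt"}):
        print(level, msg)
```

Run against the constructed document, the only hard failure is the advertised tls_client_auth method, which is exactly the case the requirements on shared Authorization Servers target: the well-known file must expose nothing beyond the certified modes, and the same set should drive the refusal of out-of-mode requests at runtime.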
5.2.2.1. ID Token as detached signature
...