...

  1. shall perform client authentication using private_key_jwt;

  2. shall require the use of pushed authorization requests (PAR);

  3. shall distribute discovery metadata (such as the authorization endpoint) via the metadata document as specified in OIDD and [RFC8414] (".well-known");

  4. shall support the claims parameter as defined in clause 5.5 OpenID Connect Core;

  5. shall support the acr "urn:brasil:openbanking:loa2" as defined in section 5.2.2.3;

  6. should support the acr "urn:brasil:openbanking:loa3" as defined in section 5.2.2.3;

  7. shall implement the userinfo endpoint as defined in clause 5.3 OpenID Connect Core;

  8. shall support parameterized OAuth 2.0 resource scope consent as defined in clause 6.3.1 OIDF FAPI WG Lodging Intent Pattern;

  9. may support Financial-grade API: Client Initiated Backchannel Authentication Profile;

  10. (withdrawn temporarily);

  11. shall support refresh tokens;

  12. shall issue access tokens with an expiry no greater than 900 seconds and no less than 300 seconds;

  13. shall always include an acr claim in the id_token;

  14. shall support the response_type value code id_token;

  15. shall not allow refresh token rotation;

  16. shall ensure that, in case of sharing the Authorization Server for other services, in addition to Open Finance, it does not disclose and/or allow the use of non-certified methods in the Open Finance environment;

  17. shall ensure that the settings disclosed to other participants through OpenID Discovery (indicated by the Well-Known file registered in the Directory) are restricted to the operating modes to which the institution has certified;

    1. shall keep in its settings the methods for which there are still active clients;

    2. shall update the records that use non-certified methods, through bilateral treatment between the institutions involved;

  18. shall refuse requests, for the Open Finance environment, that are outside the modes of operation to which the institution has certified its Authorization Server;

  19. the minimum expiration time of request_uri must be 60 seconds;

  20. shall deny all requests without header x-fapi-interaction-id on FAPI protected resources endpoints;

  21. must require the use of Proof Key for Code Exchange (PKCE);

  22. must require the use of subject_type “public”;

  23. must require the use of response_mode “fragment”;

  24. shall issue exclusively opaque refresh_tokens with no associated expiration date;
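Added example (not part of the profile text or any institution's code): a Python check that reads an authorization server's discovery metadata and reports which of the metadata-visible items above (1, 2, 4, 5, 7, 14, 17, 21, 22, 23) are not met, plus lifetime checks for items 12 and 19. The issuer and metadata values are constructed; the item 21 check assumes S256 as the PKCE method, which the list does not name.

```python
import json

# Constructed sample of an authorization server's discovery metadata (RFC 8414 /
# OpenID Discovery). Hypothetical issuer; not a real institution's document.
SAMPLE_METADATA = json.loads("""{
  "issuer": "https://as.example.invalid",
  "userinfo_endpoint": "https://as.example.invalid/userinfo",
  "pushed_authorization_request_endpoint": "https://as.example.invalid/par",
  "require_pushed_authorization_requests": true,
  "token_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic"],
  "acr_values_supported": ["urn:brasil:openbanking:loa2"],
  "response_types_supported": ["code id_token"],
  "response_modes_supported": ["fragment"],
  "code_challenge_methods_supported": ["S256"],
  "subject_types_supported": ["public"],
  "claims_parameter_supported": true
}""")

def check_metadata(md):
    """Return (item, problem) findings for the requirements that are visible in
    the metadata document. S256 is assumed as the PKCE method for item 21."""
    f = []
    def need(cond, item, msg):
        if not cond:
            f.append((item, msg))
    methods = set(md.get("token_endpoint_auth_methods_supported", []))
    need("private_key_jwt" in methods, 1, "private_key_jwt not offered")
    # Item 17: advertised settings must be limited to certified modes, so any
    # extra client authentication method is reported for review.
    need(methods <= {"private_key_jwt"}, 17,
         "extra auth methods advertised: " + ",".join(sorted(methods - {"private_key_jwt"})))
    need(md.get("require_pushed_authorization_requests") is True
         and "pushed_authorization_request_endpoint" in md, 2, "PAR not required")
    need(md.get("claims_parameter_supported") is True, 4, "claims parameter unsupported")
    need("urn:brasil:openbanking:loa2" in md.get("acr_values_supported", []), 5, "loa2 acr missing")
    need("userinfo_endpoint" in md, 7, "userinfo endpoint missing")
    need("code id_token" in md.get("response_types_supported", []), 14, "response_type code id_token missing")
    need("S256" in md.get("code_challenge_methods_supported", []), 21, "PKCE (S256) missing")
    need("public" in md.get("subject_types_supported", []), 22, "subject_type public missing")
    need("fragment" in md.get("response_modes_supported", []), 23, "response_mode fragment missing")
    return f

def access_token_lifetime_ok(expires_in):
    """Item 12: access token expiry between 300 and 900 seconds inclusive."""
    return 300 <= int(expires_in) <= 900

def request_uri_lifetime_ok(par_expires_in):
    """Item 19: the request_uri returned by the PAR endpoint must live at least 60 seconds."""
    return int(par_expires_in) >= 60
```

Running `check_metadata(SAMPLE_METADATA)` on the constructed document reports only the extra client_secret_basic method under item 17; an empty document fails every metadata check.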

5.2.2.1. ID Token as detached signature

...