
Foreword

This document is also available in Portuguese

The Open Finance Brasil Initial Structure is responsible for creating the standards and specifications necessary to meet the requirements and obligations of the Brasil Open Finance Legislation as originally outlined by the Brasil Central Bank. There is a possibility that some of the elements of this document may be subject to patent rights. OFBIS shall not be held responsible for identifying any or all such patent rights.

Open Finance Brasil Financial-grade API Security Profile 1.0 consists of the following parts:

These parts are intended to be used with RFC6749, RFC6750, RFC7636, OIDC, OIDR, RFC7591, RFC7592, FAPI-1-Baseline and FAPI-1-Advanced

...

  1. shall reject dynamic client registration requests not performed over a connection secured with mutual TLS using certificates issued by Brazil ICP (production) or the Directory of Participants (sandbox);

  2. shall validate that the request contains a software_statement JWT signed using the PS256 algorithm and issued by the Open Finance Brasil directory of participants;

  3. shall validate that the software_statement was issued (iat) not more than 5 minutes prior to the request being received;

  4. shall validate that the attribute jwks (key set by value) was not included; but declared as a reference in the jwks_uri attribute;

  5. shall, when informed, validate that jwks_uri matches the software_jwks_uri provided in the software_statement;

  6. shall require and validate that redirect_uris matches or is a subset of the software_redirect_uris provided in the software_statement;

  7. shall require and validate that all client authentication mechanisms adhere to the requirements defined in RFC7591 and RFC7592, validating the registration_access_token and, through a secure connection, the ICP-Brasil certificate chain;

  8. removed;

  9. shall validate that the requested scopes are adequate for accredited institutions and their regulatory roles and contained in the software_statement. The list of regulatory permissions and the corresponding scopes are described in the following sections;

  10. where possible, shall compare client metadata asserted by a client to the metadata provided in the software_statement, choosing values in the SSA with precedence;

  11. shall accept all x.500 AttributeType name strings defined in the Distinguished Name of the x.509 Certificate Profiles defined in Open Finance Brasil x.509 Certificate Standards;

  12. if supporting tls_client_auth client authentication mechanism as defined in RFC8705 shall only accept tls_client_auth_subject_dn as an indication of the certificate subject value as defined in clause 2.1.2 RFC8705;

  13. The value of the UID field of the certificate should match the one sent in the SSA: the UID field should contain the value of the software_id field of the SSA.

  14. The organizationIdentifier field (OID 2.5.4.97) is carried in the subject DN in ASN.1 form and must be decoded according to its string encoding into human-readable text. The decoded value of the certificate's organizationIdentifier must contain the Registration Reference prefix OFBBR- followed by the value of the org_id field of the SSA. For certificates issued before August 31, 2022: the value of the OR field of the certificate must contain the value of the org_id field of the SSA.

  15. shall, during the TLS handshake process, use the distinguishedNameMatch rule to compare the DN values as defined in RFC4517.

  16. shall ensure the integrity of the existing set of active consents, even after any systemic changes, so that such changes are transparent to the data receiver institutions (TPPs).

  17. shall perform a recertification on OIDF FAPI and DCR after any systemic changes.
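The checks in items 3 to 6, 9 and 10 above, written out as one validation function (an added example for this page, not Open Finance Brasil reference code). The PS256 signature check of item 2 is assumed to have been done before this point, so the function receives the already-verified SSA payload. The `ROLE_SCOPES` table, the `software_roles` claim name, the `SSA_PRECEDENCE` mapping, the 30-second clock-skew allowance and all sample data are assumptions made for the example; the certificate and DN checks of items 11 to 15 are not covered here.

```python
"""Check a DCR request body against the claims of its software_statement (SSA).
Added example for this page, not Open Finance Brasil reference code."""
import time

SSA_MAX_AGE = 5 * 60          # item 3: iat no more than five minutes before receipt
CLOCK_SKEW = 30               # assumption: tolerated skew for an iat slightly in the future

# Assumed mapping from the SSA's regulatory roles to the scopes they permit. The
# authoritative table is in the profile's later sections; this one is illustrative.
ROLE_SCOPES = {
    "DADOS": {"openid", "consents", "resources", "accounts", "credit-cards-accounts"},
    "PAGTO": {"openid", "consents", "payments"},
}

# Item 10: where client metadata and the SSA both carry a value, the SSA wins.
SSA_PRECEDENCE = {"software_client_name": "client_name", "software_jwks_uri": "jwks_uri",
                  "software_logo_uri": "logo_uri"}


class RegistrationError(ValueError):
    pass


def validate_registration(request, ssa, now=None):
    """Apply items 3-6, 9 and 10. `ssa` is the decoded payload of a software_statement
    whose PS256 signature has already been verified against the directory's keys
    (item 2); that step is outside this function. Returns the metadata to store."""
    now = time.time() if now is None else now
    errors = []

    iat = ssa.get("iat")
    if not isinstance(iat, (int, float)):
        errors.append("software_statement has no numeric iat")
    elif now - iat > SSA_MAX_AGE:
        errors.append("software_statement is stale (iat older than 5 minutes)")
    elif iat > now + CLOCK_SKEW:
        errors.append("software_statement iat is in the future")

    if "jwks" in request:                                      # item 4
        errors.append("jwks by value is not accepted; declare keys via jwks_uri")
    if "jwks_uri" not in request:
        errors.append("jwks_uri is required")
    elif request["jwks_uri"] != ssa.get("software_jwks_uri"):  # item 5
        errors.append("jwks_uri differs from software_jwks_uri in the SSA")

    redirects = set(request.get("redirect_uris") or [])        # item 6
    if not redirects or not redirects <= set(ssa.get("software_redirect_uris") or []):
        errors.append("redirect_uris missing or not a subset of software_redirect_uris")

    requested = set((request.get("scope") or "").split())      # item 9
    roles = ssa.get("software_roles") or []                    # assumed SSA claim name
    allowed = set().union(*(ROLE_SCOPES.get(r, set()) for r in roles))
    if not requested or not requested <= allowed:
        errors.append(f"scope {sorted(requested - allowed)} not permitted by roles {roles}")

    if errors:
        raise RegistrationError("; ".join(errors))

    metadata = dict(request)                                   # item 10
    for ssa_claim, key in SSA_PRECEDENCE.items():
        if ssa_claim in ssa:
            metadata[key] = ssa[ssa_claim]
    metadata["software_id"], metadata["org_id"] = ssa["software_id"], ssa["org_id"]
    return metadata


# Constructed sample request and SSA payload (no real participant data).
SAMPLE_SSA = {
    "iat": 1_700_000_000, "org_id": "0b4c2a1e-3d5f-4e6a-9b7c-8d9e0f1a2b3c",
    "software_id": "7f3e2a90-1b2c-4d5e-8f60-123456789abc",
    "software_client_name": "Exemplo TPP", "software_roles": ["DADOS"],
    "software_jwks_uri": "https://keystore.example/0b4c2a1e/application.jwks",
    "software_redirect_uris": ["https://tpp.example/cb", "https://tpp.example/cb2"],
}
SAMPLE_REQUEST = {
    "client_name": "Something Else",              # overridden by the SSA value
    "redirect_uris": ["https://tpp.example/cb"],
    "jwks_uri": "https://keystore.example/0b4c2a1e/application.jwks",
    "scope": "openid accounts consents resources",
    "token_endpoint_auth_method": "tls_client_auth",
    "software_statement": "<signed PS256 JWT, verified before this point>",
}

if __name__ == "__main__":
    print(validate_registration(SAMPLE_REQUEST, SAMPLE_SSA, now=SAMPLE_SSA["iat"] + 60))
```

The function collects every failure before rejecting, so a client gets one complete `invalid_client_metadata` style answer instead of discovering the rules one round-trip at a time; the stored metadata is built from the request but with the SSA's `client_name`, `jwks_uri` and `logo_uri` substituted, which is what "choosing values in the SSA with precedence" means in practice.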

...

Clause 3 of RFC4514 (Lightweight Directory Access Protocol (LDAP): String Representation of Distinguished Names) defines the mandatory OIDs whose AttributeType strings (descriptors) implementers must recognize. This mandatory list does not include several of the OIDs defined in Open Finance Brasil x.509 Certificate Standards, nor is there a defined mechanism for Authorization Servers to publish the format in which they expect a Dynamic Client Registration request that includes a tls_client_auth_subject_dn to be presented.

To address this ambiguity, the Authorization Server shall accept in string format only the AttributeTypes (descriptors) defined in the last paragraph of clause 3 of RFC4514; it shall also accept, in OID format with their values in ASN.1, all the AttributeTypes defined in the Distinguished Name of Open Finance Brasil x.509 Certificate Standards or added by the Certificate Authority.

In case of non-compliance with these requirements, the Authorization Server shall reject the registration.
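The rule above, together with items 13 and 14 of the list, as a parser and check for the tls_client_auth_subject_dn value (an added example for this page, not Open Finance Brasil reference code). String descriptors are accepted only from the RFC4514 clause 3 set; any other attribute, organizationIdentifier (OID 2.5.4.97) included, must arrive in dotted OID form with a `#`-prefixed hex BER value, which is decoded from ASN.1 to text before comparison with `OFBBR-` + org_id. The sample DN, SSA values and organisation names are constructed; the legacy pre-August-2022 rule is not implemented.

```python
"""Parse a tls_client_auth_subject_dn string (RFC 4514 form) and check it against
the SSA. Added example for this page; not Open Finance Brasil reference code."""
import binascii
import re

# AttributeType descriptors that clause 3 of RFC 4514 requires every implementation
# to recognise in string form. Any other attribute (organizationIdentifier included)
# must arrive as a dotted-decimal OID whose value is '#' + hex of its BER encoding.
RFC4514_DESCRIPTORS = {"CN", "L", "ST", "O", "OU", "C", "STREET", "DC", "UID"}
OID_ORGANIZATION_IDENTIFIER = "2.5.4.97"
REGISTRATION_PREFIX = "OFBBR-"

_DOTTED_OID = re.compile(r"^\d+(\.\d+)+$")
# ASN.1 string universal tags we are willing to decode, with their text encodings.
_STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii", 0x1E: "utf-16-be"}


def _split_unescaped(s, sep):
    """Split s on sep, leaving backslash-escaped separators alone."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2]); i += 2
        elif s[i] == sep:
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(s[i]); i += 1
    parts.append("".join(cur))
    return parts


def _unescape(v):
    """Resolve RFC 4514 '\\X' and '\\HH' escapes in a string-form value."""
    out, i = bytearray(), 0
    while i < len(v):
        if v[i] == "\\" and i + 1 < len(v):
            pair = v[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
                out.append(int(pair, 16)); i += 3
            else:
                out += v[i + 1].encode("utf-8"); i += 2
        else:
            out += v[i].encode("utf-8"); i += 1
    return out.decode("utf-8")


def _decode_ber_string(hexval):
    """Turn the '#'-hex BER value of an OID-form attribute into text."""
    raw = binascii.unhexlify(hexval)
    if len(raw) < 2 or raw[0] not in _STRING_TAGS:
        raise ValueError("unsupported ASN.1 string tag in DN value")
    length, offset = raw[1], 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, offset = int.from_bytes(raw[2:2 + n], "big"), 2 + n
    if offset + length != len(raw):
        raise ValueError("BER length does not match value size")
    return raw[offset:].decode(_STRING_TAGS[raw[0]])


def parse_subject_dn(dn):
    """Return {attribute type: text value}. String descriptors are upper-cased and
    limited to the RFC 4514 set; OID-form types are kept as dotted OIDs."""
    attrs = {}
    for rdn in _split_unescaped(dn, ","):
        for ava in _split_unescaped(rdn, "+"):
            typ, _, val = ava.strip().partition("=")
            typ = typ.strip()
            if _DOTTED_OID.match(typ):
                key = typ
            elif typ.upper() in RFC4514_DESCRIPTORS:
                key = typ.upper()
            else:
                raise ValueError(f"{typ!r} is not an RFC 4514 clause 3 descriptor; send it in OID form")
            attrs[key] = _decode_ber_string(val[1:]) if val.startswith("#") else _unescape(val)
    return attrs


def check_subject_dn_against_ssa(dn, ssa):
    """Items 13 and 14: UID must equal software_id and organizationIdentifier must
    equal 'OFBBR-' + org_id. Returns the parsed attributes on success."""
    attrs = parse_subject_dn(dn)
    if attrs.get("UID") != ssa["software_id"]:
        raise ValueError("certificate UID does not match software_id in the SSA")
    if attrs.get(OID_ORGANIZATION_IDENTIFIER) != REGISTRATION_PREFIX + ssa["org_id"]:
        raise ValueError("organizationIdentifier does not match OFBBR-<org_id> from the SSA")
    return attrs


# Constructed sample (not real participants). The organizationIdentifier value is the
# DER UTF8String encoding of "OFBBR-0b4c2a1e-3d5f-4e6a-9b7c-8d9e0f1a2b3c".
SAMPLE_SSA = {"software_id": "7f3e2a90-1b2c-4d5e-8f60-123456789abc",
              "org_id": "0b4c2a1e-3d5f-4e6a-9b7c-8d9e0f1a2b3c"}
SAMPLE_DN = (r"CN=example-client,UID=7f3e2a90-1b2c-4d5e-8f60-123456789abc,"
             r"2.5.4.97=#0C2A4F464242522D30623463326131652D336435662D346536612D396237632D386439653066316132623363,"
             r"O=Banco Exemplo S\, A,C=BR")
# Same organizationIdentifier sent as a string descriptor: rejected, not in the RFC 4514 set.
BAD_DN = r"CN=example-client,organizationIdentifier=OFBBR-0b4c2a1e-3d5f-4e6a-9b7c-8d9e0f1a2b3c,C=BR"

if __name__ == "__main__":
    print(check_subject_dn_against_ssa(SAMPLE_DN, SAMPLE_SSA))
```

The comparisons here are exact string equality. Item 15 requires the distinguishedNameMatch rule of RFC4517 when comparing the presented DN with the one in the client certificate during the TLS handshake; that rule applies each attribute's own matching rule (case-insensitive, whitespace-insensitive for most string types), so a production server should normalise both sides with the same library before comparing rather than reusing the raw strings above.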

...