| Índice | ||||
|---|---|---|---|---|
|
Foreword
Este documento também está disponível em português:[PT] Open Finance Brasil Financial-grade API Security Profile 1.0 Implementers Draft 3
The Open Finance Brasil Initial Structure is responsible for creating standards and specifications necessary to meet the requirements and obligations of the Brasil Open Finance Legislation as originally outlined by the Brasil Central Bank. There is a possibility that some of the elements of this document may be the subject to patent rights. OFBIS shall not be held responsible for identifying any or all such patent rights.
Open Finance Brasil Financial-grade API Security Profile 1.0 consists of the following parts:
Open Finance Brasil Financial-grade API Security Profile 1.0
These parts are intended to be used with RFC6749, RFC6750, RFC7636, OIDC, FAPI-1-Baseline and FAPI-1-Advanced
...
"sub" Claim clarifications
This profile uses the official openId definition found at: https://github.com/OpenBanking-Brasil/specs-seguranca/tree/main/idtoken_review Analise requisitos de criptografia ID_TOKEN. This means the sub is a never reassigned identifier for the end user. The value for a given user should never change within an institution, even across diferents consents.
Requesting the "cpf" Claim
...
The receiver shall validate the consistency of the JWS message's digital signature exclusively based on the information obtained from the directory, that is, based on the keys published in the institution's JWKS in the directory.
Signatures must be performed using the digital signature certificate specified in the Open Finance Brazil Certificates Standard;
the iat claim must be numeric in Unix Time format GMT+0 with a tolerance of +/- 60 seconds;
the jti claim must be unique for a clientId within a time frame of 86,400 seconds (24h), and cannot be reused within this period. In case of reuse, the HTTP error code 403 shall be return. Any other case must follow RFC 6749 instructions in item 5.2.
...