Foreword
This document is also available in Portuguese.
The Open Finance Brasil Initial Structure is responsible for creating the standards and specifications necessary to meet the requirements and obligations of the Brasil Open Finance Legislation as originally outlined by the Brasil Central Bank. There is a possibility that some of the elements of this document may be subject to patent rights. OFBIS shall not be held responsible for identifying any or all such patent rights.
Open Finance Brasil Financial-grade API Security Profile 1.0 consists of the following parts:
Open Finance Brasil Financial-grade API Security Profile 1.0
Open Finance Brasil Dynamic Client Registration Profile 1.0
These parts are intended to be used with RFC6749, RFC6750, RFC7636, OIDC, OIDR, RFC7591, RFC7592, FAPI-1-Baseline and FAPI-1-Advanced
...
1. shall reject dynamic client registration requests not performed over a connection secured with mutual TLS using certificates issued by Brazil ICP (production) or the Directory of Participants (sandbox);
2. shall validate that the request contains a software_statement JWT signed using the PS256 algorithm, issued by the Open Finance Brasil Directory of Participants;
3. shall validate that the software_statement was issued (iat) not more than 5 minutes prior to the request being received;
4. shall validate that the attribute jwks (key set by value) was not included, but declared as a reference in the jwks_uri attribute;
5. shall, when informed, validate that jwks_uri matches the software_jwks_uri provided in the software_statement;
6. shall require and validate that redirect_uris matches or contains a subset of the software_redirect_uris provided in the software_statement;
7. shall require and validate that all client authentication mechanisms adhere to the requirements defined in RFC7591 and RFC7592, validating the registration_access_token and, through a secure connection, the certificate chain of ICP-Brasil;
8. removed;
9. shall validate that the requested scopes are adequate for accredited institutions and their regulatory roles and are contained in the software_statement. The list of regulatory permissions and the corresponding scopes are described in the following sections;
10. where possible, shall compare client metadata asserted by a client to the metadata provided in the software_statement, choosing values in the SSA with precedence;
11. shall accept all x.500 AttributeType name strings defined in the Distinguished Name of the x.509 Certificate Profiles defined in Open Finance Brasil x.509 Certificate Standards;
12. if supporting the tls_client_auth client authentication mechanism as defined in RFC8705, shall only accept tls_client_auth_subject_dn as an indication of the certificate subject value as defined in clause 2.1.2 of RFC8705. The value of the UID field of the certificate should match the one sent in the SSA, where the UID field should contain the value of the software_id field of the SSA. The organizationIdentifier field will be found in the subject_DN in ASN.1 format and must be decoded respecting the corresponding encoding string. The value of the organizationIdentifier field of the certificate must contain the prefix corresponding to the Registration Reference, OFBBR-, followed by the value of the org_id field of the SSA. You must convert the values of the OID 2.5.4.97 field from ASN.1 format to human-readable text. For certificates issued before August 31, 2022: the value of the OR field of the certificate must contain the value of the org_id field of the SSA;
13. shall, during the TLS handshake process, use the distinguishedNameMatch rule to compare the DN values as defined in RFC4517;
14. shall ensure the integrity of the stock of active consents, even after any systemic changes, so that such changes are transparent to the data receiver institutions (TPP);
15. shall perform a recertification on OIDF FAPI and DCR after any systemic changes.
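The software_statement and metadata checks listed above (PS256 header, iat freshness, no jwks by value, jwks_uri versus software_jwks_uri, redirect_uris as a subset of software_redirect_uris, scopes permitted by the SSA, and SSA precedence over client-asserted metadata), worked through as an added example in Python. This is not code from the Open Finance Brasil profile. It assumes that PS256 signature verification of the software_statement against the directory's JWKS has already been performed by a JWT library, so only the header and claims are inspected; the role-to-scope table (ROLE_SCOPES), the request/SSA field correspondence (SSA_OVERRIDES), the make_constructed_ssa helper and every sample identifier and URL are constructed for the demonstration and are not values from the directory.

```python
import base64
import json
from typing import Any, Dict, List, Tuple

MAX_SSA_AGE_SECONDS = 5 * 60   # "issued (iat) not more than 5 minutes prior to the request"
REQUIRED_ALG = "PS256"

# Assumed stand-in for the role-to-scope table the profile defines in its later sections.
ROLE_SCOPES = {
    "DADOS": {"openid", "accounts", "credit-cards-accounts"},
    "PAGTO": {"openid", "payments"},
}
# Assumed correspondence between request metadata and SSA fields; the SSA value takes precedence.
SSA_OVERRIDES = {"client_name": "software_client_name", "jwks_uri": "software_jwks_uri"}

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_jwt(token: str) -> Tuple[Dict[str, Any], Dict[str, Any]]:
    # PS256 signature verification against the directory's JWKS is assumed to have been
    # done by a JWT library before this point; only header and claims are inspected here.
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def make_constructed_ssa(claims: Dict[str, Any], alg: str = REQUIRED_ALG) -> str:
    """Constructed, unsigned SSA for this demo; a real one is signed by the directory."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url_encode(b'placeholder-signature')}"

def validate_registration(request: Dict[str, Any], now: int) -> List[str]:
    """Return rejection reasons for a DCR request; an empty list means these checks passed."""
    ssa = request.get("software_statement")
    if not isinstance(ssa, str):
        return ["software_statement is required"]
    header, claims = decode_jwt(ssa)
    errors: List[str] = []
    if header.get("alg") != REQUIRED_ALG:
        errors.append(f"software_statement must be signed with {REQUIRED_ALG}")
    iat = claims.get("iat")
    if not isinstance(iat, int) or iat > now or now - iat > MAX_SSA_AGE_SECONDS:
        errors.append("software_statement iat missing, in the future, or older than 5 minutes")
    if "jwks" in request:
        errors.append("jwks by value is not allowed; declare jwks_uri instead")
    if "jwks_uri" in request and request["jwks_uri"] != claims.get("software_jwks_uri"):
        errors.append("jwks_uri does not match software_jwks_uri in the SSA")
    redirect_uris = request.get("redirect_uris") or []
    if not redirect_uris:
        errors.append("redirect_uris is required")
    elif not set(redirect_uris) <= set(claims.get("software_redirect_uris", [])):
        errors.append("redirect_uris must be a subset of software_redirect_uris in the SSA")
    allowed: set = set()
    for role in claims.get("software_roles", []):
        allowed |= ROLE_SCOPES.get(role, set())
    requested = set(request.get("scope", "").split())
    if not requested <= allowed:
        errors.append(f"scopes not permitted for the SSA roles: {sorted(requested - allowed)}")
    return errors

def effective_metadata(request: Dict[str, Any]) -> Dict[str, Any]:
    """Merge client-asserted metadata with the SSA, letting the SSA win where both exist."""
    _, claims = decode_jwt(request["software_statement"])
    merged = dict(request)
    for field, ssa_field in SSA_OVERRIDES.items():
        if ssa_field in claims:
            merged[field] = claims[ssa_field]
    return merged

# Constructed sample: a fresh SSA and a registration request that should pass every check.
NOW = 1_700_000_000
SAMPLE_CLAIMS = {
    "iat": NOW - 60,
    "org_id": "11111111-2222-3333-4444-555555555555",       # constructed placeholder
    "software_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",  # constructed placeholder
    "software_jwks_uri": "https://keystore.example/app.jwks",
    "software_redirect_uris": ["https://tpp.example/callback", "https://tpp.example/cb2"],
    "software_roles": ["DADOS"],
    "software_client_name": "Example TPP",
}
SAMPLE_REQUEST = {
    "software_statement": make_constructed_ssa(SAMPLE_CLAIMS),
    "redirect_uris": ["https://tpp.example/callback"],
    "jwks_uri": "https://keystore.example/app.jwks",
    "scope": "openid accounts",
    "client_name": "Name asserted by the client",
    "token_endpoint_auth_method": "tls_client_auth",
}
```

validate_registration(SAMPLE_REQUEST, NOW) returns an empty list; feeding it a copy of the request with a jwks key set by value, a stale iat, an RS256 header, an unlisted redirect URI or a scope outside the SSA roles yields the corresponding rejection reason, and effective_metadata shows the SSA's software_client_name overriding the client-asserted client_name.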
...
Clause 3 of Lightweight Directory Access Protocol (LDAP): String Representation of Distinguished Names (RFC4514) defines the mandatory OIDs whose AttributeType strings (descriptors) must be recognized by implementers. This mandatory list does not include several of the OIDs defined in Open Finance Brasil x.509 Certificate Standards, nor is there a defined mechanism for Authorization Servers to publish the format in which they expect a Dynamic Client Registration request that includes a tls_client_auth_subject_dn to be presented.
To address this ambiguity, the Authorization Server shall accept only the AttributeTypes (descriptors) defined in the last paragraph of clause 3 of RFC4514 in string format; it shall also accept, in OID format with their values in ASN.1, all the AttributeTypes defined in the Distinguished Name of Open Finance Brasil x.509 Certificate Standards or added by the Certificate Authority.
In case of non-compliance with these requirements, the Authorization Server shall reject the registration.
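Parsing and matching subject DNs under these rules, as an added example in Python rather than profile code. It covers both the attribute-type rule just stated and the certificate binding requirements from the list above: parse_dn accepts the RFC4514 clause 3 descriptors in string form and any other attribute type only as a dotted OID with a '#hex' ASN.1 value (so the OID 2.5.4.97 organizationIdentifier is decoded from its BER string to text), distinguished_name_match compares two DNs RDN by RDN with case- and whitespace-insensitive values, and check_ssa_binding verifies UID against software_id and organizationIdentifier against OFBBR- plus org_id. Applying caseIgnoreMatch-style normalisation to every attribute is an assumption that suffices for the attribute types shown; der_utf8_hex, the sample DNs and the org_id/software_id values are constructed for the demonstration.

```python
import re
from typing import Dict, List, Set, Tuple

# Descriptors the last paragraph of RFC4514 clause 3 requires implementers to recognise, with
# their OIDs. Any other attribute type must arrive as a dotted OID with a '#hex' BER value.
RFC4514_DESCRIPTORS = {
    "CN": "2.5.4.3", "L": "2.5.4.7", "ST": "2.5.4.8", "O": "2.5.4.10", "OU": "2.5.4.11",
    "C": "2.5.4.6", "STREET": "2.5.4.9", "DC": "0.9.2342.19200300.100.1.25",
    "UID": "0.9.2342.19200300.100.1.1",
}
OID_ORGANIZATION_IDENTIFIER = "2.5.4.97"
OID_UID = RFC4514_DESCRIPTORS["UID"]
OID_RE = re.compile(r"^\d+(\.\d+)+$")
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii"}  # UTF8String, PrintableString, IA5String

class DnError(ValueError):
    """Raised when a DN does not meet the profile's format requirements."""

def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split on sep, treating backslash-escaped pairs (e.g. '\\,') as ordinary characters."""
    return re.findall(rf"(?:\\.|[^{re.escape(sep)}])+", text)

def _unescape(value: str) -> str:
    """Resolve RFC4514 '\\c' and '\\XX' escapes into the UTF-8 text they encode."""
    out = bytearray()
    for lit, hexpair, ch in re.findall(r"([^\\]+)|\\([0-9A-Fa-f]{2})|\\(.)", value):
        out += lit.encode() if lit else bytes.fromhex(hexpair) if hexpair else ch.encode()
    return out.decode("utf-8")

def _decode_ber_string(hexstr: str) -> str:
    """Decode the '#hex' BER form (tag, short-form length, content) used for OID-typed values."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 2 or raw[0] not in STRING_TAGS or raw[1] & 0x80 or 2 + raw[1] != len(raw):
        raise DnError(f"unsupported or malformed BER value #{hexstr}")
    return raw[2:].decode(STRING_TAGS[raw[0]])

def parse_dn(dn: str) -> List[Set[Tuple[str, str]]]:
    """Parse an RFC4514 string into RDNs: sets of (OID, value normalised as caseIgnoreMatch does)."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = set()
        for ava in _split_unescaped(rdn, "+"):
            if "=" not in ava:
                raise DnError(f"malformed AVA {ava!r}")
            attr_type, value = (part.strip() for part in ava.split("=", 1))
            if attr_type.upper() in RFC4514_DESCRIPTORS:
                oid = RFC4514_DESCRIPTORS[attr_type.upper()]
                text = _decode_ber_string(value[1:]) if value.startswith("#") else _unescape(value)
            elif OID_RE.match(attr_type) and value.startswith("#"):   # OID form carries an ASN.1 value
                oid, text = attr_type, _decode_ber_string(value[1:])
            else:
                raise DnError(f"attribute type {attr_type!r} must be a listed descriptor or an OID with a #hex value")
            avas.add((oid, " ".join(text.split()).casefold()))
        rdns.append(avas)
    return rdns

def is_acceptable_dn(dn: str) -> bool:
    try:
        parse_dn(dn)
        return True
    except DnError:
        return False

def distinguished_name_match(dn_a: str, dn_b: str) -> bool:
    """RFC4517 distinguishedNameMatch: same RDN sequence, values compared under their matching rule."""
    return parse_dn(dn_a) == parse_dn(dn_b)

def check_ssa_binding(dn: str, claims: Dict[str, str]) -> List[str]:
    """UID must equal software_id and organizationIdentifier must equal 'OFBBR-' + org_id."""
    values = {oid: val for rdn in parse_dn(dn) for oid, val in rdn}
    errors = []
    if values.get(OID_ORGANIZATION_IDENTIFIER) != ("OFBBR-" + claims["org_id"]).casefold():
        errors.append("organizationIdentifier does not equal OFBBR-<org_id> from the SSA")
    if values.get(OID_UID) != claims["software_id"].casefold():
        errors.append("UID does not equal software_id from the SSA")
    return errors

def der_utf8_hex(text: str) -> str:
    """Constructed helper: encode text as a UTF8String in '#hex' form (short length form only)."""
    data = text.encode()
    return "#0C" + f"{len(data):02X}" + data.hex().upper()

# Constructed sample values; org_id and software_id are placeholders, not real directory identifiers.
SAMPLE_CLAIMS = {"org_id": "11111111-2222-3333-4444-555555555555",
                 "software_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}
ORG_ID_HEX = der_utf8_hex("OFBBR-" + SAMPLE_CLAIMS["org_id"])
CERT_DN = f"CN=tpp.example,UID={SAMPLE_CLAIMS['software_id']},2.5.4.97={ORG_ID_HEX},O=Example TPP,C=BR"
CLIENT_DN = f"cn=tpp.example, uid={SAMPLE_CLAIMS['software_id'].upper()}, 2.5.4.97={ORG_ID_HEX}, o=Example  TPP, c=BR"
REJECTED_DN = f"CN=tpp.example,organizationIdentifier=OFBBR-{SAMPLE_CLAIMS['org_id']},O=Example TPP,C=BR"
```

CERT_DN stands for the subject extracted from the client certificate and CLIENT_DN for the tls_client_auth_subject_dn asserted in the registration request; they match under distinguished_name_match despite differences in case and spacing, and check_ssa_binding passes for them. REJECTED_DN uses the organizationIdentifier descriptor in string form, which is outside the RFC4514 list, so parse_dn raises DnError and the registration would be rejected.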
...
Processing of the Dynamic Client Registration claim
...
The steps of the subject_DN extraction process are described in the section Certificate Distinguished Name Parsing.