...
Este documento também está disponível em português
The Open Finance Brasil Initial Structure is responsible for creating standards and specifications necessary to meet the requirements and obligations of the Brasil Open Finance Legislation as originally outlined by the Brasil Central Bank. There is a possibility that some of the elements of this document may be the subject to patent rights. OFBIS shall not be held responsible for identifying any or all such patent rights.
...
This document specifies the method of:
applications to obtain OAuth tokens via a backchannel authentication flow in an appropriately secure manner for higher risk access to data in a manner that meets the requirements of Open Finance Brasil;
applications to use OpenID Connect CIBA to suggest the identity of the customer;
This document is applicable to all participants engaging in Open Finance in Brasil.
...
FAPI-CIBA - Financial-grade API: Client Initiated Backchannel Authentication Profile
FAPI-BR - Open Finance Brasil Financial-grade API Security Profile 1.0
CIBA - OpenID Connect Client Initiated Backchannel Authentication Core
...
In addition, the Authorization Server
...
shall distribute discovery metadata (such as the authorization endpoint) via the metadata document as specified in OIDD and [RFC8414]
...
shall support the claims parameter as defined in clause 5.5 OpenID Connect Core
...
shall support the acr "urn:brasil:openbanking:loa2" as defined in clause 5.2.2.4 of FAPI-BR
...
shall implement the userinfo endpoint as defined in clause 5.3 OpenID Connect Core
shall support parameterized OAuth 2.0 resource scope consent as defined in clause 6.3.1 OIDF FAPI WG Lodging Intent Pattern
shall support refresh tokens
The acceptance time of consent on the Authorization request received via CIBA shall remain the same as defined for the flow via Hybrid Flow, of 5 minutes;
shall ensure that ‘exp’ in all issued id_tokens is at least 180 days from the time of issue;
The id_token shall be used in the authorization call through the "id_token_hint" parameter;
shall support CIBA poll mode;
shall not support CIBA push mode;
shall not support CIBA ping mode;
The cancellation of the id_token shall be carried out by the account holder institution in cases of fraud or for security reasons.
is going to be added – The routine rotation of signing keys of id tokens SHALL NOT BE a reason to reject a non-expired id token signed with the older key. The authorization server should be prepared to use signing keys with similar validity periods to the ones of the id token.
Error table “HTTP 400 Bad Request”:
invalid_request: The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, contains more than one of the hints, or is otherwise malformed
...
;
invalid_scope: The requested scope is invalid, unknown, or malformed
...
;
expired_id_token_hint: The id_token hint provided in the authentication request is not valid because it has expired
...
;
unknown_user_id: The OpenID Provider is not able to identify which end-user the Client wishes to be authenticated by means of the hint provided in the request (id_token_hint)
...
;
unauthorized_client: The Client is not authorized to use this authentication flow
...
;
invalid_id_token_hint: The id_token is invalid and can’t be used in the flow.
Shall issue ciba auth request acknowledgements (response of the consultation of auth_req_id) with a maximum expiry of 5 minutes, as defined for the flow via Hybrid Flow;
...
Id_token payload validation.
Parameters | Validation |
iss |
The Authorization Server must establish an identifier, or set of standard "iss" identifiers for use in CIBA transactions. - The Authorization Server should not accept "iss" different from its own identifier, or set of identifiers, standard. |
sub |
The Authorization Server should check if the "sub" identifier in question has already been issued to a client/account, and if it is valid within its requirements. |
aud |
The Authorization Server should not accept "aud" different from the client_id from where the authorization request for the CIBA flow originates. |
exp |
"exp" should be established according to the risk policies of the Account Holder institution, provided that requirement 5.2.2.15 is respected (minimum of 180 days) - The Authorization Server should not accept authorization requests whose date/time is greater than "exp". |
iat |
No specific validations |
auth_time |
No specific validations |
nonce |
No specific AS validations |
acr |
If present, the AS should only accept values equal to or above the Holder's authentication requirements to authorize payment transactions. |
amr |
If present, the AS should only accept values equal to or better than the Holder's authentication requirements to authorize payment transactions. |
azp |
The Authorization Server should not accept "azp" different from the client_id from where the authorization request for the CIBA flow originates. |
Parameters for signature validation
...
Parameters | Description | Condition | Recommended values |
alg | The "alg" (algorithm) parameter identifies the cryptographic algorithm used to protect the JWS/JWE. The JWS Signature value is invalid if the "alg" value does not represent a supported algorithm or if there is no compatible key for the use of the algorithm associated with the entity that digitally signed the content. | Required | PS256 |
or PS512 | |
kid | The "kid" (Key ID) parameter indicates which key was used to protect the JWS/JWE. This parameter allows senders to explicitly signal a key change to recipients. The "kid" value MUST be a case-sensitive string. When used with a JWK, the "kid" value is used to match a "kid" parameter value of the JWK. |
Required | ||
x5t | x5t#S256 | The "x5t" or “x5t#S256” (X.509 Certificate SHA-1/SHA-256 Thumbprint) parameter is a base64url encoded SHA-1 |
x5t#S256
/SHA-256 thumbprint (hash) of the DER encoding of the X.509 certificate (RFC5280) corresponding to the key used to digitally sign the JWS. |
Required | ||
typ | The "typ" (Type) parameter is used by JWS applications to declare the media type (IANA.MediaTypes) of this complete JWS. It is intended for use by the application when more than one type of object may be present in an application data structure that can contain a JWS; the application can use this value to eliminate ambiguity between the different types of objects that may be present. |
Optional | JWT |
5.2.3. Confidential client
...
shall support parameterized OAuth 2.0 resource scope consent as defined in clause 6.3.1 OIDF FAPI WG Lodging Intent Pattern
shall support refresh tokens
...
The technology described in this specification was made available from contributions from various sources, including members of the OpenID Foundation, the Open Finance Brasil GT Security Working Group and others. Although the Open Finance Brasil Initial Structure has taken steps to help ensure that the technology is available for distribution, it takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this specification or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any independent effort to identify any such rights. The Open Finance Brasil Initial Structure and the contributors to this specification make no (and hereby expressly disclaim any) warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to this specification, and the entire risk as to implementing this specification is assumed by the implementer. The Open Finance Brasil Intellectual Property Rights policy requires contributors to offer a patent promise not to assert certain patent claims against other contributors and against implementers. The Open Finance Brasil Initial Structure invites any interested party to bring to its attention any copyrights, patents, patent applications, or other proprietary rights that may cover technology that may be required to practice this specification.
Author's Address
OFBIS GT Security
Open Finance Brasil Initial Structure