ASPSP End To End User Guide

1. Registering a Bank

1.1. Directory Overview

The trust framework services provided by Open Finance Brasil provide all of the discovery services necessary for a TPPs and ASPSPs to interact with each other without being required to validate the authenticity of each others Identity, Authorizations, Consumer Offerings (Apps), APIs or Credentials

An Authorization Server or AS as defined by RFC 6749 - The OAuth 2.0 Authorization Framework perform several functions in a Data Sharing ecosystem like Open Finance. Please read ensure that the concepts roles and responsibilities defined in the original RFC are well understood before proceeding. In addition please ensure that the concepts, roles and responsibilities defined in OpenID Connect Core and how they extended the concepts defined in RFC 6749 are equally as well understood.

1.2. Registering an Authorization Server and OpenID Provider

Banks, typically large banks, will not be a single entity from a technology operations point of view. They may have different brands, security and IT infrastructure for different customer segments or they may have some IT infrastructure that supports multiple brands or customer segments. This means that the technical ecosystem needs to be flexible enough to support a wide variety of Banks Infrastructure Deployments whilst ensuring that the necessary services are discoverable both Third Parties customers that need to interact with it.

...

• A customer can recognise the Authorization Server as a place that they would normally Bank with.

• The Authorization Server can issue tokens for the resource and services that a customer or TPP is looking for.

• For transmiting/account holder institutions whose Authorization Server supports more than one brand, it must accept more than one registry (client_ids creation) for the same software statement. If your Authorization Server implementation does not supports this behaviour, it must be suitable to support multiple brands and the registration of brands in the directory must be annotated according to each brand.

1.3. Registering Resources

Once a Bank has registered an Authorization Server, it needs to advertise what resources, APIs or Services it can provide authorization for.

...

Correctly advertising what resources are offered by each server is important to achieving the scale envisaged by Brasil Open Finance and critical for ensuring that customers can identify their banking service easily and that TPPs can route customers to the correct Authorization Service based on the resources that protected by each service.

2. Validating a client registration request

Using OpenID Connect Discovery and the Brasil Open Finance Dynamic Client Registration specification. A TPP can register their application at each of the Authorization Servers available in the ecosystem.

2.1. OpenID Connect Registration and OAuth 2.0 Dynamic Client Registration

Please see Open Finance Brasil Dynamic Client Registration Specification Clause 7 for more details:

https://openfinancebrasil.atlassian.net/wiki/spaces/DraftOF/pages/76709980/EN+Open+Finance+Brasil+Financial-grade+API+Dynamic+Client+Registration+1.0+Implementers+Draft+3#Open-Finance-Brasil-OpenID-Connect-Registration-Provisions

2.2. Software Statement Assertion Processing

Please see Open Finance Brasil Dynamic Client Registration Specification Clause 8 for more details:

https://openfinancebrasil.atlassian.net/wiki/spaces/DraftOF/pages/76709980/EN+Open+Finance+Brasil+Financial-grade+API+Dynamic+Client+Registration+1.0+Implementers+Draft+3#Software-Statement-Assertion

3. Validating an Authorization Request

Please see Open Finance Security Profile Clause 5 for more details:

https://openfinancebrasil.atlassian.net/wiki/spaces/DraftOF/pages/76283925/EN+Open+Finance+Brasil+Financial-grade+API+Security+Profile+1.0+Implementers+Draft+3#Brasil-Open-Finance-Security-Profile