Comparação de Páginas

...

Este documento também está disponível em português

The Open Finance Brasil Initial Structure is responsible for creating standards and specifications necessary to meet the requirements and obligations of the Brasil Open Finance Legislation as originally outlined by the Brasil Central Bank. There is a possibility that some of the elements of this document may be the subject to patent rights. OFBIS shall not be held responsible for identifying any or all such patent rights.

...

This document specifies the method of:

1. applications to obtain OAuth tokens via a backchannel authentication flow in an appropriately secure manner for higher risk access to data in a manner that meets the requirements of Open Finance Brasil;

2. applications to use OpenID Connect CIBA to suggest the identity of the customer;

This document is applicable to all participants engaging in Open Finance in Brasil.

...

FAPI-CIBA - Financial-grade API: Client Initiated Backchannel Authentication Profile

FAPI-BR - Open Finance Brasil Financial-grade API Security Profile 1.0

CIBA - OpenID Connect Client Initiated Backchannel Authentication Core

...

In addition, the Authorization Server

1. shall distribute discovery metadata (such as the authorization endpoint) via the metadata document as specified in OIDD and [RFC8414]

2. shall support the claims parameter as defined in clause 5.5 OpenID Connect Core

3. shall support the oidc standard claim "cpf" as defined in clause 5.2.2.2 of [FAPI-BR]

4. shall support the oidc standard claim "cnpj" as defined in clause 5.2.2.3 of [FAPI-BR] if providing access to resources where the resource owner is not a natural person

5. shall support the acr "urn:brasil:openbanking:loa2" as defined in clause 5.2.2.4 of FAPI-BR

6. should support the acr "urn:brasil:openbanking:loa3" as defined in clause 5.2.2.4 of [FAPI-BR]]

7. shall implement the userinfo endpoint as defined in clause 5.3 OpenID Connect Core

8. shall support parameterized OAuth 2.0 resource scope consent as defined in clause 6.3.1 OIDF FAPI WG Lodging Intent Pattern

9. shall support refresh tokens

10. shall issue access tokens with an expiry no greater than 900 seconds and no less than 300 seconds

11. shall always include an acr claim in the id_token

12. shall require the Signed Authentication Request to contain nbf and exp claims that limit the lifetime of the request to no more than 10 minutes

13. shall issue ciba auth request acknowledgements with a minimum expiry of 6 minutes;

14. The acceptance time of consent on the Authorization request received via CIBA shall remain the same as defined for the flow via Hybrid Flow, of 5 minutes;

15. shall ensure that ‘exp’ in all issued id_tokens is at least 180 days from the time of issue;

16. The id_token shall be used in the authorization call through the "id_token_hint" parameter

17. shall support CIBA poll mode;

18. shall not support CIBA push mode;

19. shall not support CIBA ping mode;

20. The cancellation of the id_token shall be carried out by the account holder institution in cases of fraud or for security reasons.

    1. is going to be added – The routine rotation of signing keys of id tokens SHALL NOT BE a reason to reject a non-expired id token signed with the older key. The authorization server should be prepared to use signing keys with similar validity periods to the ones of the id token.

21. Error table “HTTP 400 Bad Request”:

    1. invalid_request: The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, contains more than one of the hints, or is otherwise malformed.

    2. invalid_scope: The requested scope is invalid, unknown, or malformed.

    3. expired_id_token_hint: The id_token hint provided in the authentication request is not valid because it has expired.

    4. unknown_user_id: The OpenID Provider is not able to identify which end-user the Client wishes to be authenticated by means of the hint provided in the request (id_token_hint).

    5. unauthorized_client: The Client is not authorized to use this authentication flow.

    6. invalid_id_token_hint: The id_token is invalid and can’t be used in the flow

22. Shall issue ciba auth request acknowledgements (response of the consultation of auth_req_id) with a maximum expiry of 5 minutes, as defined for the flow via Hybrid Flow;

23. Payload validation

22. Parameters for signature validation

All parameters must be present in the JWT header.

...

Parameters

...

Description

...

Recommended values

...

alg

...

The "alg" (algorithm) parameter identifies the cryptographic algorithm used to protect the JWS/JWE. The JWS Signature value is invalid if the "alg" value does not represent a supported algorithm or if there is no compatible key for the use of the algorithm associated with the entity that digitally signed the content.

...

PS256 ou PS512

...

kid

...

The "kid" (Key ID) parameter indicates which key was used to protect the JWS/JWE. This parameter allows senders to explicitly signal a key change to recipients. The "kid" value MUST be a case-sensitive string. When used with a JWK, the "kid" value is used to match a "kid" parameter value of the JWK. (OPTIONAL)

...

x5t

...

The "x5t" (X.509 Certificate SHA-1 Thumbprint) parameter is a base64url encoded SHA-1 thumbprint (hash) of the DER encoding of the X.509 certificate (RFC5280) corresponding to the key used to digitally sign the JWS. (OPTIONAL)

...

x5t#S256

...

The "x5t#S256" (X.509 Certificate SHA-256 Thumbprint) parameter is a base64url encoded SHA-256 thumbprint (hash) of the DER encoding of the X.509 certificate (RFC5280) corresponding to the key used to digitally sign the JWS. It can be used as an alternative to "x5t" (OPTIONAL)

...

typ

...

The "typ" (Type) parameter is used by JWS applications to declare the media type (IANA.MediaTypes) of this complete JWS. It is intended for use by the application when more than one type of object may be present in an application data structure that can contain a JWS; the application can use this value to eliminate ambiguity between the different types of objects that may be present. (OPTIONAL)

...

JWT

5.2.3. Confidential client

In addition, the confidential client

1. shall support parameterized OAuth 2.0 resource scope consent as defined in clause 6.3.1 OIDF FAPI WG Lodging Intent Pattern

2. shall support refresh tokens

5.2.3.1.1. Authorisation Server Generated - Login Hint Token

This login hint can be used where it is not possible for the Resource Owner to provide a Login Hint to the Consumption Device or where the Resource Owner wishes to claim the authentication request by independently reaching out to the Authorisation Server out of band to claim this authentication request.

urn:brasil:openbanking:ciba:login-hint-token-type:as-generated

The use of a binding message is mandatory if this token type is to be leveraged.

5.2.3.1.1.1. Authorisation Server Generated - Login Hint Presentation

Presentation of the Authorisation Server Generated Token must be in the format of a JWE displayed as a QR Code with the following properties in the following way.

JWS Creation

1. The payload of signed messages (request JWT) shall include the following claims as defined at RFC7519:

• aud the Authorization Servers advertised issuer as per OIDD;

• iss the receiver of the message shall validate if the value of the iss field matches the clientId of the sender;

• jti the value of the jti field shall be filled with the UUID defined by the institution according to [RFC4122] version 4;

• iat the iat field shall be filled with the message generation time and according to the standard established in RFC7519 to the NumericDate format.

• *exp the exp field shall be filled with the message expiry time and according to the standard established in RFC7519 to the NumericDate format with an maximum value not greater than 5 minutes;

• auth_request_id the authentication request id returned from the Authorisation Server CIBA requst.

2. The JOSE header must contain the following attributes:

   • alg - shall be filled with the value PS256";

   • kid - shall be filled with the key identifier value used for the signature listed on the software statement keystore on the Open Finance Brasil Directory of Participants;

   • typ - shall be filled with the value cibabr+jwt.

JWE Creation

1. The JOSE header must contain the following attributes:

   • alg - shall be filled with the value RSA-OAEP";

   • enc - shall be filled with the value A256GCM";

   • kid - shall be filled with the encryption key identifier kid value used to encrypt the JWE with the encryption key advertised on the authorisation servers jwks endpoint;

   • cty - shall be filled with the value JWT.

5.2.4.1.2. Authentication Device Generated - Login Hint Token

This login hint token should be used when Client has requested a unique identifier be provided by the Resource Owner to the Consumption Device. It is recommended that this identifier be dynamic, time based, have sufficient entropy and short lived to prevent replay attacks.

{ "format": "urn:brasil:openbanking:ciba:login-hint-token-type:ad-generated", "id": "11112222333344445555" }

The use of a binding message is mandatory if this token type is to be leveraged.

5.2.4.1.2. Authentication Device Generated - Login Hint Token

This login hint token should be used when Client has requested a unique identifier be provided by the Resource Owner to the Consumption Device. It is recommended that this identifier be dynamic, time based, have sufficient entropy and short lived to prevent replay attacks.

{ "format": "urn:brasil:openbanking:ciba:login-hint-token-type:ad-generated", "id": "11112222333344445555" }

...

1. The acceptance time of consent on the Authorization request received via CIBA shall remain the same as defined for the flow via Hybrid Flow, of 5 minutes;

2. shall ensure that ‘exp’ in all issued id_tokens is at least 180 days from the time of issue;

3. The id_token shall be used in the authorization call through the "id_token_hint" parameter;

4. shall support CIBA poll mode;

5. shall not support CIBA push mode;

6. shall not support CIBA ping mode;

7. The cancellation of the id_token shall be carried out by the account holder institution in cases of fraud or for security reasons.

8. Error table “HTTP 400 Bad Request”:

• invalid_request: The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, contains more than one of the hints, or is otherwise malformed;

• invalid_scope: The requested scope is invalid, unknown, or malformed;

• expired_id_token_hint: The id_token hint provided in the authentication request is not valid because it has expired;

• unknown_user_id: The OpenID Provider is not able to identify which end-user the Client wishes to be authenticated by means of the hint provided in the request (id_token_hint);

• unauthorized_client: The Client is not authorized to use this authentication flow;

• invalid_id_token_hint: The id_token is invalid and can’t be used in the flow.

9. Shall issue ciba auth request acknowledgements (response of the consultation of auth_req_id) with a maximum expiry of 5 minutes, as defined for the flow via Hybrid Flow;

10. Id_token payload validation.

11. Parameters for signature validation

5.2.3. Confidential client

In addition, the confidential client

1. shall support parameterized OAuth 2.0 resource scope consent as defined in clause 6.3.1 OIDF FAPI WG Lodging Intent Pattern

2. shall support refresh tokens

6. Security considerations

...

The technology described in this specification was made available from contributions from various sources, including members of the OpenID Foundation, the Open Finance Brasil GT Security Working Group and others. Although the Open Finance Brasil Initial Structure has taken steps to help ensure that the technology is available for distribution, it takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this specification or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any independent effort to identify any such rights. The Open Finance Brasil Initial Structure and the contributors to this specification make no (and hereby expressly disclaim any) warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to this specification, and the entire risk as to implementing this specification is assumed by the implementer. The Open Finance Brasil Intellectual Property Rights policy requires contributors to offer a patent promise not to assert certain patent claims against other contributors and against implementers. The Open Finance Brasil Initial Structure invites any interested party to bring to its attention any copyrights, patents, patent applications, or other proprietary rights that may cover technology that may be required to practice this specification.

Author's Address

OFBIS GT Security

Open Finance Brasil Initial Structure

Email: gt-seguranca@openfinancebrasil.org.br

URI: https://openfinancebrasil.org.br