Self-contained access tokens, typically JWT access tokens, contain associated data in themselves. If the following conditions meet, as a logical consequence, personal information leaks directly from such access tokens.

  1. Personal information is contained
  2. Nonencrypted
  3. Stateless
  4. Stolen by unintended parties

“Stateless” here means that an access token does not have any…

This article explains technical details of Open Banking Brasil (OBB), especially differences between OBB extensions and global standard specifications.

July 24, 2021: I greatly appreciate Carol Morais and Skalena translating this article into Portuguese and publishing it at “Notas de um implementador sobre Open Banking Brasil”.

OBB Financial-grade API Security Profile

Specification Stack


1. Digital Signature (Prior Knowledge)

What happens if ID tokens issued by external OpenID providers (IdP) are used for API protection? The following diagram is my understanding.

  • A client that has no relationship with the resource server can access APIs of the resource server using an ID token that the client has legitimately obtained in an utterly irrelevant context.
  • The user has granted a permission for the client to get an ID token, but she didn’t imagine that the permission would enable the client to call APIs of the irrelevant resource server.
  • Because an ID token has no concept of scope and the aud claim holds the ID of the client (i.e., the aud claim cannot be used to restrict accessible resources as RFC 8707 proposes), possible options for API protection are just “all allowed” or “all denied”.

If I’m missing something, please correct me.

Takahiko Kawasaki

Co-founder and representative director of Authlete, Inc., working as a software engineer since 1997.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store