Implementer’s note about Open Banking Brasil

OBB Financial-grade API Security Profile

Specification Stack

Open Banking Brasil Financial-grade API Security Profile 1.0 on top of the FAPI 1.0 specification

OBB Authorization Server Requirements

Passing a Request Object by Value
Overview of OAuth 2.0 Pushed Authorization Requests (PAR)
“Encryption in Front Channel” Option in Authlete
Supported Claims (Screenshot of Authlete’s Service Owner Console)
Supported ACR Values (Screenshot of Authlete’s Service Owner Console)
A “regex” attribute to support the Dynamic Consent Scope
Concept of CIBA

OBB Algorithm Requirements

{Header}.{Payload}.{Signature}
  • HS256 — HMAC using SHA-256
  • HS384 — HMAC using SHA-384
  • HS512 — HMAC using SHA-512
  • RS256 — RSASSA-PKCS1-v1_5 using SHA-256
  • RS384 — RSASSA-PKCS1-v1_5 using SHA-384
  • RS512 — RSASSA-PKCS1-v1_5 using SHA-512
  • ES256 — ECDSA using P-256 and SHA-256
  • ES384 — ECDSA using P-384 and SHA-384
  • ES512 — ECDSA using P-521 and SHA-512
  • PS256 — RSASSA-PSS using SHA-256 and MGF1 with SHA-256
  • PS384 — RSASSA-PSS using SHA-384 and MGF1 with SHA-384
  • PS512 — RSASSA-PSS using SHA-512 and MGF1 with SHA-512
  • none — No digital signature or MAC performed
Two-Step Encryption
Options for Request Object Encryption Algorithms

Dynamic Consent Scope

Consent API Call + Authorization Request
Consent API Call + PAR Request + Authorization Request

OBB Dynamic Client Registration

Specification Stack

Open Banking Brasil Dynamic Client Registration on top of standards

Basics of Dynamic Client Registration

Client Registration Endpoint
Client Registration Request Using a Software Statement

OBB Discovery Requirements

Example of the mtls_endpoint_aliases Server Metadata
Configuration of MTLS Endpoint Aliases

OBB Dynamic Client Registration Requirements

Verification of Signature of Software Statement
{
"iat": 1620060821,
......
}
  • private_key_jwt (defined in RFC 7523)
  • tls_client_auth (defined in RFC 8705)
  • self_signed_tls_client_auth (defined in RFC 8705)
"software_roles": [
"DADOS",
"PAGTO"
],
  • CN: 2.5.4.3 (commonName)
  • L: 2.5.4.7 (localityName)
  • ST: 2.5.4.8 (stateOrProvinceName)
  • O: 2.5.4.10 (organizationName)
  • OU: 2.5.4.11 (organizationalUnitName)
  • C: 2.5.4.6 (countryName)
  • STREET: 2.5.4.9 (streetAddress)
  • DC: 0.9.2342.19200300.100.1.25 (domainComponent)
  • UID: 0.9.2342.19200300.100.1.1 (userId)
  • serialNumber: 2.5.4.5
  • businessCategory: 2.5.4.15
  • jurisdictionCountryName: 1.3.6.1.4.1.311.60.2.1.3
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.x500.X500Principal;

// The pre-registered value of tls_client_auth_subject_dn.
String tlsClientAuthSubjectDn = ...;
// Convert the string into a form suitable for comparison.
// The default parser knows only the standard descriptors (CN, O, C, ...),
// so this constructor throws IllegalArgumentException when the string
// contains businessCategory or jurisdictionCountryName.
X500Principal expectedPrincipal =
    new X500Principal(tlsClientAuthSubjectDn);

// Mappings from descriptor to OID
Map<String, String> map = new HashMap<>();
map.put("JURISDICTIONCOUNTRYNAME", "1.3.6.1.4.1.311.60.2.1.3");
map.put("BUSINESSCATEGORY", "2.5.4.15");

// Convert a string to an X500Principal instance with additional
// information about mappings from descriptor (AttributeType name
// string) to OID so that the Distinguished Name parser under the
// X500Principal class can recognize the descriptors.
X500Principal expectedPrincipal =
    new X500Principal(tlsClientAuthSubjectDn, map);
  • tls_client_auth_subject_dn
  • tls_client_auth_san_dns
  • tls_client_auth_san_uri
  • tls_client_auth_san_ip
  • tls_client_auth_san_email
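The following is an added example, not code from the article or from Authlete's product, that carries the X500Principal snippet above through to the actual check: the pre-registered tls_client_auth_subject_dn is parsed with the descriptor-to-OID map, compared against a presented subject DN with X500Principal.equals (which compares the RFC 2253 canonical forms, so descriptor case and spacing do not matter), and the same string is parsed once more without the map to show the failure the map exists to avoid. The DN strings, class name and method names are constructed for this example; in production the presented subject comes from X509Certificate.getSubjectX500Principal() of the client certificate received at the MTLS endpoint, not from a string.

```java
import java.util.Map;
import javax.security.auth.x500.X500Principal;

public class SubjectDnCheck {
    // Descriptor-to-OID mappings for the attribute types that the
    // X500Principal parser does not know by default (upper-case keys,
    // as in the article's snippet).
    private static final Map<String, String> KEYWORD_MAP = Map.of(
        "JURISDICTIONCOUNTRYNAME", "1.3.6.1.4.1.311.60.2.1.3",
        "BUSINESSCATEGORY", "2.5.4.15");

    /** Parse a DN string, tolerating the OBB-specific descriptors. */
    public static X500Principal parseDn(String dn) {
        return new X500Principal(dn, KEYWORD_MAP);
    }

    /**
     * True if the presented subject matches the pre-registered
     * tls_client_auth_subject_dn. X500Principal.equals compares the
     * RFC 2253 canonical form of both names, so a textual comparison of
     * the raw strings is neither needed nor safe.
     */
    public static boolean subjectDnMatches(String registeredDn, X500Principal presentedSubject) {
        return parseDn(registeredDn).equals(presentedSubject);
    }

    public static void main(String[] args) {
        // Constructed sample value; not a real OBB registration.
        String registered = "CN=example-client,O=Example Bank,"
            + "businessCategory=Private Organization,jurisdictionCountryName=BR,"
            + "serialNumber=12345678000100,C=BR";

        // Constructed stand-in for the certificate's subject. In production
        // this is X509Certificate.getSubjectX500Principal(), which is built
        // from DER and never goes through the string parser.
        X500Principal presented = parseDn(
            "cn=example-client, o=Example Bank, BUSINESSCATEGORY=Private Organization, "
            + "JURISDICTIONCOUNTRYNAME=BR, SERIALNUMBER=12345678000100, c=BR");

        System.out.println("match: " + subjectDnMatches(registered, presented)); // true

        // Without the map the parser rejects the non-default descriptors,
        // which is why a plain new X500Principal(String) cannot be used here.
        try {
            new X500Principal(registered);
            System.out.println("parsed without map (unexpected)");
        } catch (IllegalArgumentException e) {
            System.out.println("parse failed without map: " + e.getMessage());
        }
    }
}
```

The mismatch branch is the one that matters operationally: a registered DN that differs only in an attribute value from the certificate's subject yields false, and a registered DN that cannot be parsed at all yields an exception at registration time rather than a silent accept at the token endpoint.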

Custom Client Metadata

Supported Custom Client Metadata

Vendor-Specific Client Properties

"authlete:frontChannelRequestObjectEncryptionRequired":true

Implementation for OBB DCR Requirements

  1. [customer] Implement a front Client Registration Endpoint that accepts DCR requests from outside.
  2. [customer] Extract the software statement from the DCR request and perform OBB-specific validation on it.
  3. [customer] Construct a new DCR request by merging the client metadata inside the software statement with the metadata outside it.
  4. [customer] Send the newly constructed DCR request (which does not include software_statement) to the Client Registration Endpoint of the authorization server (e.g. a vendor solution) sitting behind.
  5. [vendor solution] Process the flattened DCR request as required by the global standards.
  6. [customer] Get the response from the backend authorization server and pass it to the original API caller.
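As an added illustration of steps 2 to 4 (this is not the article's sample implementation), the following Java class uses Jackson to pull the software statement out of the incoming DCR request, check the OBB-specific software_roles claim, and build the flattened request that is forwarded to the backend authorization server without software_statement. The class and method names, the set of JWT claims excluded from the merge, the rule that statement values override request values on conflict, and the sample request are all assumptions constructed for this example. The signature of the software statement is assumed to have been verified against the directory's keys before decodePayload is called; that verification is not shown, and the sample statement carries a placeholder signature.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ObjectNode;

/** Front endpoint logic for steps 2 to 4 of the procedure above (example only). */
public class DcrFlattener {
    private static final ObjectMapper MAPPER = new ObjectMapper();

    // JWT claims that describe the statement itself rather than the client;
    // they are not forwarded as client metadata. (This list is an assumption.)
    private static final Set<String> NON_METADATA_CLAIMS =
        Set.of("iss", "iat", "exp", "jti", "nbf", "aud");

    /** Remove software_statement from the request and return the compact JWS. */
    static String extractStatement(ObjectNode request) {
        JsonNode ss = request.remove("software_statement");
        if (ss == null || !ss.isTextual()) {
            throw new IllegalArgumentException("software_statement is required");
        }
        return ss.asText();
    }

    /**
     * Decode the payload of the JWS. Signature verification against the
     * directory's JWKS must happen before this is trusted; it is not shown here.
     */
    static ObjectNode decodePayload(String jws) throws Exception {
        String[] parts = jws.split("\\.");
        if (parts.length != 3) {
            throw new IllegalArgumentException("software_statement is not a compact JWS");
        }
        return (ObjectNode) MAPPER.readTree(Base64.getUrlDecoder().decode(parts[1]));
    }

    /** OBB-specific validation: software_roles must be a non-empty array. */
    static void validateObbClaims(ObjectNode claims) {
        JsonNode roles = claims.get("software_roles");
        if (roles == null || !roles.isArray() || roles.size() == 0) {
            throw new IllegalArgumentException("software_roles must be a non-empty array");
        }
    }

    /** Merge statement claims over the request metadata (statement wins; an assumption). */
    static ObjectNode merge(ObjectNode request, ObjectNode claims) {
        ObjectNode flattened = MAPPER.createObjectNode();
        flattened.setAll(request);
        Iterator<Map.Entry<String, JsonNode>> it = claims.fields();
        while (it.hasNext()) {
            Map.Entry<String, JsonNode> e = it.next();
            if (!NON_METADATA_CLAIMS.contains(e.getKey())) {
                flattened.set(e.getKey(), e.getValue());
            }
        }
        return flattened;
    }

    /** Steps 2 to 4 in one call: returns the JSON body to send to the backend. */
    public static String flatten(String dcrRequestJson) throws Exception {
        ObjectNode request = (ObjectNode) MAPPER.readTree(dcrRequestJson);
        String statement = extractStatement(request);
        ObjectNode claims = decodePayload(statement);   // assumed verified beforehand
        validateObbClaims(claims);
        return MAPPER.writeValueAsString(merge(request, claims));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the payload is base64url JSON and the signature
        // part is a placeholder, so this statement would fail real verification.
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = enc.encodeToString("{\"alg\":\"PS256\"}".getBytes(StandardCharsets.UTF_8));
        String payload = enc.encodeToString(
            ("{\"iat\":1620060821,\"software_roles\":[\"DADOS\",\"PAGTO\"],"
           + "\"redirect_uris\":[\"https://client.example/cb\"]}").getBytes(StandardCharsets.UTF_8));
        String statement = header + "." + payload + ".placeholder-signature";

        String incoming = "{\"token_endpoint_auth_method\":\"tls_client_auth\","
            + "\"software_statement\":\"" + statement + "\"}";
        System.out.println(flatten(incoming));
    }
}
```

The forwarded body keeps token_endpoint_auth_method from the outer request, adds software_roles and redirect_uris from the statement, and drops iat and software_statement, which is the shape the backend in step 5 expects. Because the backend never sees the statement, every OBB-specific check has to live in validateObbClaims or in the verification step that precedes decodePayload.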

Client Registration Endpoint for OBB-Specific Requirements

Sample Implementation

Finally

Takahiko Kawasaki

Co-founder and representative director of Authlete, Inc., working as a software engineer since 1997. https://www.authlete.com/
