OpenBanking-Brasil / specs-seguranca

Documentation of the specifications of the Open Banking Brasil Security Working Group (GT de Segurança). The specifications are still in draft and must not be used for implementation.

Standardization of request_uri html/eng #386

Closed karinacabral closed 1 year ago

karinacabral commented 1 year ago

Addition of the following information to item 5.2.2:

  1. shall ensure that, in case of sharing the Authorization Server for other services, in addition to Open Finance, it does not disclose and/or allow the use of non-certified methods in the Open Finance environment;
  2. shall ensure that the settings disclosed to other participants through OpenID Discovery (indicated by the Well-Known file registered in the Directory) are restricted to the operating modes to which the institution has certified;
    1. shall keep in its settings the methods for which there are still active clients;
    2. shall update the records that use non-certified methods, through bilateral treatment between the institutions involved.
  3. shall refuse requests, for the Open Finance environment, that are outside the modes of operation to which the institution has certified its Authorization Server;
  4. must refuse authentication requests that include an id_token_hint, as the id_token held by the requester may contain Personally Identifiable Information, which could be sent unencrypted by the public client.
  5. the minimum expiration time of request_uri must be 60 seconds.
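As an added example (not code from the repository or this PR), a small Python conformance check over the rules proposed above: it flags well-known settings that fall outside a certified profile (item 2), refuses authorization requests that carry an id_token_hint or a non-certified response_type (items 3 and 4), and checks that a PAR response (RFC 9126) grants the request_uri at least 60 seconds (item 5). The certified profile and the discovery document are constructed sample values, not any institution's real configuration.

```python
"""Conformance checks for the Authorization Server rules proposed above (added example)."""
from dataclasses import dataclass

MIN_REQUEST_URI_LIFETIME = 60  # seconds; item 5 of the proposal


@dataclass(frozen=True)
class CertifiedProfile:
    """Modes the institution is certified for; the values below are constructed examples."""
    token_endpoint_auth_methods: frozenset
    response_types: frozenset


CERTIFIED = CertifiedProfile(
    token_endpoint_auth_methods=frozenset({"private_key_jwt", "tls_client_auth"}),
    response_types=frozenset({"code"}),
)

# Constructed well-known document that also advertises settings the profile does not cover.
SAMPLE_DISCOVERY = {
    "token_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic"],
    "response_types_supported": ["code", "code id_token"],
}


def check_discovery(doc: dict, certified: CertifiedProfile) -> list:
    """Item 2: list every advertised setting that lies outside the certified modes."""
    findings = []
    for m in doc.get("token_endpoint_auth_methods_supported", []):
        if m not in certified.token_endpoint_auth_methods:
            findings.append(f"token_endpoint_auth_method not certified: {m}")
    for rt in doc.get("response_types_supported", []):
        if rt not in certified.response_types:
            findings.append(f"response_type not certified: {rt}")
    return findings


def authorization_request_allowed(params: dict, certified: CertifiedProfile) -> tuple:
    """Items 3 and 4: refuse id_token_hint and any mode the AS is not certified for."""
    if "id_token_hint" in params:
        return False, "id_token_hint is refused: the id_token may carry PII unencrypted"
    rt = params.get("response_type")
    if rt not in certified.response_types:
        return False, f"response_type {rt!r} is outside the certified modes"
    return True, "accepted"


def request_uri_lifetime_ok(par_response: dict) -> bool:
    """Item 5: the PAR response (RFC 9126) must grant the request_uri at least 60 s."""
    return int(par_response.get("expires_in", 0)) >= MIN_REQUEST_URI_LIFETIME
```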