
Client Registration & Management for Open Finance, Open Banking, and Open Insurance Brazil

This article gives an overview of how SecureAuth enables Data Transmitters to be Open Banking, Open Insurance and Open Finance Brasil compliant by implementing the Security Profile requirements, in particular Dynamic Client Registration (DCR) for Data Recipients/TPPs.

Overview

As per the Brasil Open Finance/Banking/Insurance specifications, Data Recipients must register with a Data Transmitter according to the OAuth 2.0 Dynamic Client Registration protocol. The SecureAuth platform is part of the Data Holder ecosystem and facilitates all the security profile requirements, including all the OAuth capabilities needed to handle the dynamic client registration of Data Recipient entities. Once registered, Data Recipients can use the registered client information to mint CDR-compliant tokens from the SecureAuth authorization platform and retrieve consumer data from the Data Holder in a secure manner.

Register Data Recipient with Brasil Directory

The Open Banking Brasil Directory (Brasil ICP or the Directory of Participants) issues software statements to accredited TPP/Data Receiver organizations. DCR requests against the data provider must contain a software statement issued by the Open Banking Brasil Directory, so the API caller must obtain a software statement before making a DCR request.

The SecureAuth implementation validates the software statement included in a DCR request. The most important part of the validation is confirming that the software statement was signed by the Open Banking Brasil Directory.

A Software Statement Assertion (SSA) issued by the Directory is a digitally signed JSON Web Token (JWT) that asserts metadata values about the client software.

A sample SSA (decoded view) issued by the Open Finance Brasil directory of participants looks like the following (JOSE header first, then the payload):

{
  "alg": "PS256",
  "kid": "542A9B91600488088CD4D816916A9F4488DD2651",
  "typ": "JWT"
}
{
   "software_mode":"Live",
   "software_redirect_uris":[
      "https://www.tpp.com/accounting/cb"
   ],
   "software_statement_roles":[
      {
         "role":"DADOS",
         "authorisation_domain":"Open Banking",
         "status":"Active"
      },
      {
         "role":"PAGTO",
         "authorisation_domain":"Open Banking",
         "status":"Active"
      }
   ],
   "software_client_name":"TPP App",
   "org_status":"Active",
   "software_client_id":"Cki1EbvjwyhPB12NGLlz2",
   "iss":"Open Banking Open Banking Brasil prod SSA issuer",
   "software_tos_uri":"https://www.tpp.com/accounting/tos.html",
   "software_client_description":"TPP App that brings you real time up to date views of your finances",
   "software_jwks_uri":"https://keystore.directory.openbankingbrasil.org.br/b961c4eb-509d-4edf-afeb-35642b38185d/25556d5a-b9dd-4e27-aa1a-cce732fe74de/application.jwks",
   "software_policy_uri":"https://www.tpp.com/accounting/policy.html",
   "software_id":"25556d5a-b9dd-4e27-aa1a-cce732fe74de",
   "software_client_uri":"https://www.tpp.com/accounting.html",
   "software_jwks_inactive_uri":"https://keystore.directory.openbankingbrasil.org.br/b961c4eb-509d-4edf-afeb-35642b38185d/25556d5a-b9dd-4e27-aa1a-cce732fe74de/inactive/application.jwks",
   "software_jwks_transport_inactive_uri":"https://keystore.directory.openbankingbrasil.org.br/b961c4eb-509d-4edf-afeb-35642b38185d/25556d5a-b9dd-4e27-aa1a-cce732fe74de/inactive/transport.jwks",
   "software_jwks_transport_uri":"https://keystore.directory.openbankingbrasil.org.br/b961c4eb-509d-4edf-afeb-35642b38185d/25556d5a-b9dd-4e27-aa1a-cce732fe74de/transport.jwks",
   "software_logo_uri":"https://www.tpp.com/accounting/logo.png",
   "org_id":"b961c4eb-509d-4edf-afeb-35642b38185d",
   "org_number":"112233445566",
   "software_environment":"production",
   "software_version":"1.1",
   "software_roles":[
      "DADOS",
      "PAGTO"
   ],
   "org_name":"Open Banking Brasil",
   "iat":1620060821,
   "organisation_competent_authority_claims":[
      {
         "authorisation_domain":"Open Banking",
         "authorisations":[],
         "registration_id":"13353236-OBB-CONTA",
         "authority_id":"687a1c94-b360-4e04-9589-0fa5cb16451b",
         "authority_name":"Banco Central",
         "authorisation_role":"CONTA",
         "authority_code":"BCB",
         "status":"Active"
      },
      {
         "authorisation_domain":"Open Banking",
         "authorisations":[],
         "registration_id":"13353236-OBB-DADOS",
         "authority_id":"687a1c94-b360-4e04-9589-0fa5cb16451b",
         "authority_name":"Banco Central",
         "authorisation_role":"DADOS",
         "authority_code":"BCB",
         "status":"Active"
      },
      {
         "authorisation_domain":"Open Banking",
         "authorisations":[],
         "registration_id":"13353236-OBB-PAGTO",
         "authority_id":"687a1c94-b360-4e04-9589-0fa5cb16451b",
         "authority_name":"Banco Central",
         "authorisation_role":"PAGTO",
         "authority_code":"BCB",
         "status":"Active"
      }
   ]
}

The Open Finance Brasil directory of participants has chosen PS256 as the signing algorithm, conforming to FAPI-RW Section 8.6, for signing the Software Statement Assertion (SSA). SecureAuth verifies the signature of this PS256-signed SSA presented in the DCR request body.
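The validation described above, as an added Go example that is not SecureAuth's own code: VerifySSA applies the checks a Data Holder must make before trusting an SSA (alg is exactly PS256, kid resolved against keys assumed to have been fetched from the Directory JWKS, RSA-PSS signature over header.payload, issuer match). SignSSA and the key map are test stand-ins for the Directory; the function and parameter names are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// VerifySSA performs the checks a Data Holder must apply to the SSA in a DCR request:
// alg is exactly PS256, kid selects a key from the Directory key set, the RSA-PSS
// signature verifies over header.payload, and iss is the Directory issuer.
func VerifySSA(token string, dirKeys map[string]*rsa.PublicKey, wantIss string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if len(parts) != 3 || err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "PS256" {
		return nil, errors.New("not a JWT with alg PS256") // allow-list the alg, never trust the token's choice
	}
	pub, ok := dirKeys[hdr.Kid] // only keys obtained from the Directory JWKS are trusted
	if !ok {
		return nil, errors.New("kid not in Directory JWKS: " + hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) != nil {
		return nil, errors.New("SSA signature invalid")
	}
	var claims map[string]interface{}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(pb, &claims) != nil || claims["iss"] != wantIss {
		return nil, errors.New("SSA payload unreadable or not issued by the Directory")
	}
	return claims, nil
}

// SignSSA stands in for the Directory in local tests only: PS256 with salt length = hash length.
func SignSSA(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) string {
	hb, _ := json.Marshal(map[string]string{"alg": "PS256", "kid": kid, "typ": "JWT"})
	pb, _ := json.Marshal(claims)
	si := base64.RawURLEncoding.EncodeToString(hb) + "." + base64.RawURLEncoding.EncodeToString(pb)
	d := sha256.Sum256([]byte(si))
	sig, _ := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, d[:], &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash})
	return si + "." + base64.RawURLEncoding.EncodeToString(sig)
}
```

In production the key map is built from the Directory's published JWKS and refreshed on kid misses, and the DCR handler additionally checks iat freshness and that the requested redirect_uris are a subset of software_redirect_uris.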

DCR configuration in SecureAuth

DCR is enabled by default in SecureAuth when the Open Finance Brasil compliant workspace is created.

  1. In the workspace, go to OAuth > Authorization Server > Client Registration from the sidebar.

  2. In the DCR tab, you can see Enable dynamic client registration enabled.

  3. In the DCR tab, you can see Protected by software statement enabled as well.


Register TPP with Data Provider

To register with a Data Provider, the TPP sends an HTTP POST request to the Data Provider's registration endpoint, which the SecureAuth platform provides as its DCR endpoint. As per the DCR API specification, the registration request must be passed in the request body.

Manage registered TPP

As the Infosec provider component of a Data Holder, the SecureAuth platform exposes all the Data Recipient Client Registration Management endpoints as defined in the APIs.

OIDC configuration endpoints can be located easily within the SecureAuth administrative portal.

Within the OIDC Discovery configuration endpoint, the DCR endpoint location is specified under the registration_endpoint key:

"registration_endpoint": "https://authorization.cloudentity.com:8443/default/openbanking_brasil/oauth2/register"

SecureAuth provides all the DCR APIs defined in the specification for TPP dynamic client registration within the Data Provider ecosystem.