As the first phase of Open Banking Brazil (OBB) is rolled out, we have been receiving many inquiries about how we comply with the specific regulatory requirements of the initiative. For this reason, we wanted to update everyone on the status of our product and where we stand. The current version of our product, the Curity Identity Server 6.2, is already very close to being compliant, because it supports the Basic OpenID Connect profile as well as the more advanced Dynamic and Hybrid OpenID Provider (OP) profiles. In addition, it supports several important financial-grade profiles, such as FAPI and CIBA. As the regulations evolve, we continue to closely align our product functionality with the OBB requirements.
There are two specifications in OBB: a FAPI-based security profile and a Dynamic Client Registration (DCR) specification.
For the first, the gap between what is already available in 6.2 and what is required includes support for:
- JWT Secured Authorization Request (JAR)
- Pushed Authorization Requests (PAR)
- Encrypted request objects
All of these will be included in version 6.3. They have already been coded and are now in the testing and documentation phase. The OBB tests were merged into the main development line of the OpenID Foundation's conformance suite on Friday, June 11; we had already started testing against them on June 8, before the merge. That testing will conclude in the next week or so, after which we will submit our results to the foundation.
Version 6.3 will ship on July 5. We had planned to release it on June 28 but delayed because of vacations. Since we are making such good time, however, we will try to bring this date forward. July 5 is the latest that 6.3 will ship.
In 6.3, we’re also hoping to have support for JWT Secured Authorization Response Mode (JARM). If this doesn’t make it into 6.3, it will be in 6.4, which will ship in mid-August. 6.4 and subsequent releases may have other functionality that will help comply with non-mandatory aspects of the OBB regulations.
Compliance with the DCR specification does not require anything to be added to our product. It does, however, require that certain OBB-specific checks be handled by an API gateway or integration service positioned in front of the Dynamic-OP-compliant DCR endpoint of our product. Specifically, the requirements listed below (quoted from section 7 of the OBB DCR draft) must be handled by such an intermediary:
- shall validate that the request contains software_statement [sic] jwt signed using using the PS256 alg issued by the open banking brasil directory of participants
- shall validate that the software_statement was issued (iat) not more than 5 minutes prior to the request being received
- shall validate that a jwks (key set by value) was not included
- shall require and validate that the jwks_uri matches the software_jwks_uri provided in the software statement
- shall require and validate that redirect_uris match or contain a [sic] sub set of softwareredirecturis provided in the software statement
- shall validate that requested scopes are appropriate for the softwares authorized regulatory roles
- should where possible validate client asserted metadata against metadata provided in the software_statement
- shall populate defaults from values within the software statement assertion where possible
- shall grant the client permission to the complete set of potential scopes based on the softwares regulatory permissions included in the software_statement
All other requirements of the authorization server listed in the OBB DCR spec (e.g., related to discovery) are supported by the current version of the Curity Identity Server. In the future, we may add new features that will allow the above requirements to be met directly in our product’s DCR endpoint. Even if we do, it will not come this summer, so customers should plan to proxy DCR requests through an integration service or API gateway that can address the above requirements.
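As an added example, not Curity's code and not part of the original post, the following Go program sketches the intermediary described above. It verifies the software statement first (compact JWS, alg PS256, signature by the directory's key, issuer, iat within the last five minutes) and only then applies the request-level checks: no jwks by value, jwks_uri equal to software_jwks_uri, redirect_uris a subset of software_redirect_uris, requested scopes permitted by the software's roles, and the granted scope populated from the full set the roles allow. The directory issuer URL, the software_roles claim and the roleScopes table are assumptions made for this example, and SignStatement stands in for the directory of participants so that the sample runs offline with a freshly generated key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"strings"
	"time"
)

const dirIss = "https://directory.example" // assumed issuer of the directory of participants

// Software statement claims. software_jwks_uri and software_redirect_uris are the names the
// OBB DCR text quoted above refers to; software_roles and the roleScopes table are assumptions.
type SoftwareStatement struct {
	Iss          string   `json:"iss"`
	Iat          int64    `json:"iat"`
	JwksURI      string   `json:"software_jwks_uri"`
	RedirectURIs []string `json:"software_redirect_uris"`
	Roles        []string `json:"software_roles"`
}

// Registration request fields the intermediary inspects before forwarding the request.
type DCRRequest struct {
	SoftwareStatement string          `json:"software_statement"`
	Jwks              json.RawMessage `json:"jwks,omitempty"`
	JwksURI           string          `json:"jwks_uri"`
	RedirectURIs      []string        `json:"redirect_uris"`
	Scope             string          `json:"scope"`
}

// Illustrative regulatory-role -> scope table (an assumption, not the real OBB mapping).
var roleScopes = map[string][]string{"DADOS": {"openid", "accounts", "customers"}, "PAGTO": {"openid", "payments"}}

var pss = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash} // PS256 as defined in RFC 7518

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignStatement stands in for the directory of participants so the example runs offline.
func SignStatement(key *rsa.PrivateKey, ss SoftwareStatement) string {
	payload, _ := json.Marshal(ss)
	input := b64([]byte(`{"alg":"PS256","typ":"JWT"}`)) + "." + b64(payload)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPSS(rand.Reader, key, crypto.SHA256, digest[:], pss)
	return input + "." + b64(sig)
}

// VerifyStatement checks: compact JWS, alg PS256, signature by the directory key, iss equal to
// the directory, and iat not more than five minutes before now. Claims are only read after
// the signature has been verified.
func VerifyStatement(token string, dirKey *rsa.PublicKey, issuer string, now time.Time) (*SoftwareStatement, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("software_statement is not a compact JWS")
	}
	var hdr struct{ Alg string `json:"alg"` }
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "PS256" {
		return nil, errors.New("software_statement must be signed with PS256")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPSS(dirKey, crypto.SHA256, digest[:], sig, pss) != nil {
		return nil, errors.New("software_statement signature is not from the directory")
	}
	var ss SoftwareStatement
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(body, &ss) != nil || ss.Iss != issuer {
		return nil, errors.New("software_statement payload is malformed or not issued by the directory")
	}
	if issued := time.Unix(ss.Iat, 0); issued.After(now) || now.Sub(issued) > 5*time.Minute {
		return nil, errors.New("software_statement iat is in the future or older than 5 minutes")
	}
	return &ss, nil
}

// ValidateRegistration applies the remaining checks and returns the scope value to register:
// the complete set the software's regulatory roles permit, whatever subset was requested.
func ValidateRegistration(req DCRRequest, ss *SoftwareStatement) (string, error) {
	switch {
	case len(req.Jwks) != 0:
		return "", errors.New("jwks by value is not allowed; use jwks_uri")
	case req.JwksURI == "" || req.JwksURI != ss.JwksURI:
		return "", errors.New("jwks_uri must equal software_jwks_uri from the statement")
	case len(req.RedirectURIs) == 0:
		return "", errors.New("redirect_uris is required")
	}
	for _, u := range req.RedirectURIs { // must be a subset of software_redirect_uris
		if !contains(ss.RedirectURIs, u) {
			return "", fmt.Errorf("redirect_uri %q is not in software_redirect_uris", u)
		}
	}
	var granted []string
	for _, role := range ss.Roles {
		scopes, ok := roleScopes[role]
		if !ok {
			return "", fmt.Errorf("unknown regulatory role %q", role)
		}
		for _, s := range scopes {
			if !contains(granted, s) {
				granted = append(granted, s)
			}
		}
	}
	for _, s := range strings.Fields(req.Scope) { // an empty scope simply takes the defaults
		if !contains(granted, s) {
			return "", fmt.Errorf("scope %q is not permitted by the software's roles", s)
		}
	}
	sort.Strings(granted)
	return strings.Join(granted, " "), nil
}

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

func main() {
	dirKey, _ := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the directory's signing key
	now := time.Now()
	ss := SoftwareStatement{Iss: dirIss, Iat: now.Unix(), JwksURI: "https://keystore.example/tpp.jwks",
		RedirectURIs: []string{"https://tpp.example/cb"}, Roles: []string{"DADOS"}} // constructed sample
	req := DCRRequest{SoftwareStatement: SignStatement(dirKey, ss), JwksURI: ss.JwksURI,
		RedirectURIs: ss.RedirectURIs, Scope: "openid accounts"}
	verified, err := VerifyStatement(req.SoftwareStatement, &dirKey.PublicKey, dirIss, now)
	if err != nil {
		fmt.Println("reject:", err)
		return
	}
	fmt.Println(ValidateRegistration(req, verified))
}
```

The order matters: nothing in the statement is trusted until the PS256 signature has been checked against the directory key, and the request is compared only against a verified statement. The role-to-scope table is the part a real gateway would have to take from the regulator's definitions rather than from this sketch.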
These are exciting times in the financial industry, and the work that Brazil is doing is pushing many sectors and geographies forward. It is a bit stressful for all involved at the moment, though. Hopefully, this insight into our plans will help alleviate some of that.
If you are interested in OBB specifically, we’ve created an overview of how we can help address the regulatory requirements as they evolve. See how we support Open Banking Brazil.
Update: Open Banking Brazil Compliance
Curity Identity Server 6.3.0 is fully compliant with Open Banking Brazil. Learn more about what is included in this version in the release notes and learn about how to handle dynamic client registration in the resource library.