3rd Workshop with OpenID Foundation - Relying Party - (23/11/2021) (English)
Transcript and Content
okay
workshop
banking
simultaneously
hi mike thank you for joining us today
and for
giving us this workshop
joseph is
an expert in the
FAPI
specifications he has helped in defining
the security profile
used in the uk open banking and he is
actively uh
working on the
on the security
security certification for open banking in
brazil
so
thank you so much for
the workshop
um
i'd like to give it a
give it to you now just if you
want to start
great thank you
let me just try sharing my screen
hey joseph this is mike liz while you're
working to share your screen i'll just
highlight that
during the workshop i will post uh
helpful links uh on topics that joseph
is covering in the chat so be be sure to
monitor the chat window
for links as we go through the workshop
thank you
great thanks mike um
so
yeah i don't have any slides to present
today um so the
the
aim of the workshop is to basically run
through how to set up the rps um and
then how to run them and what to expect
and just a few hints and tips on what
you need to
include in your submission
um so the place to start is always the
instructions area on the open id
website within the certification area
particularly for the brazil rp's there's
a set of
specific instructions here in the open
banking brazil FAPI rp conformance
testing and certification overview
so this has a a brief introduction um
you've got the option to either use the
cloud install of the suite or
um for development purposes you can run
it locally
just to get a bit quicker turn around
when you're actually
running for your final set of results to
submit to certification you must use the
cloud installation
so there's a brief bit of introduction
to the test i'm going to run through
this live there's some
hints about exactly which options to
select
various instructions about exactly what
needs to be configured
and
details on how to contact us to get
support
there's a specific section explaining
about the logs that you need to collect
when you're
making your certification request
because unlike the op test there are
some extra logs that you need to supply
to us
and there's also a link to a example
configuration
this just has an example chunk of JSON
and some notes about using it
this is what i'm going to use so i'm
just going to
copy
this i can paste it into the conformance
suite later
so this is the conformance suite let me
just log out to show it from scratch so
this this is the home page of the
conformance suite
so you're asked to log in here
there's no registration required or
anything that the point of the login
process is much just to protect
your own data so that other people can't
view your results
um until you're ready to actually
publish them
so you can log in using either a google
account or a gitlab account so i'm just
going to log in with my gitlab
account which i'm already logged into so
that takes me straight into the suite
then you go to the create new test plan
because i've already run some tests it's
it's reloaded all the settings i used
the previous time
but normally
you would be presented with a screen
like this
then you need to find the
FAPI 1 advanced final open banking
brazil relying party client test plan
so just select that and then select the
actual
client authentication type you're going
to
test
the other settings you're going to use
so each field has a bit of help if you
hover over the little eye
so i'm going to use the example
configuration so i'm just going to
switch to the json tab and replace
everything that's there with what i
copied from
the web page earlier
and if you switch back to the form view
you'll see that it's all been
populated into the fields as well
you can create your own
configuration as well in particular it's
generally a good idea to change this
alias
um because this is a unique value that
forms part of urls when you're running
on our cloud system if you use the same
alias value as someone else
you'll not be able to run tests if
they're running tests and vice versa
it's best to pick a unique id
so the configuration has various keys
pre-provided
you can use your own if you want instead
which is explained how to do on the
testing instructions and what the
requirements are
you need to provide the client ids
you'll use the
public key for the client the tls
certificate the client will use to
authenticate and there's also a second
client which
for brazil is used with encrypted id
tokens because it's mandatory for rp's
to support
encrypted id tokens in brazil because
the banks are allowed to use them
so once you've got the configuration
filled in you press this create test
plan button
so
that creates
the test
so in
all the tests and the test plans
this blue box
at the top of near the top of the page
tells you exactly
what's going on
um
this particular
plan you basically you end up with uh
all the tests are here
twice
um
once they have the the auth request
method set to by value
which is the usual
method of passing a request object at
the authorization endpoint
but then
halfway down there repeated again with
the the auth request method set to
pushed
which are the tests that require you to
use the the pushed authorization
endpoint because
again banks are allowed to support
either way or both so clients are
required to show that they can correctly
do both passing a request object at the
authorization
endpoint
or using the pushed authentication
request standard to push the request
object in advance and then using the
request uri at the authorization
endpoint instead
so to run that test
just pick run test
so what happens the test does a little
bit of setup and then it goes into this
waiting state so this waiting state
means it's expecting you to do something
um
and it's also showing you some values
which you may need to configure into
your client
um so your client will likely require
you to configure either the issuer or
the discovery url or possibly both
these go in where you'd normally
put the url for the bank's
issuer or the
the
bank's discovery url
so
what's happening here is that the
conformance suite is essentially
pretending to be a bank
but not a bank that's actually
registered on the brazil directory
obviously
and it has the various endpoints you'll
need so depending on whether you're
testing
for accounts or payments you need to set
up one of these
sets of endpoints
in your client configuration
and yeah the tests support either the
accounts or the payments flows and which
one happens just depends on
whether you call the payment consent
endpoint or the
um the the normal consent endpoint
so let's say once you've put that
configuration into your client you tell
your client to start
an authorization
and so depending on exactly what kind of
test environment you've got that might
mean that you go to a
development install of your
relying party or your actual
website app and
launch the process to connect a bank
account
or possibly in some cases it might mean
you've got a command line application
that you run that's going to
try
getting the user to log in
and
collect the results and then make the
necessary calls
as you can see this particular test is
testing what we call a happy path flow
so
the client's expected to call the open
id discovery endpoint
which is the this discovery url here
then
because this is a pushed
uh
authorization request expected to call
the push authorization endpoint to push
the
um
the request to the authorization server
and then call the authorization endpoint
which is where the user would normally
enter their username password whatever
interlink
because the conformance suite has just
been a fake bank in this case it's
it doesn't require you to actually log
in it's just going to immediately
redirect you
to your
relying party's registered redirect url
that was passed in the request
with the authorization code
at least with a test that a
testing that's successful flow
and then you're expected to exchange
that authorization code for an access
token at the token endpoint and then
make a get request to the the accounts
endpoint or if you're using
payments you're expected to call the the
payment initiation api there
correctly signed request and so on
so
i have a
slightly
broken client i'm now just going to
run so you can see what happens when you
you run a client
see the test briefly changes to waiting
and then you can see this one's gone to
interrupted and failed
so
if we look at the log you can see
there's
various steps happening and everything
that happens at each point is actually
logged by the suite so
you'll see
the client made an incoming request as it
fetches the open id configuration file
you can see what response
the suite gave which is
all the server metadata
here
and then you can see after that
the client's gone on and called the
token endpoint and as you can see the
the incoming call to the token endpoint
the tls certificate that was presented
all the other parameters um
you can also see the the response where
so this was a client credentials grant
so
token endpoint is just responding
directly with an access token
my client then called the consent
endpoint
so you can see this
in this case i configured it to do
payments so it sent a signed JWT as the
incoming body which i can see here so
the test suite then does some
validation on everything you've
passed there
it checks the
JWT uh
yeah the JWS
is correctly signed
and then you get a response which see
for payments is a
signed JWT as well
then
the client went on
the push request endpoint
you get
and you get to see the exact request
which
you can see the client id and it's
passed in a signed request
object there and then the
conformance suite does various
validation on it and you can see it's
it's stopped at this point saying issuer
mismatch
if you press the more button you can see
what's happened so what it's saying is
that the issuer it's received the
actual one is test client id this and in
my test configuration i had
a different client id
so in this case i've made a mistake in
my
in either configuring my client or in
configuring my test
let's assume in this case that i've made
a mistake configuring my tests i've got
the client id wrong so i can just take
the one that my client has actually
sent i can go to the top of the page and
edit my test configuration
change the client id
create a new test plan
just scroll back down to the test i was
trying to run and start it again
and then if i run my client again
so you can see this time i've got a
different error but it can't find the
keys used to verify this
signature
so again it's
just this kind of iterative process so
um
the mistake i've made this time is that
uh
i've given
my
client that i'm running locally a
different key set to the one that the
suite's configured with so
again you need to go through and
fix the configuration of your client
then run the test again
and so on
so as i say that was the happy flow
test if we go back to the test plan
joseph maybe before we switch
from the happy flow um we did receive
one question from
excuse me from leonardo in the chat
may be best for you to take a look at it
but he had a question about
the test plan um
only having the one option but then in
the
certification listings on the oidf
website there's many different options
so he was uh
asking uh where they had to
choose what option uh uh that they're
gonna use
just so yeah so
if um just
edit my configuration and go back to the
start then um
the those options in the different
columns are these different ones here
so it's the type of client
authentication you use so
both uh mtls client authentication and
private key JWT client authentication
are used in brazil so i believe you need
to run tests with
both to show that you can
correctly do both
so i believe brazil always uses open id
so this option is applicable you can
always use it set it to open id
and then there's the option of
the JARM response mode as well which is
what the other set of columns is
so again i believe in brazil
banks
may or may not support
JARM
uh the
jwt secured response mode
so i believe people need to run tests
with both of these
um unless if you run
the different combinations of that then
you should end up with
that set of tests and the other option
is accounts versus payments and that's
not a configuration option it just
depends what your client does first
whether the test does an accounts flow
or a payments flow so if you just call
the normal consent api it will assume
you're trying to do an accounts flow
if you call the
payments um consent endpoint and pass
the
uh signed jwt and so on then it will go
down the payments flow
you only need to do
one of those
if you're supporting payments then you
only need to run
the payments test because they're
essentially a superset of the accounts
test um
it's just testing the behavior of the
signed api requests and responses
if you only want to access the accounts
apis and don't need write access then
you could just run the account set of
tests
thank you
i think that answered alice's question
as well
yeah so you only need to pay one
certification fee to certify for
these
um one software for
all of these
so yeah
because banks can choose either
authentication method
um rp's do have to be certified for both
authentication types
um
and
final question was if uh
you need to submit individual requests
for certification so
we prefer if you just send everything in
a single request
i think that's probably easiest for both
sides um
yeah so you i'll
show the
actual process a little bit
at the end but basically for
each plan you run uh you'll end up
getting a zip file with the results and
you
you can just
zip all four zip files
together and send them to us in a single
ticket on our certification
request form
great joseph we received a follow-up
question from leonardo
asking if you could show on this page um
where to run the payments from
yeah so it's
you don't select anything in the test
configuration for payments or accounts
it's just
when you actually run the test
if you call
this normal consents endpoint as the
first endpoint call then the test will
run
an accounts flow
if you call the payments consent
endpoint then it will assume you're
doing a payments flow so if you want to
test payments uh you just configure that
as your
payments consent endpoint and then
um
yeah the test will run the payments flow
and expect you to provide a signed JWT
at both the endpoints and so on
okay uh so
let's just
show some of the other tests that might
get running
uh
so there's a
another happy flow test that uses
encrypted
id tokens that just test that your
client can
correctly decrypt the id token and
continue and do a
happy flow
these tests when you start running them
they have a box at the top that tells
you a little bit about what the test
should be doing so
this test uses the second client which
is not client two which was configured
for
encryption
when we look at the the next test
so that this tries uh
this is a negative test it tries sending
an encrypted id token back using the the
rsa one underscore five encryption
algorithm which isn't permitted in the
brazil specs so
the client is expected to
register a failure then
and then there are the more negative
tests so the next one returns an id
token that has an invalid s_hash
in it
it expects the client to detect and
abort the flow
and then there's a whole bunch of
these that do different invalid things
in
the id token and expect the client to
detect the error and stop
and then
once you're passed
those tests um
there's some tests at the token
endpoint
so
checking what happens with uh
if the server fails to return your scope
or returns a valid scope which again the
client is expected to
detect and stop
a test that covers refresh tokens
make sure that the client is correctly
detecting that a refresh token has been
cycled because that's currently allowed
in brazil
just make sure you
you use the new refresh token in a
subsequent call to the
the refresh token grant and then checks
that you use the the access token that
you got back with the last refresh token
to actually access the resource at the
end
and
then there's
another test that requires you to go
through the dcr happy flow
or happy path test
again that's a happy flow test um
it's just running exactly the same as
the others but
the first step here
is that you register a client
as if you were doing
registering a new client at the bank and
then it expects you to follow the normal
with the client that's issued and
successfully get an access token
and then as a
final step this one requires you to make
two calls to
the client configuration endpoint
which is the end point you'd use if you
ever needed to
change the configuration in your client
at a later date
um
so this this is trying to make sure that
everybody that's uh developing an rp is
aware of the existence of particularly
the registration access token
is aware that this can change when you
do a call to read or
write to the client configuration
joseph we have a couple questions i'm
going to go ahead and
cue those up so uh leonardo had a um
a follow-on question if if they run all
um
excuse me if they run all the
different rp tests and submit a
certification request what
certification will they receive
yeah i'm not sure exactly what
it's been referred to as all here um
so i think this is about accounts versus
payments still so um
you only need to run one or the other
if you want to use payments then you
should run payments and that will
also cover you for
accounts
and you only test
payments
so sorry i'm
not following the question here um
if you want to
ask your question in portuguese leonardo
then one of my colleagues dominguez
might be able to
help us get an answer to your question
feel free to just ask on the chat
we have a question from mathias uh about
the tests uh with uh
uh wrong scope and token endpoint
response
um
i cannot remember exactly what that test
returns uh let's see if it actually says
uh so it just returns a random scope
value um so that means
literally random as in it'll be like a
UUID or something um
so it's wrong because you've received
more than you requested or
um
yeah
okay
we have a question joseph from gilherm
uh about the rp accounts mode and
payments mode
i think there's a fair amount of
confusion um around that
yeah um
so i don't know we can maybe try um
getting a
an answer written up for this and
translated into portuguese to see if
that helps um but
um yeah if if you
want access to the payments apis
then you should certify using
payments mode
that will also
give you access to accounts
so the only difference between accounts
mode and payments mode really is that in
payments mode signed api requests and
signed api responses are used so
essentially if you can demonstrate that
you can successfully make signed api
responses
so if you can make signed api requests
and deal with signed api responses
correctly
then you've proved that you can do
either variant correctly and you get
access to both sets of apis if you're
if you only want access to accounts then
just run the accounts test and you don't
have to worry about signed requests and
responses
obviously you won't then get access to
the payments apis
um joseph just two other points uh
victor had a question about the logs um
when sending uh submissions so probably
best to table that until we get to that
point
um
when you walk through the submission
process and i'll just also note that
fabian just shared with me that there is
a
number of questions uh that came in
prior to the workshop yesterday that uh
will queue up at the end of the
demonstration
okay great um
so leonardo has posted some more images
so i'll just try and cover this
um so if you run with payments um then
you will get an entry somewhere in one
of these four columns but you need to
run the tests four times to get
each payments column so
when you're running with payments
or whichever you're using you need to
run
multiple test plans so you need to run
once with mtls you need to run once with
a private key JWT
and
then you need to repeat those
um
using the plain response mode and using
JARM to get
all four sets of
submissions
and so yeah so i
finished going through the test
modules
basically covered all the the major
different variants you see so i just uh
covered the
actual certification process a little
bit
uh
so if we just go back to the
website then uh
there's a set of instructions on how to
request certification after successfully
completing conformance for FAPI
rp's
so
this has a number of steps and you just
need to
follow the steps
essentially what happens is that from
this view on
the plan once you run all the tests and
they all show passed and like my ones um
there's this certification
package button here
so when you press that it asks you to
upload two files
so the first one is the certificate
certification of conformance file
so again that's
covered in the instructions um
there's a form here
you need to download it
fill out the fields
and
the the one field that everybody
struggles with is the certification
profile but you can just copy exactly
what's shown on the test result
here
into the pdf form
the form that needs to be signed it can
be a electronic signature um
either a proper kind of docusign style
real structure or
putting uh equivalent to a wet signature
as an image it's it's fine as well
if you need to you can
print it out do a wet signature and scan
it
as long as it ends up with a signature
there of the appropriate
person that's what we need
so then once you've got that file you
just
upload it here
because you would normally
upload a file and then there's another
field which is the client data for
rp tests only um so this is the the
client side logs um so you need to
manually generate these
explicitly mentioned here and point four
on the submission instructions that this
is evidence demonstrating the
correct behavior
so
to generate these logs you probably find
that you need to
enable some extra debug in your client
probably because it may not be logging
all the errors by default
but what we're looking for here is
evidence that when the conformance suite
has say issued an id token with a bad
signature
we're looking to see that your client
has processed that id token and
has figured out that the signature is
invalid
if you're kind of running the
your client from a command window or
something that would expect it to be
printing out the steps as it goes and
the final step would be an error message
saying something along those lines
um if you're interacting with it as a
website
then we'd expect a screenshot and
again the screenshot should show the
error expected in the test so you may
need to enable some
debugging the web app because by default
it probably wouldn't show these errors
to end users
it might
send them to a log file or something
instead
if you can make it display on the web
page that's fine
if the backend log file just
contains enough evidence for us to see
what the client was doing and that it
did result in an error in that test and
sending the backend log file is fine too
so once you have all those tests just
give them sensible names so we can
figure out which log file relates to
which of the tests zip them up
and
just upload them here
and then press press the prepare
certification package button
so
that will download a website sorry that
will download a zip file to your local
machine
and that that's basically the zip file
that you'll then send to our website if
you look at
the end of here there's a link to the
certification request form
so this again
you should be fairly straightforward to
fill out just put
your organization name and the name of
the software in the summary file
include in the description
anything that we might need to know um
just hopefully select that your tests
have all passed or have only warnings
and tell us how you've paid for your
certification um
so i think for most people in brazil um
you're going to pay on
our fees page
which is linked here
so it's just a form where you need to
put in a few details if you're a member
of the
brazil relying party slack community
um which is highly recommended and
there should be a link to join it like
uh around somewhere uh then anybody
that's in that community can request a
discount code that gives access to
um
the open id foundation membership
pricing for
these tests without you actually needing
to join as a member of the foundation
and then you need to select the FAPI
rp tab here
i'm logged in as a member here so i'm
getting the the 1000 dollar pricing and
then you can just make a payment with
paypal um or if you prefer you can
request a
manual invoice
to be paid by a bank transfer
if you're going for that option uh i
recommend doing that option now and
getting the paperwork process kicked off
as that tends to take a while
uh not on our side it tends to be uh
the banks'
procurement teams that
slow things down so if you can pay with
a credit card via paypal that's
definitely the best way
um the other option is i think there's
about eight relying parties who have
chosen to make a payment via
the chicago advisory central payment
mechanism in which case just select this
option which still mentions miro
will know what you mean
i think that should cover all the
choices as there's a field for regulatory
regime and if you just fill that as a
in as brazilian financial institution
that just lets us
know which
requirements you were trying to meet and
then you just drop
the certification zip file
onto this bit here and wait for it to
upload and then send the form
um
i didn't miss out doing a step here
which is once you've got the file
downloaded from the conformance you just
need to rename it to
have your
company name and software name in it
which is mentioned on the the
instructions
yeah that's the certification process so
i guess we'll switch back to any
questions
hey j so there was a couple of questions
that uh came through um on the chat um
while you were going through the
submission process
excuse me i suggest we go ahead and
cover those and then maybe uh request
fabian to put up the
questions that were posed prior to the
workshop
so i'm going to go up to a question from
marcus
during our dcr testing we identified
that certification.openid.net
ca does not have an authorized or listed
is that a bug
no that that is expected behavior so
the conformance suite is
doing its best impersonation of a
brazilian
bank but obviously it doesn't have the
brazilian pacific certificates
so there is
mention somewhere on the instructions
example config
that yeah you may need to just disable a
couple of checks in your client your
cert accepts um
the
public pki certificates that the
certification suite is using
very good
um
we then had a question from wesley can
we use a different client certificate
like a third certificate and config for
the FAPI 1 advanced final client
uh test
it's like the op tests that currently
use a different client for the dcr flow
test different from the configured
so we can use a different software
statement and a pair of certificate and
jwks keys or just for the dcr flow
there is no option to do that currently
um
if it's an absolute hard requirement uh
can you raise uh an issue in the suites
issue tracker and
explain
why
i think we've already had about five
certifications through so i think
people are certainly finding it possible
to
pass all the tests with without needing
to use that separate certificate
okay uh shall i uh stop sharing my
screen then and uh fabian can put up the
other questions maybe
yeah i think that's probably best fabian
do you want to put up the uh the slides
with the questions that you shared with
me
sure just a second
thank you
so yeah last third we sent um
a forms for the ecosystem to to send
previous questions to to the workshop
and we've got 15 questions that are two
slides here so
the first one i believe it was covered
but just to go through all of them does
the payment initiation certification
includes the tpp scope for the data
receivers
um i don't actually quite understand
that
question um
here would be if the phase 3 rp scope
the certification also includes the
certification for the phase two
uh yes that's correct yes
the second one are image error logs
needed for the available tasks because
this
the person who
who
asked that said that
they didn't find a
where to
where to share the
images or the logs during the tests
yeah so that was just the final step i
showed at the end when you after you
press the prepare set
after you press the certification
package button at that point
you upload a zip file with the logs for
all the tests in that test plan
great thank you joseph
uh the third question do the tasks need
to be implemented with the application
used for the user
um so my understanding is that
they need to be the final
software stack that will be the one used
by the user um
but exactly what that is will obviously
vary between
institutions depending on exactly how
their application works i think
so the fourth one
it's related with the
the questions you were answering
previously so how is it going to be
validated if the certification is for
payments or accounts
or
is it by the url used by the client the
certification logs
so when is
someone submit a certification how do
you know how they indicate if it if it
is for signed or unsigned scope
yeah so it's really by looking at the
the url that they used um
which you can see on on on the results
page in the conformance so you can see
if the first endpoint they called was the
accounts consent endpoint or the
payments consent endpoints
the fifth one could you retire the
redirect uri parameter please
um
it's potentially quite a long answer
depending on
what amount of existing knowledge we're
assuming um
so i mean the the redirect uri would
be a
url on
the tpp
forget which terms we're using in brazil
uh in the relying party's website
um that is the one that the bank would
normally send the authorization code to
so it's it's just that url um
so
if you've reconfigured the
software and you've deployed it locally
on your machine then there's a good
chance that would be a local host url or
something of that nature
joseph
the sixth one is is the rp certification
mandatory for tpps
uh for data receivers
is there a regulatory deadline
this one i'm gonna share with you the
the group on the on the chat
the
the link with all the details for the
certification both for
tpps and for the banks
yes it is mandatory
and
going to the
seventh question how many tasks are
executed for rp certification both on
signed and unsigned scopes
um
so i think uh the the test set is about
25 tests um and you need to run them for
the different combinations i
i
think that would work out to be uh
200 tests in total i mean
once you've gone through
so the expectation would be that you've
fixed any problems in your your client
and
you should just find that the later ones
pass unless you've done something wrong
in one of the
um
cases that's been
changed if that makes sense sorry
um
so yeah and it's
it's the same number of tests for both
signed and unsigned as i said you only
need to run either the unsigned or the
signed test you don't have to run both
going to the last one in this page is
there a spreadsheet website description
detailing each of the tasks
um
so the page i was showing after you uh
earlier after you've created the plan
that that has a list of all the tests on
it and if you hover over the question
mark on each one it has a description of
the test in more detail
and so yeah you just get on the
conformance suite website basically
going to the next page do i need to be
registered on production to run the
tasks or can i run it on sandbox
uh you must not run these tests using
any production certificates
um is my understanding so yeah it needs
to be run on sandbox
what are the technical prerequisites that's
needed before running the test
example digital certificate
so i don't believe there's any
particular prerequisites you should be
able to run using the example
configuration we provided
does the rp certification must consider
all the implementation methods mtls
private key intellistorm private
keychart here
yes so you will need to um run through
them all because basically the the banks
are allowed to use any of these and
that they're not required to support
all of them which means the tpps or the
relying parties so i have to be able to
support
all the different options
how long does it take for open id
foundation to process the certification
after submitting the logs
so it varies a little bit
we usually quote five working days
but
around the time of any
deadlines i think a bit slower so i know
um around
the end of october or something i think
it was much closer to two weeks for
anybody that submitted very late in
october
um
so yeah but
it should be under five days unless we
get another
deadline that's resulting in lots of
submissions
does this time consider
the time to
for the publication on the website on
the open id
website
yeah so as soon as we've uh processed
the certification and determined
you've met the requirements and
submitted the right log files and have
paid and so on then
the publication onto the website is
essentially immediate
it's the next step just after we've
verified your results
and the last one here after getting the
certificate what do i need to do before
acting as a tpp for example registering
the certificate in production
so yeah i presume that questions
for a non-idf person on the brazil side
[Applause]
i presume there's some kind of process
of
asking the service
desk to enable your production access or
something like that
uh
i'll try
hi can you hear me
uh sorry i was on mute actually that's a
very good question um
but in any case
part of that is there's there's been
actually a central bank
uh proposing and where we will be
discussing a a formal process of
of uh tests
uh uh for the
uh before entering in into into
production so that will still be defined
thanks andre
joseph we have a couple of follow-up
questions from leonardo in the chat um
he posted one right before
um
fabian posted the github
link
um
it's about private key
uh
i think you might have covered that when
you showed where you could select the
different tests right
yeah so um
yeah that's a different profile sorry
this is dominguez so that's a different
profile you need to submit a new request
but there's no fee on it
right
you can also submit every run every of
the
combinations of the profiles and
submitted in one single request
uploading the entire logs and each
profile we will process it and
grant different
uh different profiles and one thing we
request it also works
thank you dominguez thank you dominguez
let's see
i think that answered leonardo's
question we got another quite following
question in the chat um
joseph from talus um
is jarm response mode mandatory for all
brazil rp certification
um okay so i did not know that the uh
about the second
part that uh
tells um quotes there so
um
if the
aspsps are required to support a
non-jarm profile
then i guess it probably isn't mandatory
for
relying parties to certify for jarm
yeah we may just need to double check
that one with the andre or something as
as part of this
process for getting
people onto production
yeah thanks for that extra image pal so
yeah if that's correct then
um
i presume relying parties would only
want
need to certify for jarm if they wanted
to use jarm for some reason
are there additional questions
if you have a question you can
raise your hand
or send them to chat or open your
microphone
carlos said uh
one here if he pays the certification
fee today
could he submit the certification
request in july 22.
yep we're gonna have to take that
offline the original intent was for the
discount codes to expire at the end of
december
i know there's been some shifting
milestones so we'll need to reconsider
what the
time frame is for that and we'll
communicate that to uh
chicago advisory so that they can
communicate to the ecosystem
oh fabio don't you
foreign
uh but if he gets the
the discount
and he pays this year
uh but he only wants the certificate uh
six months from now
when he's paying it now
does it work
i think we'll need to confirm that one
offline because
that is not a situation we had
um
expected to happen um
yeah if uh whoever was asking sorry i
lost track i could maybe drop us an
email at the
certification team address then we'll
make sure he gets an answer
yeah so the question the the
the question
came up is because they might not they
believe they might not be able to be
ready to get their certificate before
the end of the year and in in the
understanding the discount only applies
until the end of this this calendar year
um they obviously would be maybe
interested in paying upfront to
ensuring that they get the discount and
only being certified sometime next year
yeah for sure so witnessed the stanley
ask we just need to
check the answer before we give it
[Music]
so
my
so i understand we we don't have further
questions
uh i'd like to thank you
again let me have something i'm doing
this from now i guess
so let me ask something does the banks
have any idea of the timeline for
submitting because we are seeing some
submission then we know how close the
banks are we need to better understand
the workload that's ahead of us
do you have any idea
yes i've shared
i shared a link uh
on the chat i'm gonna send a
send it again
it has some guidelines for certification
[Music]
for both uh unsigned and signed its
scope
the
the the deadline
for the deadline for unsigned scope to
access it for
a data receiver it's 3rd of november
[Music]
the deadline for relying party is just
prerequisite to act as a payment
initiation
and all the details around this
document
i'm sending on a chat
any other questions
so i really would like to thank both
joseph mike and dominguez for
participating here in the workshop
um
[Music]
both of the
portuguese and english versions of the
workshop were recorded and we're gonna
share that on the
we're gonna publish that on open banking
brazil youtube page
and we're gonna send the links to the
informs
thank you so much wish you a good day
thank you
thank you
thanks everyone
bye
[Music]