OIDF Certification Tool Workshop – FAPI Brasil and DCR - Phase 3 (03/08/2021)
Regulatory Summary
In line with the Open Banking Brasil certification calendar, the workshop in English on the OIDF Certification Tool – FAPI Brasil – Phase 3 was held. (Version with simultaneous translation: https://youtu.be/1LA_QzmQ0FA) The objective of this event was to give Phase 3 institutions a demonstration of the FAPI Brasil and DCR profile conformance tests that are required for the issuance of the security conformance certificate, including a question-and-answer session. The OIDF platform with the Phase 3 API in beta version was made available on 02/08 and covers the same security profile used in Phase 2.
Transcript and Content
Host: Good morning everyone, good afternoon for others. So now I want to give the floor to the OpenID Foundation team. I don't know if Mike or Joseph are online.

Mike: Sure, this is Mike Leszcz, OpenID Foundation program manager. I wanted to first thank all the participants for joining us today. The goal of today's workshop is to provide a comprehensive demonstration of the FAPI conformance suite for Brazil, in support of phase three institutions certifying their deployments of FAPI, and a secondary goal is to provide ample time for questions and answers. So I will cue the answers up; you can come off mute during the demonstration. Joseph Heenan, the certification program lead, who will be doing the demonstration, will pause at certain points to allow for questions, but also feel free to put your questions in the chat and I'll queue those up when appropriate for Joseph and others to answer. So thank you again, and I'd like to introduce Joseph Heenan, OpenID certification program lead.

Joseph: Thanks Mike. So hi everyone. There's no slides today, so I'm going to jump straight into a demo. Just a reminder though, this is a follow-on from the previous workshop, so I'm not going to cover the content that we showed in the previous workshops, just going through the very basics of running the suite. I'm going to concentrate today on just what's changed since the last workshop. Just share my screen. So I'm just starting off by showing you the releases page for the suite, so this is the main place you can look at to get information when things are changing in the suite. So the release you can see here is the one we made yesterday, which is the first release that supports using the payments API instead of the accounts API, because I believe a lot of the phase three institutions will only support the payments API.

Host: Hey Joseph, just a second, I'm sorry to interrupt you. It's just that I think we are having a problem here with the translation. I'm sorry, Alex, can you please check on that? Because I think that maybe we reached the maximum capacity on the Zoom and some people are not able to enter the Zoom room. Can you please help us, guys, check this real quick? Alex, can you hear us? We are checking the problem here, but I think we can move on and go on with the workshop and everything is okay, so I give you the floor again.

Joseph: Thank you. Okay, great, thank you.
Joseph: So yeah, as I was saying, this is the release we put out at the weekend, so it has payment support, and there's a link here to an example configuration so you can see a working configuration for payments. So that's this page here, which now has three different examples on it; the one using payments is the third one. So this is a JSON config that you can just cut and paste into the conformance suite as before, and this one is just set up to use payments instead of the data endpoints. So I'm just going to run through some tests using that configuration now.

So I've already logged into the conformance suite and this is just the home page. So as before we go to create a new test plan, and it remembers the previous configuration I've loaded, which already has many of the things set correctly. So FAPI1 Advanced Final authorization server test. This example uses private_key_jwt client authentication; we're just using by value for request objects in this case rather than using the pushed authorization request option; the profile here has to be Open Banking Brazil, and we're just using a plain response. So I will just copy the configuration from that page and paste it into the conformance suite. So all the fields are the same as before, but I'll again emphasize: this alias field is used as part of the redirect fields. If you're copying this example configuration to create your own, you must change this value. This value is what makes the redirect URL for your test unique, so that it doesn't interfere with other people that are running the same tests on the same server, and so you should put something like your company name in there. If you don't do that you'll quite often find that your test will be interrupted because somebody else is using that same alias, and obviously with 400 banks expected to be testing in this next phase it's going to be a mess if you don't all use unique aliases. So just please make sure you use a unique value for your company here.

So the change for payments is that we now specify payments in the scope here instead of accounts. As always there's a help field here which tells you more about that and explicitly gives a bit of help for Brazil. Then if we scroll down there are some other changes. So the resource URL we're testing against is now the payments initiation endpoint, the consent URL we're using is now the payment consents, and there are two new fields, the payment consent request JSON and the payment initiation request JSON. These are fields that you just need to put raw JSON into, which will become the body of each of the requests, so you'll need to refer to the standards and what is possible on your own server to get these set up correctly. Obviously these examples are correct for the mock bank, but you may well need to use different values on your own bank.

So as before, once you've filled everything in you just press create test plan, and then we can start running tests. So once the proceed with test button appears... Okay, so this test has gone into interrupted. So if we scroll to the bottom of the test, get rid of this first so I can actually scroll to the bottom, we'll see the test has been stopped due to an alias conflict. So this means that somebody else is using the example configuration at the same time as me. If anybody on the call is doing that, it would be great if you could stop for a few minutes just so I can run the demo. I'm going to try again and hopefully be successful next time. So I'll just press the proceed with test button. I've actually already logged into the mock bank in this session so it didn't ask me for a username and password, but if you do need the username and password they are on the wiki page with the example configuration. So I just click that I consent and press continue, go back to the results page, just wait a second, and then I get another proceed with test button and just do exactly the same process again, and then the test goes to passed. And then as before you would return to the plan and run the next test. Just carry on. People that have listened to me before will remember that the next test requires that you reject the consent, so again this time I don't select the consent button here and just press continue. Hmm, why did I switch that off and switch this on? Unfortunately someone else is still using the same alias, which is why I get this error again, so I'll just give that a quick go again.

Ralph: Just scroll down, Joseph. Cancel.

Joseph: Is that what it is? Right, sorry, thanks Ralph. Yeah, so I did that wrong, so let me just follow Ralph's advice instead. So yeah, just click the cancel button instead. Okay, I don't know what happened there, but if the cancel button had worked there then you would have seen this test go to passed. But the important point was that for this test you do need to follow a slightly different flow. So again nothing else has changed in running the tests in adding the payment support, so you just carry on running through all the tests as usual, and submit a certification as usual.

So that's really all I had to demo today. So the payment support is currently in beta; we're taking on any feedback we get during this week about any problems people have if they try and use it, and we plan to publish the non-beta version on Monday next week, and then as soon as that's published people can start submitting their certifications. And that's really the conclusion of today's formal presentation, so now we've got a lot of time set aside for any questions and answers people have.
Mike: We have a couple of folks raising their hand. Feel free to speak up and ask your questions. Paulo?

Paulo: I believe there are some people here that are seeing the tool for the first time; there are institutions that are only going live on phase three. It would be good if you can give another overview on the fields that are required for the configuration, and mainly be talking about the scopes and the APIs that should be used for the certifications.

Joseph: Okay, sure, I can go back and just cover that in a bit more detail. So this is just back to the configuration page again. We did walk through this in a lot of detail in the previous workshop, but just to go through it again. So again, this is the alias field I mentioned, which needs to be used as part of the redirect URLs. This is actually explained quite thoroughly on the main site, which I forgot to show you earlier: the main OpenID website, the certification instructions, and how to run the FAPI conformance tests. Then there is a bunch of additional notes here just on setting up the test. So in particular you need to register some clients with the system being tested, and you need to register these two redirect URLs for the clients, where you replace this part of the redirect URL with the same value that you've entered in this field here. The description field is just a free-form text field that you can use for your own reference, so you can tell the difference between different configurations or different servers you're testing. The publish field should just be left as no; when you're ready to actually submit your certification you publish your results then. This discovery URL is the main point where we know which server we're testing, so you would replace this with the .well-known/openid-configuration file location on your own authorization server, and that would have to be somewhere on your bank's domain name.

And then there are two different clients that you need to create on your system. So this is the client ID on your authorization server for the first client; the scope to be used, which can either be openid and accounts or openid and payments, and this just alters which API the server believes it's testing. So if you put accounts then it believes it's testing the data read API, and for payments it's testing the payment initiation API. There's going to be a further tweak to this later this week as well to cater for organizations that don't support the data API, or at least not the accounts read permission. So there'll be some communication coming out about that at the same point; I think it's already been approved by the relevant working group. The next field is the keys for the client, so this is the JWKS containing the private key that needs to be used to sign the request object and any client assertions and so on. And then there are the MTLS certificates that need to be used when connecting to the authorization server as that client, so there's a certificate, the private key, and any required certificate authority chain that your authorization server needs. And then this is repeated again for the second client, that has a different client ID. The reason we need two clients is that one of the things that the suite tests is checking that various things are correctly bound to a client. So it tries creating an authorization code with one client and then using that authorization code with a different client, which the specification requires to be rejected. And then there are similar tests: once we've got an access token we'll try using the access token with the MTLS certificate for a different client than it was issued to, and that should be rejected, because the access token should be bound to the MTLS certificate for one particular client. And then again there's keys and certificates for the second client.

And then just the last bit is further Brazil-specific, but again every field has help if you hover over this "i". Endpoint: currently you can specify either the payment con... the payment initiation API for this resource URL. This is the main URL that the test uses to test that the access token that's issued is correct and correctly bound to the TLS certificate. So you can also use the accounts API, and with the change coming later this week there's also the option to use the resources endpoint here. And the consents URL, again you can specify the payments consent endpoint or the accounts one. And then there are CPF and CNPJ values, so depending on the requirements of your bank or your server you'll be specifying one or other of these to represent the users or the companies that own the bank account. And then these last two fields are only used if you're selecting payments, so if you're testing using the accounts API you would leave these two blank.
Mike: This is Mike. If this is a good point to pause, we do have a couple of questions.

Joseph: Sure.

Mike: Bernardo, did you have a question? I noted that you raised your hand.

Bernardo: Okay, I have two questions actually. First, let's assume that we are certifying with a single profile, like by value, MTLS, plain response, and later on we find a problem with that profile. Let's assume that for prod, because of that problem, you want to use like private_key_jwt. Will I be able to go prod with a different profile than the one I certified? That's the first one.

Joseph: So that's partly a policy question, I believe, but my understanding is that you should be certifying the exact stack that you are running on production, in exactly the same configuration. So obviously if you're changing the configuration you'll need to re-certify.

Bernardo: Okay, and which leads to my next question. So if I certify in all profiles, then if I want to remove some of them or disable some of them to go prod, is that okay? Because then I'm certifying in all profiles, and if I have a problem with a specific profile I can then disable it to go prod.

Joseph: Okay, provided your profile is correctly advertised on your well-known configuration endpoint file, that's fine, and it's something that we do actually recommend to different banks, to certify as many as you can. But yes, you can switch profiles provided your discovery metadata reflects which profile you want to support.

Bernardo: Right, so that's okay, that's a good strategy then: you certify in all of the profiles that you can and then if you want to disable one it's fine, because you're certified in all of them. That's correct, right?

Participant: That's correct. So look, the ecosystem's put a lot of pain and attention into making sure that the discovery mechanisms that the ecosystem has support a very large number of banks. For example, there are some scenarios where TPPs will have to update their clients at 800 banks. That's why dynamic client registration is mandated and so is dynamic client modification, so you can support those changes. Remember that some of these can't necessarily make that unilateral change. For example, if you have clients registered with TLS client auth and you turn off TLS client auth, you'll have to manage that messaging and manage that migration with your clients. It's not so much of an issue to switch between ... and redirect, but there are TPP impacts and TPP considerations that you have to think about if you decided to do that post go-live.

Bernardo: Yeah, my plan is to decide that before go-live. Now we focus on certifying all profiles, and then before I go live we decide the one we want to use in production, because of that exact problem that you are describing.

Joseph: Yeah, but again, just to emphasize, people should be certifying exactly what is in production, so you shouldn't be discovering new problems as you make a production system. If you do that then your certification is invalid, because you've changed the software or the hardware or the architecture or something.

Participant: So one question is, what exactly is the process once you've passed the test? How can you ask for the... what is the process for asking for the official certification?

Joseph: So this is covered on the website. So if I just go back to where I was on the instructions page, there's a "how to request certification" link just here that describes the exact process for certifying, but the quick summary is that you download your results from the suite using a button that's labeled... actually I can just show you the button. Back to my test results, so there's a button here, "my certification package", which, once you're ready to certify, you press. You upload the terms and conditions page, and just a signed document that's referenced in the instructions; that's just you asserting that you are fully compliant with the API, and it's signed by someone from the bank. Then you press this "prepare certification package" button and that gives you a zip file that you then upload to our service desk, and then we process that and publish it if it all looks okay.

Participant: And so just to confirm, the one certification is about one specific profile? So if I want to comply with MTLS and private key JWT I need to have two certifications?

Joseph: Yes, you'll end up with two zip files in that case, and you can submit both of them to us in a single service desk ticket.
Mike: Okay, this is Mike Leszcz with the OpenID Foundation. Please note I put the submission instructions link in the chat so you can capture it there. And we have a couple of other folks. Carlos, you have your hand up, did you have a question for Joseph?

Carlos: Yeah. Joseph said that the test with payments is in beta, right? So if we do the certification process today, can we do it with the resources endpoints as well, or do we need to wait until the payments endpoint goes on our release status?

Joseph: So do you support the account read permission?

Carlos: Yes, yes.

Joseph: So yeah, it would be fine for you to certify just using the account read endpoint.

Carlos: So there will be no difference between the profiles for data sharing, reading, and payments? It will be the same profile used for both cases, right?

Joseph: Correct, yeah, the security profile is exactly the same.

Carlos: There will be no big difference, like, because on the OpenID website we saw profiles like FAPI and FAPI-RW, so for the Open Banking Brazil we will have just one type of FAPI profile, right?

Joseph: Correct, yeah. It's a little bit complicated because the FAPI profile changed name at the beginning of the year, so the previous draft of the specification was called FAPI Read/Write, but this has now changed name to FAPI Advanced. So yeah, they're essentially the same profile, except that Advanced is the final version of the specification, and Brazil is always using Advanced, the latest final version.

Carlos: Okay, and my next question is about the payment process with Miro. Can I do it in Portuguese? [Question in Portuguese; not captured in the transcript.]

Mike: Bernardo, okay.

Bernardo: So the first one is, I understand that you have multiple submissions, one per profile, but it's a single payment, right? Or do I need to pay for each profile, like one for private key, another for MTLS and so on, or is it a single payment?

Joseph: It's a single payment for all the profiles. The only case where an extra payment is needed is if you're certifying for FAPI CIBA as well, but I think that's not happening until around the November time frame.

Bernardo: Right, and my next and hopefully final question is, you got me a little bit confused with your last statement regarding my question. So the thing that I'm worried about is, if I certify in all profiles, this does not mean that I must support all these profiles in production, right? If I want to certify all of them and later on use a single profile in production, it is okay, right?

Joseph: Yes, that's basically okay. You should probably let us know and we'll remove the certifications for the profiles you're not using. But I will again emphasize the point that you're going to be making an assertion to the central bank that you certified what is your actual production architecture and so on, so I'm not quite following the logic of following this process.

Participant: Just, I don't know if you want to reply to this question or can I move to another one? All right, so one question is, I don't know exactly who said it, but once I'm certified with a certain profile and with a certain configuration, if I change anything in that configuration, for example, I don't know, if I change the DNS or something like that, my certification is now invalid. What does that mean? Once that happens, what are the consequences if I just change something and do not certify again?

Joseph: I guess that's quite an involved question that has different angles. From the OpenID Foundation point of view, if we became aware that you were no longer in compliance with the profile, then we'd contact you and perhaps ask you to re-certify, or the eventual position would be that if we were sure you weren't compliant the certification would be revoked. The other angle is that my understanding is that the banks have to make an assertion to the central bank that the system they have FAPI certified is to all intents and purposes identical to their production system. So I presume sending something to the central bank that may turn out not to be true would have particular consequences, but not being Brazilian I can't speak to what those are.

Participant: Yeah, it makes sense. I wasn't aware of this assertion about asserting that our configuration in production is the same as the certification, but I'm gonna look for that later. Thanks.
Mike: Okay, so we have a couple of questions in the chat we should queue up. You might want to switch over there just to take a look. I'll highlight the first one: there was a question about the test with the payment endpoint still being in beta, right? So can we do the certification process with the consents v1 and resources v1 endpoints?

Joseph: So this, I think I did try to answer this earlier. So if I remember correctly, the current suite requires that you support the accounts read permission. If you don't support that permission you can't certify at the moment. So if you do support that account read permission you can certify. There's no way in the Brazilian security profile to get access to just the resources endpoint, so you can't test using purely the resources endpoints. The two options on the table at the moment are the accounts endpoint or the payment initiation endpoint. There are, I believe, one or two banks that don't support the accounts read permission but do support a different read permission, so we're expecting a release later this week, hopefully, that should enable those banks to certify. I think that will use the resources endpoint, but it will still require the bank to give a permission other than just the resources read permission.

Mike: Thanks for that Joseph. There was a second question in the chat. It's from Julio. The question is: I don't know if it was clear to me, but for certification does the front end also have to be built, or would it be enough for the back end to be ready for us to be certified?

Joseph: I mean, you will definitely need some front end. From the OpenID Foundation point of view you don't need an awfully comprehensive front end built to be able to certify, but this does go back to the same point I was making, that you're making an assertion to the central bank that what you are doing your FAPI certification for is to all intents and purposes identical to what you're going to be putting into production, and it sounds like it's that latter point where certifying without a complete front end could come unstuck.

Ralph: Just to comment on that, remember this is only part one of the certification process. You also have to pass the functional certification suite for payments, which uses a very similar setup, and in that setup one of the tests is to take a screenshot of your consent screens and processes, and they'll be passed to, I believe, the UX working group to make sure that they meet the UX and customer experience guidelines. So whilst you may be able to pass the OIDF tests, you won't be able to pass the functional tests without that appropriate check and those screens and customer elements being built.

Mike: Thanks for that Ralph. We have another question. Please go ahead.

Participant: I mean, this is not a question. I'm going to switch to Portuguese because this is a question for Miro, not necessarily for you guys. [Discussion in Portuguese; not captured in the transcript.] So yeah, that was it for mine; these were some regulatory-specific Open Banking Brazil questions, but you can go ahead.

Mike: Carlos, did you have another question? Carlos, did you have another question? I see your hand's still raised.

Carlos: No, no, sorry.

Mike: I think we've covered all the questions in both the chat and hands raised. Are there any other questions? Miro team, are there any questions on the Zoom session that we need to address?

Host: I believe not, Mike.

Mike: Okay, if there's no other questions, Miro team, I trust that this session will be published both in English and Portuguese and shared with the Open Banking ecosystem. We'll do the same on the OpenID Foundation site as well.

Host: Yeah, so thank you for your time, Mike, Joseph and all the other participants. If you have any questions you can send them as email and we try to answer as quick as possible, and I think that's it. Thank you, thank you for your time everyone. Thank you all.

Mike: Great, thanks everyone, thank you.