3rd OpenID Foundation Workshop - Security certification engine (22/06/21) - Original English version
Regulatory Summary
The version with simultaneous Portuguese translation can be accessed at: https://youtu.be/QVQB_uj3Jlo The material presented at the meeting can be accessed at: https://github.com/OpenBanking-Brasil/conformance/blob/main/documents/20210622_OIDF_WS.pdf More details on the Open Banking certification process can be accessed at: https://openbanking-brasil.github.io/areadesenvolvedor/#testes-e-homologacao
Transcript and Content
So Mike, or will you present for us? So we first would like to thank you for joining us on this workshop. We started the meeting discussing with everyone how to set up the real-time translation, so we will have this feature on this workshop, and I believe you guys can start the presentation.
Hey everyone, let me just share my presentation.

So, I'm Joseph Heenan. I think most of you know me by now; I'm the certification technical lead for the OpenID Foundation. Today we're just going to cover three things: I'm going to go through a quick update on where we are with the Brazil profile of the FAPI conformance tests, I'm going to run through a quick demo of the Brazil-specific tests, and then we've got quite a bit of time set aside for Q&A, so I'm hoping, or expecting, that there are quite a lot of questions from people.

In terms of where we are on the timeline, again I think most of you know this. On the 11th of June we put the beta version of the Brazil FAPI tests for banks into production, so they've been available for people to test for 11 days now, I think. They're just based on the existing FAPI 1 Advanced Final test that the OpenID Foundation has.

I think someone put everybody on mute, including the presenter. Thank you very much for pointing that out; I hadn't spotted that. I'm not sure where I got to.

So on the 11th of June we launched the beta versions of the bank tests. They're based on the existing FAPI Advanced Final test that the Foundation has as part of its existing certification tests, and we're now in a bug-fixing and adding-additional-tests phase. On the 14th we put the dynamic client registration test for Brazil into beta. Then on the 22nd, today, we're launching the beta version of the Brazil relying party test, that's the test for the fintechs; they should go into production later today, hopefully. Then on the 28th the expectation is that the bank tests will leave beta, and on the 28th we're also opening up the certification program, and then we're expecting the phase two banks to submit their certifications between the 28th and the 5th of July. All certifications that get submitted by the 5th of July, the OpenID Foundation will have processed and published onto the website by the 15th of July for the go-live.

So next I'm just going to run some quick demos of these tests. This is just using the example configurations that I believe the people at Miro should have shared out. I'm just going to run through quickly the bank tests and the DCR bank tests. Just note that I know some people have tried running these configurations and have been unsuccessful; that's just because there have been a few changes, but we're making sure these wiki pages are being kept up to date with working configurations. So if you do see a problem, just check the wiki page in an hour or two and hopefully we'll have updated and solved it, but if not, just get in touch and we'll help figure out why you can't run the tests.
So let me just switch to my browser. This is what you see after you've logged into the certification suite. Where's my page with the example configuration? Just grab that as well. And this is the wiki page with the instructions for running the suite. So I'm just going to run through this: I'll just grab the configuration JSON, go to create a new test plan, and then it's just a case of selecting the things that this section of the wiki page tells me to. So I'm just selecting FAPI 1 Advanced Final authorization server test, private key JWT, request object by value, select the Brazil profile and just plain response. Switch to the JSON tab, paste in the configuration, and you can switch back to the form tab just to see what's been filled in. Sorry, I just realized I was looking at the wrong wiki page; the other one I was looking at was the DCR configuration, and I was trying to run the non-DCR test. Just grab that configuration, paste it in. That's not the right one either, excuse me. All right, there we go, so that's the right configuration.

We walked through this form in the last workshop, so I don't think there's anything particularly to comment on, apart from perhaps there are some new Brazil values that only went live on the 11th: just the resource URL to use, which is the accounts endpoint, which the help tells you to use, the URL for the consent endpoint as well, and the CPF value to be used when creating the consent. We're going to have a change that should hopefully go into production later today that also offers the option of the other kind of identifier, CNPF possibly, if I got that right, just so that you have the option to use that if your bank only supports business accounts; I believe you'd use that value instead of the CPF.

So just create the test plan and then we just start running tests. The first test is very simple and just does some basic checks of the configuration endpoints. Just continue running tests, and the next one is a lot more involved. We see the proceed to test button comes up, so we just press that and we'll just sign into the mock bank; again, the username and password to use are listed on the wiki page. We just need to expand this section to authorize access to at least one bank account, and consent, hit continue, we get redirected back to the suite, it does some interactions with the bank, and after a second or two you see the proceed with test button appear again. So just press that again and do exactly the same process. It's just doing two slight variations on the same test and getting two sets of valid access tokens, and then one of the things it does at the end, once it's got both, is check that certificate-bound access tokens are working correctly, and that using an access token from one client with a different client's TLS certificate does correctly get rejected. So as you can see that test passed, and there's a very detailed log that shows everything that went on. The log has some heading sections; if you keep an eye on those it gives you a good idea of what's happening in each section. As I say it's quite long, because this particular test has quite a lot of steps, but you can see this final step is the step I mentioned of trying the access token with the wrong client certificate, just checking that we do get an error back; you can see the actual HTTP error that we get. And then it's just a case of going back to the test and carrying on with running the tests.

It's a good idea to pay attention to this blue text here that occasionally contains explicit instructions. For example, this test requires that you reject the authentication or consent; again you proceed with consent, but I think I just switch that off and switch that one, and it redirects back. I have to do that twice for this test as well. And again you just carry on running the tests like this and following the instructions.

For some of the tests, let's just find an example, it may actually end up displaying an error in the browser. So if we try the test for the redirect URL being registered, then when we press the proceed with test button we should get an error back. We don't, but if I had got an error back then I'd just take a screenshot of it, go back to the test and hit the upload button, select my screenshot, upload it, and return to the test log. It wasn't the right screenshot uploaded, but never mind. And then just give it a few seconds and the test will move into the finished state. Then again you just carry on running the rest of the tests in the plan. It will move into the review state; sorry, into the finished state. This just takes a few seconds. Yep, there we go.

And then for running the DCR test it's a very similar process: select the Brazil dynamic client registration test, select the right variants, and just take the config from the wiki page.
Just, Joseph, yep, I'm just noticing some questions are coming in from the group, and the speed might be a little fast for people to keep up; some people won't be following English as quickly as you can tap through the screens. So two questions in the chat: one was, are we planning to include the app-to-app demonstration, and a request to repeat the consent step again, and how to choose the mock bank. Not sure if you can see the chat on the side.

Are we going to cover the app-to-app demonstration? Yeah, so I don't have a test environment set up for app-to-app here. I can briefly talk about how you'd run that. The process is exactly the same except you'd run the test, and we recommend using a tablet-size device, because if you run on an actual phone device you struggle to actually use the conformance suite UI just because of limited screen space. So you just access the conformance suite website on a tablet; when you press the proceed to test button, if the app is correctly installed and set up then that button will switch to the app, and then at the end of the process that will switch back to the certification suite. So obviously that's technically testing web-to-app rather than app-to-app, but we've not found any cases yet where web-to-app works but app-to-app fails, so it seems to be a valid way of testing it.

Great, and then the second question was, if it's not too much trouble, is it possible to repeat the consent step again?

Absolutely. So I've just started up the DCR test, and as part of that I need to run the consent step as well, so I've just got this proceed to test button. There's no need to actually select the mock bank; I'll explain that after I've actually done this bit. So press proceed to test; you just need to expand this bank account information screen and then enable sharing for at least one of the bank accounts, just click to consent to sharing the above data, and then press continue. Pressed that wrong. I think one of these days something will go quite right there. Well, it's loading.

I didn't say it earlier, Joseph; just a reminder to everyone, and we've got a big group: please feel free to raise any questions. No question is a bad question, and the meeting chat's a good way to share those questions. If you want to write it in Portuguese we'll have someone help translate for us.

Yeah, so if stuff like that seems to go randomly wrong, then what you do is just go back to the tab that has the test running in it, just hit the repeat test button and you can just try it again, and with any luck it will work the second time.

We had another question along the way to please repeat the step that did the screenshot upload. I know that didn't actually load fast enough, but again...

There we go, so that's the DCR test passed. Obviously the DCR test plan only has this one test in it at the moment, which just tests the happy flow. We'll add at least one negative test just to check that DCR without a software statement assertion fails, and we'll also add something that just does a quick test that the client management endpoint seems to be working as well. Sorry, what was the step you just asked me to repeat, Gail? I've lost track.

Yes, we had a request to repeat the step that did the screenshot upload, and then I've got a couple of other questions after that.
Cool, so let me just go back to that previous test I was running. Just go to view all test plans, and then I'll go back into the plan I was running before, and then I'll just run that same registered redirect URI screen again and just press proceed with test. Again I'm not getting an error message for some reason, but I'll just take a screenshot of this. I'm on a Mac, so it's just Command-Shift-4, space. Take the screenshot, then go back to the test log. You can either hit the upload images button here, or if you scroll to the bottom of the test there's an attach image to log file button here as well.

The question regarding the upload screenshot is about what exactly we are testing here. Is it that the tool checks if the screen I got is the same that the tool has when it calls the redirect URL? Is that OK, the screens match?

Yeah, so what should have happened in this case is that the authorization server showed an error saying the redirect URL that the request object used isn't actually registered, so it can't proceed and it can't redirect back to the test suite. So what happens then is you upload a screenshot of that error, and then that becomes part of your certification submission, showing that you were actually showing an error as a result of this test. When you submit your results to the OpenID Foundation, one of the things that we go through on our checklist is just making sure the screenshots do seem to match up with what was meant to happen. So it only gets checked manually, right at the point of you submitting your certification.

OK.

Yeah, just uploaded that and returned to the test log. We'll move through. So there was a question at some point about how to select the mock bank. You select the bank you're testing against as part of the configuration, so just hit the edit configuration button so I can go back and show you that. The mock bank was selected as a result of that configuration JSON I pasted in, so to test your own bank you change this discovery URL, that all the endpoints are found from, to the discovery URL for your bank, and then you put in the client ID and the keys that are the ones that are actually registered and work with your bank, and you do that twice.

I can ask the stupid question: so the discovery URL has been named for all the participating phase two banks; do they know what their discovery URLs are?

I would hope so. It's the location where they're publishing this OpenID configuration file, which is one of the specs that is a requirement to support for Brazil. It's just a simple file that lists all the endpoints and the keys that will be used and so on, so it hopefully shouldn't be a surprise to anyone that's testing, if they've got as far as having something to test against.

Maybe if we can pause just for a second. A couple of things: Ralph Bragg raised his hand, so let's see if Ralph has a question or comment. Ralph?
Hi, thanks Joseph. There was a question earlier; somebody was asking how can I test different combinations using the mock bank at once, and it might be worthwhile explaining how you can use the DCR tests to register your client and then use that client configuration inside the subsequent tests.

Yeah, well, that might be a little bit too complicated for me to demo on the fly, but yeah, certainly in the DCR test you can just change the values here, the DCR configuration, sorry, and the test will then register for the different type of client authentication and it will run through. And as Ralph says you could then take the resulting client ID, if you find it in the test log, which I can just show you where to find. That's the wrong test; let me go back to my DCR test. So yeah, if you look at the test log for the DCR test, if you scroll down you'll see the first step is getting an access token and retrieving a software statement, then we do the dynamic client registration, and at the end of this you'll see a parsed registration endpoint response, part of which will be the client ID. If you take that client ID and paste it into the configuration form for the non-DCR tests, then that client will be registered to use MTLS and you can then run the tests against the mock bank using MTLS. We can probably actually just publish an example configuration using MTLS that works, if that would be helpful for people.

I'll add a couple of questions here, and Ralph, I think the last question you're referring to might be this one, so forgive me if I'm wrong, but there was a question earlier: would it be possible to have a working example from Raidiam's mock bank for client auth type MTLS, FAPI auth request method by value? I think you've covered that, right Ralph, in your comments?

Yeah, you can either register one yourself, which is what Joseph has just shown you, or we can just publish a by-reference, plain response mode, MTLS one, which is essentially the option.

Super, thank you. And I saw a question about: is it possible to test with my bank's screens instead of the mock bank's? Joseph?

Yeah, so that is the case where, as I was showing you, just edit the configuration and make sure that you put the discovery URL for your own bank, the necessary client credentials, and just make sure you update the resource URL, the consent URL, the CPF value, so that they match what's valid for your own bank.

And then I see a question in Portuguese, Denio, that came in at 7:26 a.m. in the chat. Not sure if you caught that one; would you like to speak to it for us all?

Actually, yeah, I think Daniel is answering a previous question; it's not exactly a question.

All OK. I think that takes us through the open questions right now then.
OK, I have a couple of questions if I may. The first one is: we've run some tests using the tool for a couple of days now, and there's a problem that we found with the client certificates in the DCR and the FAPI flows, which are evaluating the distinguished name in an incorrect way based on the ICP Brasil requirements. It's a simple matter of just regenerating the certificates in order to comply with the tests, but in fact I think the test should comply with the right Brazilian certificate profile. So where should I raise this issue? Should I open a ticket in the GitLab or should I send it through email?

Yeah, if you can open a ticket in the GitLab that's best.

OK.

So I did have a final slide that happens to answer that question.

It's just a minor issue, though: the tests are using the common name and they're expecting the common name to be the software ID, and in fact the common name for the Brazilian client certificate is an FQDN, and the software ID should be taken from, I believe, the serial number. I would just check.

OK, Alex, I've raised this with the security team before and I've raised this with Marcos. The specification that the security team and Joseph are applying is correct. The specification for TLS client auth is an explicit DN match, which means the common name, which is part of the distinguished name in the ICP, must match. So this isn't an issue with either the specifications or the certification test suite; it's an issue with the ICP-specific specification for the Brazil transport certificate. Now, the Raidiam mock bank deliberately recognizes this problem and is deliberately not 100% spec compliant, because if you use certificates as designed, if you change the common name at all it changes the DN, and if you change it, it isn't an exact match. So the mock bank handles it fine, but the expected names for the conformance and certification suite are 100% as per the IETF specification for MTLS. So I've raised this previously and I've said you have to address this with guidance, but this is one that needs to come through the security working group of Brazil first, because you could change the specs, but as they're written at the moment it must be an explicit DN match: distinguished name, full string, of which you have a common name which you can change whenever you like, and because it's part of the DN it means you're changing the credential ID.

No, I'm good with that, and I think you're right, we should take this back to the table. But, for instance, if I managed to create a new certificate using the CN as the software ID in order to pass the tests, then when I'm going through the certification steps and I use that ICP Brasil certificate, it's going to fail. So I'm not sure exactly how we could handle this.

So if you're going to go through it, it shouldn't fail if you're using the FAPI conformance suite. If it does fail, it's not a FAPI conformance suite issue, it's a mock bank issue, so it means that you need to put a ticket in to us as a mock bank issue. But what I would suggest we do is that we update the example configuration so that it's using the ICP-style certificates and not the legacy OB UK-style certificates, and that way it'll be testing with something that's ICP-like, and so you'll find these issues using the ICP certs. That's easy for us to do; we'll do that this afternoon.

Yeah, OK, because that's exactly it: the suite is getting the CN and accepting it as the software ID, and for the ICP standard it's not. I'm not sure if I make myself clear, and with that this test fails.

I might be able to... OK, I'm going to do this by a ticket, so you can get an official position.

That would be great, thank you.
There have been several questions running in the log I don't think we've covered, so forgive me if we have. There was one question: for the DCR registered clients, where is the JWKS key server running for those clients? I think "jaywalks" is JWKS.

Yeah, that's right. So the assumption is that the JWKS is hosted on the directory, and the suite will register using the jwks_uri that's contained within the software statement that is retrieved from the directory.

OK, there's another question; this has probably already been discussed, but in sandbox are the TPP certs expected to be self-signed? How does OCSP work in that case? That sounds like a question for Ralph perhaps, if you're there, Ralph.

Yeah, so in sandbox there is a fully fledged PKI that is a development version of an ICP PKI. It fully supports CRL and OCSP, so everything that you would need in a real production environment is fully supported by the directory and the trust framework in sandbox.

Thanks Ralph. I see Mike Leszcz has popped the link for GitHub in the chat; some people want to copy it from there. The other links that you have here in this page, Joseph, is this part of a document that the group has already, or, you know, if they want to pull the links from there, should they screenshot this page on their laptops right now?

Gail, this is Mike Leszcz. I'm going to put all the links in the chat, but we'll also be sharing this deck with the Miro team so they can publish this for the entire ecosystem to have access to after the workshop.

Great, Mike. And then another question: can you guys point to docs or examples of how a client should implement a FAPI-based auth?

So a reference, an example client for FAPI, has been published on the security website, it's on the security Git, so there's an example relying party, sorry, FAPI client that you can use to test.

OK, thanks. Next question: can you explain each configuration item that is passing the test?

I'd presume that's basically asking what each value in the configuration is for. Let me just switch back to my browser.

Yeah, I think there was a question, could you explain each configuration item that is passing the test, so I guess that's a little bit of an overview.

So for this, each test item has help if you just hover over this little "i", and there is also a link here: if you look at the OpenID certification instructions and the "how to run conformance tests with FAPI read/write OPs", if we just open that, this runs you rather more verbosely through exactly what you need to do and what to fill in where, where it needs a little bit more explanation than we can include in the pop-up tooltip.

I can quickly run through them, I think we've got time. The alias just forms part of the redirect URLs; it's just because obviously our production server is a shared server that could have multiple people using it. This is just something that goes into the redirect URLs that's unique to you, so that your tests don't interfere with anyone else's and vice versa. The description field is just a freeform field that is really for your own notes of exactly what you are testing. The publish field, you can just leave that set to no; if you want to share your results publicly you can always publish them later, but by default when you're running tests, as long as you keep this set to no, your results are only visible to you, so it's only if you wanted to make them visible to someone else that you would publish them. The discovery URL
we mentioned earlier is just the location for the OpenID configuration file on your bank, and then we have the client authentication: the client ID that has been registered at your bank; the scopes to use, which I think will always be "openid accounts" for Brazil; and for these tests the JWKS for the client, which is the client's private key just in the JSON Web Key format, or the JSON Web Key Set format in particular, because it has the keys array; and then the MTLS client certificate and private key and certificate authority, which I believe there are instructions for the sandbox directory that show you how to generate these and get the directory to sign them, and then presumably register them with your bank server. And then there is a second client...

Joseph, maybe a good time for a health check about the private key: being super careful around where they place that private key.

Yeah, so obviously this is a private key that does give access to your bank system, so particularly when you're testing a production system, do take care with what you do with this configuration, to make sure that you don't publish anything that has your private keys in it until you've deactivated them at the point you're ready to submit your certification. And yeah, it is a private key, so do take care with it. We have seen, at least in the UK, some people publishing private keys in places they shouldn't.

So yeah, configuration for a second client: again you need to register two clients for the test to be able to check security properties like that a refresh token issued to one client is not usable by another valid client. So you just need two distinct clients, which means they also need different software IDs as well in some or most cases; that might vary depending on which type of client authentication you're using, possibly. Then the final values are just the resource URL, which will always be the accounts resource, so it'll be in this v1/accounts format for wherever your API endpoints are; the consent endpoint that the suite will use just to create the consent before it sends the user to the authorization endpoint; and then just the CPF value, which is some kind of national ID, I'm assuming you guys understand much better than I do. And that's all the configuration values for that test.

If we just quickly look at a DCR test instead, just the one I was running earlier...

When you've run through that we have three questions pending, and I have one too.

Great.
So the DCR configuration is very similar. You only need one client in this case. Everything's the same, but the only bit that is different is at the end: you need to provide some information about the directory, so the OpenID configuration file for the directory. Obviously at this stage everybody will presumably be using the sandbox directory, but at some point you'll need to switch to using the real directory for testing instead; the final certification I would expect would be run on the production directory against a production bank server. The client ID on the directory that corresponds with the certificates you supplied, and just the API base URL for the directory; that's the sandbox one currently, but in due course I'm sure people will switch to production. And that is all the configuration fields.

Sorry, Joseph, can you just clarify: are we expected to run the final tests in production? Not my understanding.

So that was my understanding; certainly that's what happens in the UK and in Australia. I wasn't aware that anything different had been agreed in Brazil. Do you know anything about that, Ralph?

No, that's a policy question to Miro and the sandbox and certification testing squad.

OK, thanks Ralph. Yeah, I mean the usual expectation would be that these tests are run against production, because what we've seen in other ecosystems is that the configurations of the servers are very sensitive, and most banks are not generally able to guarantee that they have a working FAPI configuration in production without testing the production server.

Good morning. The policy adopted here is that the test can be done on a pre-production environment or in production; it's a choice of the institution. The problem of going on production is that you have to be very careful with your certificates: you are exposing your certificate, so you have to have a gate after the test, and the user you are using for the test has their data exposed too. For the DCR test and FAPI there isn't much data exposed, but for the functional tests you have to have clients with accounts and other products, so it's very hard to test here in Brazil, since you can't have a test client in production; you have to use real clients. So we believe most institutions will do the test on a pre-production environment.

Thank you, Paula, that's helpful.
so let me run through a couple of the
new questions joseph
um this one's a little long in the
context of fappy 1.0 advanced
allowed client authentication methods
are private key
jwt or jot tls client off and
self-signed tls client off
the blog below explains details of the
client authentication methods and
includes links to the relevant
specifications
um and then i think that's more
informative so oauth to
client authentication so i don't think
there's a question i think it's just
clarification
next one is uh this is
and uh uh who wrote the comment on the
chat
it is not a question that the
information
or thank you the audience thank you i
started reading it before i read the
whole thing thank you
we have another question um could you
confirm this understanding
on the flow that we are simulating the
test scenario
where we are on the tpp going to catch
data on the asp
sp sorry aspsp is that right
the datas were imputed like
authorization server uri
are your data is by aspsv thank you
Yes, that's correct. We're testing a bank here and the conformance suite is pretending to be a TPP, and it's just running through and checking that the bank does provide things to the TPP in the way expected when the TPP makes the right requests. There is a set of tests for the other way around, the relying party tests, so that's where the conformance suite pretends to be a bank and then expects the TPP to treat the conformance suite as a bank, and it runs through some test scenarios: just a happy path flow, and then checking that if the bank server returns, say, an invalid signature to the client, then the client detects that and aborts the transaction. So those are a separate set of tests which we're publishing the Brazil versions of today, and I think we're probably going to look at running a different workshop to go into a bit more detail on those tests.
Great. I see there's a related question, I think, to this production environment. So some financial institutions during phase two might not have current account information to be published. If that is the case, my understanding is that there is nothing expected to be published in any of the accounts endpoints; therefore, does it still make sense to request openid and accounts as the minimum scope?

Okay, that is information that I was previously unaware of, so thanks for that, Alex. So obviously we need to make some change to the conformance suite to cater for that, I expect. I don't know if there's only one alternative or if there are multiple alternatives. If you could perhaps open an issue on the GitLab, on the link we shared before, just with any details you can share, then that would be helpful, and we'll make sure the suite gets updated to cater for that case.
The value of the resource URL in the test configuration is ... accounts, and probably the specification of the API is written at the URL I pasted to the chat, and according to the specification the document says this operation does not require authentication. I'm not sure what this means, but it can be interpreted like the endpoint does not have to be protected by an access token. But please double check what resources you are aware of, what the configuration expects, the endpoint... yeah, how the endpoint behaves.

Thank you Tucker, I'll check that specification.

Joseph, just a point that it looks like every bank has to implement the resources API, so if there's concerns over some banks not having to implement the accounts API, you could change this to accessing the resources API. There is a mock resources API, and the mock and the consent process are already available for resources. So again this is more of a question to Brazil: if the resources API is the universal customer-protected API, please let, I suppose, Alex or the functional team know, and perhaps the resources API rather than the accounts API would be a better candidate for the test.
Well, thank you. I pasted a link to the specification of the resources API, and the document says that the endpoint requires two scopes: one is the resources scope and the other is the consent:consentId scope. So probably, I guess, if we replace accounts with resources, the certification tests will not pass.

No, the certification test will pass, because you change the scope as well from accounts to resources and change the permission from ACCOUNTS_READ to RESOURCES_READ. The point is providing a test that every bank has to implement, and every bank has to implement the resources API for phase 2, but only some of the resources need to implement accounts; then it would make sense to use resources. In addition, Bruno has raised a point that says actually maybe it should be the customer identification for a natural person API that should be the universal API. Either way, it would be useful if Brazil could feed back to the foundation which API should be the universal API that all banks have to implement for phase two.

Is making the changes straightforward?

The mock bank supports them all.

So it is the resources API. Thanks Sam, so that's an easy one: we can change that to the resources API and then everyone can use that configuration to test.
Okay, again, but the certification test will have to call the endpoint of the resources API with an access token which has the resources scope and the consent:consentId scope, and if the certification program is not programmed in that way, the certification program needs to be modified, right?

So the certification process already uses consent:consentId. It's already using the dynamic consent ID. The only thing that changes is a few strings: we're changing the scope, changing the permission code. I can raise the pull request myself, Tucker; this is a simple change.

Okay, thank you. I just worried about whether the certification does not send an access token that satisfies the requirements.

So for absolute clarity on this point, it sounds like we may want to circulate an update afterwards, once the Mirow or, I forget what it's called, the security working group has validated that it's the resources API that everyone is implementing. Joseph, is that what we need to see here, just to have that informed as the case?

Yeah, that would be helpful. Yeah, it seems like it's Bruno arguing with himself now, or someone else, I've lost track, but yeah, if somebody could just tell us what we need to do, that's fine. If it means we potentially need to support two different endpoints because there isn't actually a fully universal one, then that shouldn't be an issue, but we just need someone to tell us exactly what the need is.
All right, great. Let's see if we can close that one down today and circulate to this group so there's no question. As a higher-level question myself, Joseph, just going to raise this up for a moment: what would we expect of all of the phase II, the first 24 banks that are implementing? Where would we expect them to be in their process? Like, should they all be in the test environment actively testing? Is that what good looks like right now?

Yeah, I would hope so. So I would imagine most of the banks already have systems live that at least in theory are FAPI compliant, given I think there's now, I think it's exactly two weeks or just around two weeks, that the certifications need to be submitted to meet the regulatory deadline, I believe. So yeah, I would expect people have systems live and then they're running the tests, either using our production system in the cloud, or I know some of the banks have been deploying locally and presumably running against a pre-production environment of some kind. So hopefully people are getting through that. If you are running into issues that the tests aren't actually working for you, please do either drop an email to the certification team or open an issue, whichever you feel is probably most correct. But yeah, the team are here, and if we have bugs we're ready to fix them and hopefully get the fixes rolled out pretty quickly.
We are expecting kind of a couple of bugs, right, because the profile for Brazil is a little bit different, right? So it's absolutely... what my point is, it's fair play to raise, and to also, you know, point out if there's any bugs that have been identified, because they're updated tests specific to Brazil.

Yes, definitely. As with any software project you always expect a couple of gremlins. It's probably helpful if people can veer towards raising items as bugs, as we are still getting up to speed with the Brazil standards, and it's helpful if we can refer other people to the reports to check what the answer is if there's questions about exactly how the Brazil-specific bits of the standard work.

Great, and I see Ralph on that last open question: there's an ask out to Bruno and Sam to follow up. Let us know.

Yeah, usually Celestine.

Great, I think we've gotten through all the questions on the list here. We'll keep an eye on that log of questions. In the meantime, Joseph, was there anything else that we needed to cover with the wider group while we wait to see if more questions come up now?

No, I mean, I think we have covered everything, so I think the onus is very much on the banks now to test and report any issues to us and get their systems into full compliance.
Great, and I also understand there's a parallel call going on in Portuguese. If anyone's following that conversation and questions have come up there, we invite you to raise them in this forum. Okay, I see something coming in. Okay, I see Sam Larson raised the ticket, thank you Sam. And something here: option B might be personal identifications as the universal... okay, so that's more of a clarification: universal API endpoint. So I think folks are still looking at that question, and I haven't seen anything new come in. Joseph, one option we have, if there's not more ground to cover, is that we can keep the line open for a little bit longer and let the wider group jump off if they have what they need, and let any others, if they've got any detailed questions, hang on there and, you know, feel free to open any other questions that are on their mind.

Sure, sounds good. So yeah, I'm happy to hang around here and answer any more questions as they come up for a little bit, but yeah, thank you everyone for joining and listening and providing thoughtful insight today.

Great. This is Gail Hodges speaking; I'm the executive director of the OpenID Foundation, and Mike Leszcz, who's the program manager for the OpenID Foundation, and Joseph, who you've been listening to, is leading our certification team. So you've got all the right people listening in here. We are thankful for all of your efforts to test the tests, as it were, and, you know, good momentum here in the Brazil market; we're delighted to see your progress. And there's obviously quite a bit more to work through over the next couple of weeks before those submissions are due. Is there anything that the Mirow team or the security working group in Brazil would like to raise before we close?
I have seen one or two additional questions just pop up in the meantime: will the conformance suite tests be adapted to the scopes of phase three?

Yep. So I don't know the full context of that question. So I know, as part of phase three, I believe all banks, or at least all banks that are doing payments, are required to support FAPI-CIBA, so we will be publishing Brazil-specific versions of the FAPI-CIBA certification tests in due course, which will be a similar set of changes as we make to the core FAPI tests. I'm not sure if there are any other changes that were necessary. The certification suite basically only needs one resource endpoint, and it assumes that all resource endpoints have the same security restrictions applied to them, and we just use that resource endpoint to ensure that certificate-bound access tokens and the few other properties that are required of a resource endpoint are correctly implemented. So if there are any other requirements for phase three, please do let us know.
Great, and I know, Danilo, that you had been working on a translation of some of the documents. I'm not sure if that's been posted on the OpenID Foundation website yet, Mike, if there's anything you want to point people to in their language.

Thank you. Well, thanks for raising that. So the document that Danilo is referencing is a FAPI implementer's guide that OIDF member Kawasaki with Authlete authored some time ago and then updated once the FAPI final specs were approved and put into production, and Danilo has been kind enough to translate that to Portuguese, and he just completed that earlier today. So we will get that published both to the OIDF website and we'll share it with the Mirow team so they can publish that for the entire Brazil ecosystem. So we should have that for you later today or first thing tomorrow at the latest.

Great. Danilo, you wanted to chime in?

Yeah, just to make some adjustments; I'll just make some corrections. I have just now to do this, so Mike, please give me a couple of hours just to read again and see if there is any error in Portuguese. The errors I'm correcting now, and I also sent to Cigara the link of the mutual TLS RFC, because the question that he put and the real issue is about the mTLS RFC, besides the use of ICP-Brasil.

Thank you. We're starting to make those updates already, Danilo, that's perfect. And Mike, obviously, for distributing that to the group to help them with local language, that's obviously fantastic.
I have seen one additional question come in, Joseph, which is just acknowledging that not every institution has personal, or I guess individual, clients; some only have business clients, so there may be consequences for them to be able to test.

Yeah, so hopefully we can get the universal endpoint. Yeah, the fact that some banks only have business clients was one of the reasons we added the extra configuration form entry for the, is it the CNPJ, or whatever the alternative to the CPF is, so that banks that do only have business clients are able to run the tests, yeah.

Yeah, but sorry Joseph, that's one point about this, John: thinking of the institution that only has the business person, the business client, you should look for every business client who has a person that is responsible for the business. So maybe, yeah, if you will see what Ralph is talking about, that is very important about the universal endpoint, you may see that you have a person that is responsible for this business, and maybe this person can be used to do the test.
Can I just provide a little clarity? There is still confusion, and it's not clear, between the consent requirements for the CPF, the CNPJ, and then who and how you do matching with the CNPJ for business accounts. There are two open tickets on the security GitLab, and I'd welcome any more people to provide their opinions on this, but it is still awaiting clarification from the security working group and the consents working group and the user experience working group, just how the CNPJ to CPF mappings and that consent process is supposed to then function, because it's not clear. And unfortunately, because it's not crystal clear, there are still some ambiguities in the profile about when and how the CNPJ consent and CPF relationships etc. are made, so the Brazil security team can update the profile there.

If I may add some info to that subject: actually, as Danilo was saying, or asking, I'm not sure, but I don't exactly agree with your point of view, Danilo, because I think that my clients are the enterprises, not the persons that represent them. So from our point of view we don't have any implementations of the natural person or the personal clients, and I take this opportunity also to say that conformance tests should support this kind of scenario, like my institution won't have any personal clients, so I won't be able to provide any CPFs for the tests. Like, it won't make any sense to us; we can provide a test CNPJ, but CPFs won't make any sense to us.

Okay, I got it. I will put, as Ralph said, I will put the scope that I'm thinking to do this in, the CNPJ, on the GitHub, so I will update that, what I'm thinking, and maybe see how we can do this.

Okay, thank you.
Ralph, did you have... Ralph Bragg, did you have a question or some comments that you'd like to make?

Yeah, it helps if I come off mute. So I just put a link to the issue, and there's a few issues on this topic inside the Brazil security specifications. The issue is assigned to the security team, it's assigned to the functional team, and it's assigned to the user experience team, because it has issues that affect all of those different user groups. So exactly what needs to go where for the consent request, and then also in the OpenID Connect responses, remembering that OpenID Connect is supposed to define some properties about the user authentication: so even though the resources might be owned by a CNPJ and you have a corporate account that owns the resources, the OpenID security profile describes elements about the user that was performing authentication and authorization. So whilst the resources may be owned by the enterprise, the authentication process was performed by an individual. So that relationship between consent, authentication, the user performing authentication, and what needs to go into what tokens and when isn't clear, and it's recognized that it's not clear, and it's assigned to the security team, the functional team and the user experience team to work out.
Are there any final questions? Carlos, Carlos has a question. Go ahead, Carlos. Carlos?

Follow the thing.

So Mike, Gail, Joseph, Ralph, Danilo, everyone, I believe we don't have further questions here, so I believe we can close this meeting. I would like to thank you all for hosting this event here. It's very important for everyone to understand how the engine works and to be able to certify by the due date we have.

Yes, thank you to the Mirow team for partnering with the foundation on this latest workshop and coordinating the workshop, and we'll distribute the meeting materials to Mirow so that they can share those with the workshop participants. So thank you all again, and we'll be in touch soon.

Perfect. And to everyone, we will share the content of this meeting on our YouTube channel together with all the materials, and, like the OpenID Foundation, we will also update our GitHub afterwards with the presentation. Thanks all.

Thank you.

Thank you everyone, bye bye.