1st Workshop: functional certification tool (15/06/2021)
Regulatory Summary
More details at https://openbanking-brasil.github.io/areadesenvolvedor/#testes-e-homologacao
Transcript and Content
hey everyone good morning
i like something
great man thanks and the tips you gave
me yesterday
work like a charm yeah we just got to
get them so that not tips
it's written dance absolutely
in fact i was asking renan if we can
get a slot in your meeting
this afternoon and if you got the same
slot it would be great for that
quick uh hands-on on generating the
certificates and
using our sandbox directory tim can you
see
if if you guys can accommodate it'd be
great
yeah tim could you see that i've just
got 30 minutes
um good morning everyone
i think we have 220 plus people already
yeah let's start so um
rafa i'll just uh make a quick
introduction and then hand over to you
uh
very quickly um
workshop
so ralph uh well let's start
cool okay so firstly thanks very much
for
the opportunity to demonstrate to the
entire ecosystem 244 people
is a huge turnout so it's uh
very much appreciated everything that
we're about to demo
is against live systems so we're going
to be demonstrating
against the a reference bank that
we have stood up for testing the tests
we will be using live instances of the
certification tests of which there are
three that you will see today
the first one being an end-to-end
dynamic client registration
process which integrates with the open
banking directory
um to obtain software statement
assertions
discover a bank register with a bank
create a consent and obtain
authorization for a customer to share
data so it'll be an end-to-end flow the
second test that we will show
is the newly released open banking
brazil
certification test suite which will use
the clients that have been dynamically
rendered generated in
step one and i'm not going to
demonstrate all of the different tests
there i'm just going to demonstrate the
the main happy and
unhappy path tests there are about 50 or
60 different tests that banks will have
to go through to in order to obtain
um certification and then the final one
is we'll demonstrate the
the functional apis which will show uh
how you can use the
open banking the same set of clients to
then start testing
once you're through your front doors the
functional apis
and the functional uh endpoints we'll be
doing that using the accounts
api the accounts api and the consents
api and it will demonstrate the
end-to-end flow and then data access
retrievals for
this process as i said all of this is
live please be nice
um and it is at the moment when we get
to it a
uh a little bit of a moving target we
will demonstrate what happens when you
have a failing test
and then we can have a look at some of
the analysis processes that we have to
go through in order to work out
why a test has failed is it a problem
with the spec is it a problem with the
test
is it a problem with the api
um as always if you have any questions
please feel free to stick your hand up
and
let us know so this will be turned off
uh notifications
before i begin does anybody have any
questions
no okay and
just don't even shout at once can
somebody give me a thumbs up if they can
see my screen
we can excellent fantastic okay so the
first set of the
uh and a little bit of just a little bit
of background so there are two
uh open source conformance
certification test projects both of
which are hosted on
gitlab the first one is the open id
conformance suite which
i believe the details of this had been
shared previously
on the wiki page for the open id
certification test suite is an example
configuration
for the brazil dynamic client
registration test suite
uh it is using my credentials and my
password remember as part of the consent
process
that's been adopted by brazil you've got
to nominate a cpf id
up front as part of the end-to-end user
journey which unfortunately that means
that you need to have the accounts
pre-created you can't just use log in
with google or login with any of the
other identity providers that you
otherwise could have inside the content
contains a private key that i'm going to
use for any signing operations
my mutual tls certificates a link to
the directory and the client id
on the directory that corresponds to
this particular
software and the api base path for the
directories apis
the directories api scheme has been
published before all of the
functionality that you see available on
the ui
is available via api which means that
tpps will be able to do
discovery searching software statement
generation
and then dynamic client registration now
putting all of that together and that
piece of company together we're going to
come to the certification test suite
which is available at certification dot
id.net
press plan
and i'm going to select brazil dynamic
client registration authorization server
test
now the bank that there's all this is
the software that is being um that is
the bank that we're going to be doing is
testing against supports
all combinations that you could put that
are available for the brazilian security
profile
so that raidiam stack supports
private key, mtls
pushed authorization by value or by
reference and also the two response
modes that you
can support now banks are obliged as i
understand it to support only one
combination but they are encouraged
to advertise and certify that they can
support whatever different options that
they like
um for those who have read the security
profile adhering to plan supporting
plain
is mandatory but we do encourage banks
that can support jarm to advertise that
they can support jarm because
it does actually make some of the
processing easier for
for tpps if so
any of these configurations you can log
in here and you can just update
uh your information with your software
that's registered on the brazil sandbox
point it at your bank and you can start
testing
so what i recommend that you do is make
sure you save off your json
or once you've finished plugging it in
and because it can get quite annoying if
you keep having to
type multiple different values into
different fields so
uh without further ado let's
create a test plan
right so in the dcr test we've only got
one um happy for uh happy path flow
at the moment we're going to run that
and off we go so
we've got the number of tests running um
successes failures warning and
we're now at step 62 and well looks like
we're done we're being asked to prompt
for a user login so let's go and have a
quick look before we do that
as to what's been done
so
we have form dynamic client registration
the test pack has built the dynamic
client registration request
it has posted the dynamic client
registration request to the server
it received a response saying yes your
client has been created
we are now going to go and create the
consents and the accounts
in order to test that this client works
we have used client credentials grant to
obtain a brazilian
consent built the necessary request and
now we are asking the user to log in
anything else that we want to do
this while it's running call consent
their token
there's the response all the tls has all
been
being used
cool now i've already logged into my
application so
my mock bank has already got a session
for me and i've kept it active just for
the purpose of this testing so i don't
have to type my username and password
each time
now that consent resource has been
retrieved we've looked at the
permissions and it said
this client is looking for access to
your accounts bank account information
please select the accounts that you want
to give it access and
finish the authorization step once the
oidf
redirect component is finished or tab is
finished you can close that tab and you
can come back to the
application that's finishing the process
it's verifying the authorization
endpoint response verifying the token
endpoint response
uh making a call to the actual resource
checking
for things like uh the headers so x
fapi interaction id
checking that it was a response type
json uh and as you can see here there
was a call a valid response to the
account's endpoint
looking back at our test uh results we
are now in a finished state and you've
successfully completed end-to-end
dynamic client registration
i'll do that again because it probably
went quite quickly and let's
change a couple of different settings so
this time we're going to register an
mtls client
we're going to do by push and why not
let's use
jarm so i want to test that like my
server supports dynamic client
registration with all those properties
i'm going to click run test my test is
going to run
obtain a software statement from the
directory registered with the bank
create a consent resource set the user
up for
register for testing my newly created
client
i'm going to consent
i'd finish the consent process and voila
i've successfully received accounts now
that is open banking as it should be
and open banking as it should function
end-to-end
with no barriers for entry for a tpp
being able to integrate with a bank
discover a bank onboard to a bank and
send a customer off for authentication
to release data
pretty much real time
any questions on dynamic client
registration
is there another way to uh test this uh
within an epic authentication
in the website of education yes
all of the flows can be done using app2
app uh authentication flows so if you
test this on a mobile it will do an app
to app deep link if you've got your
application appropriately registered
with
um the apple and uh android
processors there's a whole section and
user guides on
testing the app to app deep linking
flows but yes it supports all of that as
well
thank you
okay moving on this is no other
questions on the
dynamic client registration request
we're going to change the test
and now we're going to go through the uh
the security tests
so switching from open banking fapi one
advanced to a
fapi one advanced final authorization
server tests
again we're going to pick up yeah
sorry i think someone shared the screen
and took control of the
screen share so if you could do it again
yeah it's true thanks cool
in this instance i'm going to perform a
fapi one advanced authorization test
i'm going to select
the i want to use pushed authorization
and from my drop down i'm going to
select the open banking brazil
variants and again the type of mode that
i want to do
is jarm i'm going to
take my configuration that i've saved
earlier just to paste it in to make my
life a little bit
uh easier um which again just contains
my clients
uh the my cpf for the user that i want
to use for testing the accounts and the
consent results
and i'm going to create content planning
now with the security tests there are a
lot of tests most of these are unhappy
paths so they're negative testing to
make sure
the authorization server that you've got
configured correctly rejects tests
so it does things like mixing up
tokens mixing up refresh tokens mixing
up certificates
making sure that the security of your
authorization server
is correct and again like the previous
one
is just a simple example of running
through each of the tests and making
sure that you
are conformant now there are
tests that require you to do different
things so for the this one is the
primary
happy path where you're required to
authenticate successfully
twice
validating validating at all times you
can see not the number of successful
tests are going up
1504 and we're going to do it again
because we want to give
this server a couple of different access
tokens so it can do some
tests against against those two and
that's it
so if you've got an authorization server
that is fapi compliant you have a
valid consents api that's correctly
wired in
uh that you've got your cpf check and
all those additional requirements
executing the test is quite
straightforward the same goes for some
of the negative testing so if we
continue the plan
and we go to execute the negative
test which says this test requires a
user to reject
in a sense i'm going to click the cancel
button
and it's going to confirm that the user
rejected the consent
twice
and what i have passed at any time you
can return to the plan
and you can pick different tests you can
rerun different tests and when you are
finished with this you can click on
publish everything and then
generate a certification package we'll
demonstrate that against the
functional certification tests
any questions on the security tests
little
hello i have seen i have saw
one test that is about multiple
i think is multiple approved so
what are the scopes of this test because
here in brazil we don't
i think we have a different scope than
uk what are the
the tests what happened with this test
that
are different from brazil and uk
so it's a good question so the the first
thing
is that from the security profile
nothing's been called out that is
different
from um versus the
brazil model as i understand it if you
have
a consent that requires additional
authorizations which is exactly the same
as you have
uh in australia the only thing that
changes
is the response that you get on the
authorization
i.e the resource call the very end of
um payload now the openid certification
test suite doesn't actually validate
the resource request the resource
request that comes through
whenever i can find the valid call
checks to make sure that
it is a json and that it has the
appropriate
uh response type so if you've got an
authorization
response that gives you say an empty
accounts list
because it requires additional
authorization that should still pass the
security profile
if you need a specific test because it
doesn't return an
empty json and it needs to return some
other message
then that needs to be defined and
included inside the security profile as
to what the error should be
for a call to the accounts api because i
didn't see an error on the accounts api
that said not yet authorized
guided thanks no words
any questions on the security test
no
again this is very good you can do them
all with the
app to app and mobile deep linking and again
all of the configuration for these have
been included inside
the uh the open id foundation wiki
and the same configuration can be used
in the functional certification test
this is against the raidiam reference
bank you've got the credentials there
for the username
and password as well as the cpf id that
matches that corresponding account so
feel free to use these feel free to play
with them
do let us know if you manage to break it
and as always if you find something that
you think is wrong with the test
please raise an issue because this is
part of the process is helping
everyone in the ecosystem test the tests
joe hello everybody good morning
thank you ralph my doubt is the tests
you demonstrated to us right now they
are only for the security requirements
right i mean you're as i understood
you're calling the the apis
from from brazilian open banking but are
the results of
those apis being being verified
somehow or because we have
for our certifications we have to be
compliant to security requirements
and functional requirements those tests
you demonstrated they
do both verifications or just security
verifications
those tests do both however at the start
of the meeting no sorry those tests do
security
however at the start of the meeting i
said there were three tests
we'll get onto the functional ones in
just a moment okay
thank you any questions on the
uh the security test
no okay moving straight on to the
functional
uh is that fapi profile
tailored for primitives
and methods that are supported
in the uh in our brazilian specification
or is that are all the fapi profile
available for testing you can run all of
the fapi profiles if you want however
the one that you have to certify
is the open banking brazil only the open
banking brazil
is integrated with the consents api and
only the open banking brazil will pass
the reference to the consent api in a
dynamic scope
australia uses a sharing id and the
united kingdom uses
uh an overloads and id token so you
can't use any of those profiles with
your
end-to-end security requirements so you
can
by all means you can confirm that you
were generic fapi compliant
but the requirement for open banking
brazil is to be able to handle the
complete
consent end-to-end life cycle
and so you need to complete the open
banking brazil certifications which is
the only one that uses
the open banking brazil consent and
authorization standards
hi how can you please share with us
that you are help
of the that explains
with your your inputs
of your past here
the gitlab link oh the git lab link
oh yeah sure can do the the git lab link
is actually linked off the open id
foundation certification page so if you
go to
openid.net and click certification all
of the documentation the how-to guides
uh everything uh is on
very well documented and it's all
included as part of the
instructions so you've got how to
you know uh specifications instructions
for
running the relying parties that will
take you to
all of the different you know the link
to the git lab which will give you
access to all of the different you know
information that you may
require so that's straight to the wiki
and as you can see
you've got the brazil specifications on
the right hand side
you've also got access to all the code
and if you find an issue
please raise a ticket thank you
cool any final questions on security we
can always come back and i can redo this
as many times as as is required
but let's move on to the the functional
test so
what the open id sorry what raidiam has
been doing with in conjunction with the
id foundation is making sure that we can
use the same
testing suite and the same testing
services that
we have jointly been developing but to
test the functional apis
now the openid foundation doesn't want
to do functional apis they don't want to
be maintaining those functional apis so
we have a fork
of the open id foundation certification
suite just a little bit of trivia
originally the
raidiam took the contract to develop a
lot of this stuff
as part of the engagement with the open
banking implementation entity so it's
quite useful to
have it all being used again for another
jurisdiction
so again it's exactly the same thing
it's the same test suites the same test
pack if you can't find
a document that says what do i do
on the brazil uh
gitlab then there will be a
corresponding document on the open
banking
sorry the openid foundation gitlab so
again same thing
this time we're going to run a test and
we're going to select the functional
accounts
test for the accounts apis all of the
other apis
are being added as we speak in fact
they'll demonstrate
what happens when you're trying to test
against a moving target
so we're going to test the functional
test for the accounts uh api
and in this test we've got a
deliberately failing api
so you can see what happens when you do
the test
so again fill out the same client you
can copy your configuration straight
from one
security pro uh the security profile
test straight into here
uh same cpf same consent same
account and now we're going to run the
the
api for the account test for the api
now we did a release for this about 10
minutes before this demo so
knowing how luck uh it may or may not
fully function but uh let's let's go and
give it a go
so same thing number of tests uh running
setting itself up it's creating a
consent
it's posting consent to the
um to the server it's prompting the user
to log
in and boot itself up from the cold
you can see let's see what it asks for
uh what did i do i did a pushed
authorization endpoint request i got my
pushed authorization
response i posted my
request uri made sure that i was
sufficiently
insufficient entropy and same thing i'm
going to
select my accounts i'm going to consent
to sharing data
it's going to finish the redirect back
i'm going to close my tab
and the tests are going to continue and
it's going to do a lot of the
basics validation that was done in the
previous
security test just for happy path it's
making sure that the authorization
server did what it needed to correctly
and now it's going to go and start doing
the resource server tests
so we'll be making sure there's valid x
fapi customer id headers and then we're
going to start running the accounts
api so we
call the first one which we call the
accounts api
validating the accounts api
all the different tests for different
registers and fields in that past
next one is we're going to use that
result set to call a specific
account inside the account api same
tests
here's the response to a specific
account inside that
that list and it's doing some tests but
oh
we've got a failure and in this case it
said right
i was unable to find a data element
called subtype on the account
identification api response
and as you can see this is what was sent
back and there is
no subtype so very clear errors very
clear descriptions about
what the error was was it a failure of
regex was it a
missing field was a mandatory property
that was not that was not present
uh et cetera et cetera now that one's
not a a
cease failing test there are other tests
that are carrying on so in
the background we've also done or we
continue to do a fetch account balance
test
so let's retrieve the balance api for
that account checked all the fields all
the properties of that
and then we called the fetch account
transactions endpoint which is pullback
we've only got one for this particular
account that is selected
one transaction that list and it then
goes and does all the validations for
that
transaction as well
fetch account limits same thing it's
done the limits test and finally it says
i
can run to completion at the top of my
test you get
the description of what actually fails
you want to click on that one it will
take you to the exact failure and as i
said it gives you a very detailed
breakdown of
what has failed what has not failed and
this is where we start having
the conversation is it a problem with
the test
is it a problem with the api is it a
problem with the swagger
and so the expectation would be that if
you encounter a failure
you want to review all three of those
things and
if something's wrong with your api which
in the case of
this one here it is you go and fix it
rerun the test and let it go green
or if it's a problem or something that's
uh incorrect with the
either the reference examples or the
swagger specification you would raise a
ticket on the open banking
brazil github for the functional api
team to do
the first triage now this process has
already started
we've discovered quite a few different
things with different
apis and different endpoints and the
functional api team are pretty good at
turning around
changes quickly likewise the
so are the sensitive reference
examples which does make
challenges uh for incorporating these
the the pace of change quite challenging
when things are being updated literally
an hour before um before a demo
so one of the tasks that we've now got
is to go and incorporate the latest
changes that have been made to the
uh reference examples so in the case of
something like
the balance api originally there was no
trailing decimal places
and that was failing the regular
expression uh
check which meant that we were we had
some failing tests
so whilst there is a significant
uh level of change in both the
specifications the reference examples
we do ask for a little bit of patience
but likewise we really want to encourage
banks
to start the process of functional
conformance certification
such that you can help the functional
team bottom out any issues
quickly so that they can be addressed
because the longer they go
on the slower it will be to
have those capabilities or these issues
identified
uh unsorted
i think that's enough from for me
yeah if you have another question matt
hi
good morning uh a question of your
journey of content this test you
prepared for a journal since you with
one screen uh
so raidiam is not testing the adherence
to the customer experience
guidelines that's not something that
we're being asked to test as the
functional apis
it's a very good question in terms of
the certification to the cegs
and it's something that i think miro
should take a note of and work with the
sandbox team
to decide what certification processes
there will be
to the ceg guidelines for banks
consents and authorization number of
screens
hey uh i guess i'm next one in line so
uh
my doubt is that uh at some point in
some work groups
um i guess uh someone told
told us about the possibility that the
functional tests
could uh exist uh without
the the security requirements
coupled like you could just test
functional requirements as at least i
i saw your tasks it uh
it's basically using all the the fappy
profile
uh requirements so uh is there any
possibility for us to test
just the functional part of the apis
yeah so if you wanted to go and test
your own payloads
the easiest way for you to test that is
to pull down and follow
the local development instructions for
the test
harness which are all included here so
there's a
complete developer getting where are we
blind
here which will allow you to pull down
all of the tests
and run them locally with whatever
options that you want on
or off there obviously isn't a hosted
version
that expects to be able to access
resources in an unsecured manner given
this is customer data that's a little
bit nonsensical
but what you can do is run all of the
the tests
uh locally and you can turn off whatever
tests that you like
the other option that you have got is
that with every one of the
tests that are being added in
you'll see where are we where's my good
game
let's just go to changes cool you'll see
that every one of these
tests has got an example payload
so if you have the ability to generate
from your own servers
your own example payloads for your tests
you simply take your payloads drop them
in
run the test suite and that will confirm
whether or not that you
pass or fail against your own payloads
just using
your local ci cd or a local developer
workstation
but uh this way i'm not exactly testing
my host right i'm just
testing my payloads that's correct but
if you
you can't test your host really without
testing your security
if you've got an api endpoint that's
serving customer data on demand with no
access control or securities in front of
it
that would be an interesting lgpd
position
and that really is it so as again we've
said previously this has been shared
all the tests and all the processes all
of the velocity is all being developed
uh in the open anyone can review any of
the changes
anyone can look at the tests add new you
know submit a pull request for new tests
challenge the tests raise issues against
the tests
and ultimately we really hope that the
ecosystem itself
uses this harness to then start
developing its own
and enhancing its own tests in terms of
uh
taking long-term ownership for the
maturity the development and the growth
of the
certification service and payloads
because it is all um open source it is
all available for
you to do with what you will and again
it's a very it's a great testing harness
and it's a great testing
process for testing your own apis so for
those banks that are looking for
end-to-end security testing against say
some of your commercial propositions
that you're going to develop
off the back of open banking it is a
great capability to be able to do that
the final thing i should mention is that
when you've completed a
a test a test suite or a test execution
the final task will be to follow the
same instructions as we've already
articulated the open id foundation
you're going to click the button that
says publish everything
oh me out
and this test link will be included
on the git now the github is a public
attestation of
you saying to the ecosystem
i've passed all my tests i'm 100
compliant with this particular version
of the test drive profile
feel free to come and review my logs and
confirm that i haven't done anything
uh underhanded or sneaky and
that is it
so i don't know if anyone has any
question
or would like ralph to go through a
specific step
again as we have a few more minutes
here
uh our our brazilian
open banking security profile uh points
to
a lot of rfcs from fapi and the pub
itself
points to a lot of rfcs the question is
is our certification tests
testing only the requirements stated in
uh open banking brazilian profile
or the the the inner
rfcs as well oh no the inner rfcs
it tests the entire triangle so
you're right at the top with open
banking brazil but in order to be quiet
there
you have to contest all of the
underlying rfcs that you've built on
sure sure uh
could you pass the complete link of the
complete path of these tests on the chat
please
i can text
um
now ralph
a question from nelson and he's asking
uh
for he notices that in in the git lab
and in other
tabs of your browser that has a lot of
java code
and he's wondering if he will be able to
run those tests in in his machine
or it is only available in the
certification
tools that are published in online no
you can run the whole thing locally okay
just just have to check check out the
code and then and and
make a deploy right so see this to build
yes building from the source oh that's
great
ball end to end everything that you
could possibly want to do
so again the expectation would be
if you want to contribute to the test
download it run it locally add the tests
submit a pull request
okay i think it's clear any further
questions guys
myself
okay uh ralph marcus is is
asking if if we had a similar
test suite for the the tpp
side or the partner or the client side
so
uh with uh i i i could see you have a
dummy bank
running but i'm not sure if we have
automated tests too
yes okay so the relying they're called
the relying
party tests now the relying party tests
are being uh uh focus on the security
side only
okay not the functional side so they
make sure from a security point of view
the tpp does the correct thing because
dealing with functional messages should
be a matter of processing a swagger
we don't input in terms of relying party
tests for
the tpp side now the open banking brazil
is sorry the openid foundation is
with us is going to release relying
party tests
for for brazil what is still not
clear is whether or not uh brazil
is going to make the passing of those
tests
mandatory for tpp accreditation
yeah no i personally believe it is a
very good idea
for tpps to be required to pass the test
as you can see they are not hard
particularly for the tpp they are
straightforward they're very very
straightforward
however i understand that in some
jurisdictions there is a push back
on tpps having to certify now that is a
policy decision
not a technical decision um and this the
test will be in beta
sometime next week according to the open
id foundation
process
foundation blizzards
um it would be very useful to get an
answer to this from a policy point of
view pretty quickly
cool well as always if there's anything
that
we can do or raidiam can do to help the
ecosystem please do let us
let us know for participants that are
going to start running this test there's
an agreed process that's being put in
place between
um miro the sandbox testing team
the functional api ownership and our own
uh our own support teams
but if there's anything above and beyond
that you think
we can help you with please do feel free
to reach out
and apart from that best of luck with
your testing and certification over the
next
um over the next four weeks there will
be continuous
improvements to the functional
certification
tests in fact we actually have to go on
before this demo
um make uh make a change because
these new ex these new examples have
been introduced less than well now two
hours ago which we now need to go and
incorporate
uh into the tests and then uh update the
the public sorry the um the regular
expressions that have now been included
in the updated functional api
so please do be patient in terms of uh
running
uh running those tests and please make
sure that you check your implementation
specification both the current version
and it might be prudent to
check the previous version as well for
example when i looked at the um
the balances here you can see very
quickly that
one hour ago the structure of the
balance
changed from being
an integer to a double
and so when you're doing your own
investigation please make sure that
you're reviewing
not just the current version of the
swagger specification but also
potentially the previous one
and just be mindful that they are there
are still changes that are
being incorporated and you
think we have two more questions nelson
george
hi uh uh a second question what the
business
endpoints will be tests in the first
version of the year
how entry points course ones accounts
so the aim is to have all of the
functional apis for phase two
included in the test suite before um
well we're going to try and aim for the
next within the next two weeks so you've
got
all of them but as i said they will be
staggered and released out
um andre and miro can talk about a
change to the central bank's
uh delivery cadence that's recently been
announced um because
it's a policy i believe a policy change
from
central bank as to what needs to be done
uh first and when
but at from our point of view we're not
we're trying to deliver as per our
previously agreed
delivery time scales and project plan
so to give you the example for those of
you that are going to download
and run this locally you can see that
all of the tests are now there
or most of the goods could you share
this screen again please
thank you very much so for those of you
that are going to go
and uh download the test plan and update
your
own local test you can see that there
are now tests for more than just the
accounts api
what we are now working on and then the
next step for us will be to
build the test plans so that we test
that you've now got those as an item
inside the the drop down so it's just a
matter of wiring in
these tests into the resource calls but
um the cadence is is we're on track
and we are delivering as agreed as part
of the project plan
nelson
and the video run talk to linux sarah
macios windows just say just
do wind docker correctly
uh possibly uh yes the majority of
people and developers from the
international community that use this
i know use either macs or linux machines
there is some uh commentary on how to
get this running for
from windows point of view but it isn't
something that we've
had to come across before okay
okay thank him
but because it's java there should be no
reason why it doesn't function
close your knee
i have thank you for your presentation
my doubt is related to the
the tool running locally on the machine
uh the tools running locally
covers only the aspects of the message
like
syntax and payload or covers
the security layer as well you can run
the entire thing locally
the entire test suite runs locally so if
you
can stand up an authorization server
and an api gateway and
locally that is completely fine if you
want to run it
and a copy for yourself or internal bank
testing
against your own internal development
systems that is perfectly fine as well
it is a tool and a capability that
essentially acts as a very complex
uh tpp it's got all of the options and
all of the capabilities to interact with
banks
and all of their different choices that
they may make
and the entire tool can be run locally
okay thank you half excuse me just
add one more thing to
is
a clarification in this subject
of our confirmation tests regarding
uh if we are going to evaluate
just the the open banking security
profile
tests or this oh the whole suite must be
green
in order to certify i i kind of
get ahead and say that we are going
for the whole set because our uh
security profile is an extension of the
FAPI
advanced and so the complete set of
requirements
are needed in order to pass the
certification test right
and if you wanna yeah that's correct so
if you look at the
yeah let's go back to the plan
oh it's loading up
so this test is going to test your
adherence to the FAPI open banking
brazil
profile all of these tests need to pass
now all of these tests use the options
that are defined in FAPI open banking
brazil
so in fact this this is testing your
adherence to the FAPI 1 advanced
profile
open banking brazil flavor
so it all has to be green okay
sorry i just want to be very clear the
openid foundation
will require this all to be green in
order for them to certify that you are
conformed where things may be more
interesting
is on the functional apis so the
functional api process
if you think it's a problem with the
specifications take it up with the
certification this specification team
if you think it's a problem with the
tests well take it up with the testing
the testing team the policy that goes
for
certification or not certification will
depend on the failures
obviously if it's all green and for
example you've tested
on the 14th of july you're far more
likely to get
a bigger test a more complete test
and therefore more likely to be
certified for example
certification at the moment is not open
because
the apis have only just been updated the
example specifications have only been
just updated and so the coverage at the
moment for
that accounts api is insufficient
for anyone to be certified in addition
there has been only one person that has
actually run
the test this is against the radium bank
how do you know we are correct
until there are sufficient implementers
and this group
collectively have come together and said
we've all run the tests
we're happy with the coverage we're
happy that
we've ironed out the big issues with the
specifications
this is now version one of the tesla and
at that point
you nero you can start certifying people
or miro can say this is good enough for
us to start
certifying the ecosystem that's a policy
question
not a technology one
i've got a question that i think it's
directed to the mural
guys regarding exactly this policy point
i'll switch to portuguese okay
moment
okay
i would like to to thank ralph if you're
there
and see you next time
um
okay guys thank you
thank you bye
be
so
risky
ignorance
uh