Client Registration & Management for Open Finance, Open Banking, and Open Insurance Brazil

This article gives an overview of how Cloudentity enables Data Transmitters to be Open Banking/Insurance/Finance Brasil compliant by implementing the Security Profile requirements, in particular Dynamic Client Registration (DCR) for Data Recipients/TPPs.

Overview

As per the Brasil Open Finance/Banking/Insurance specifications, Data Recipients must register with a Data Transmitter according to the OAuth 2.0 Dynamic Client Registration protocol. The Cloudentity platform is part of the Data Holder ecosystem and facilitates all the security profile requirements, including all the OAuth capabilities needed to handle dynamic client registration of Data Recipient entities. Once registered, Data Recipients can use the registered client information to mint CDR-compliant tokens from the Cloudentity authorization platform and retrieve consumer data from the Data Holder in a secure manner.

Register Data Recipient with Brasil Directory

The Open Banking Brasil Directory (Brasil ICP or the Directory of Participants) issues software statements to accredited TPP/Data Receiver organizations. DCR requests against the data provider must contain a software statement issued by the Open Banking Brasil Directory, so the API caller must obtain a software statement before making a DCR request.

The Cloudentity implementation validates the software statement included in a DCR request. The most important part of the validation is confirming that the software statement was signed by the Open Banking Brasil Directory.

A Software Statement Assertion (SSA) issued by the Directory is a digitally signed JSON Web Token (JWT) that asserts metadata values about the client software.

A sample SSA (decoded view) issued by the Open Finance Brasil directory of participants looks like the following:

JOSE header:
{
  "alg": "PS256",
  "kid": "542A9B91600488088CD4D816916A9F4488DD2651",
  "typ": "JWT"
}
Payload:
{
   "software_mode":"Live",
   "software_redirect_uris":[
      "https://www.tpp.com/accounting/cb"
   ],
   "software_statement_roles":[
      {
         "role":"DADOS",
         "authorisation_domain":"Open Banking",
         "status":"Active"
      },
      {
         "role":"PAGTO",
         "authorisation_domain":"Open Banking",
         "status":"Active"
      }
   ],
   "software_client_name":"TPP App",
   "org_status":"Active",
   "software_client_id":"Cki1EbvjwyhPB12NGLlz2",
   "iss":"Open Banking Open Banking Brasil prod SSA issuer",
   "software_tos_uri":"https://www.tpp.com/accounting/tos.html",
   "software_client_description":"TPP App that brings you real time up to date views of your finances",
   "software_jwks_uri":"https://keystore.directory.openbankingbrasil.org.br/b961c4eb-509d-4edf-afeb-35642b38185d/25556d5a-b9dd-4e27-aa1a-cce732fe74de/application.jwks",
   "software_policy_uri":"https://www.tpp.com/accounting/policy.html",
   "software_id":"25556d5a-b9dd-4e27-aa1a-cce732fe74de",
   "software_client_uri":"https://www.tpp.com/accounting.html",
   "software_jwks_inactive_uri":"https://keystore.directory.openbankingbrasil.org.br/b961c4eb-509d-4edf-afeb-35642b38185d/25556d5a-b9dd-4e27-aa1a-cce732fe74de/inactive/application.jwks",
   "software_jwks_transport_inactive_uri":"https://keystore.directory.openbankingbrasil.org.br/b961c4eb-509d-4edf-afeb-35642b38185d/25556d5a-b9dd-4e27-aa1a-cce732fe74de/inactive/transport.jwks",
   "software_jwks_transport_uri":"https://keystore.directory.openbankingbrasil.org.br/b961c4eb-509d-4edf-afeb-35642b38185d/25556d5a-b9dd-4e27-aa1a-cce732fe74de/transport.jwks",
   "software_logo_uri":"https://www.tpp.com/accounting/logo.png",
   "org_id":"b961c4eb-509d-4edf-afeb-35642b38185d",
   "org_number":"112233445566",
   "software_environment":"production",
   "software_version":"1.1",
   "software_roles":[
      "DADOS",
      "PAGTO"
   ],
   "org_name":"Open Banking Brasil",
   "iat":1620060821,
   "organisation_competent_authority_claims":[
      {
         "authorisation_domain":"Open Banking",
         "authorisations":[],
         "registration_id":"13353236-OBB-CONTA",
         "authority_id":"687a1c94-b360-4e04-9589-0fa5cb16451b",
         "authority_name":"Banco Central",
         "authorisation_role":"CONTA",
         "authority_code":"BCB",
         "status":"Active"
      },
      {
         "authorisation_domain":"Open Banking",
         "authorisations":[],
         "registration_id":"13353236-OBB-DADOS",
         "authority_id":"687a1c94-b360-4e04-9589-0fa5cb16451b",
         "authority_name":"Banco Central",
         "authorisation_role":"DADOS",
         "authority_code":"BCB",
         "status":"Active"
      },
      {
         "authorisation_domain":"Open Banking",
         "authorisations":[],
         "registration_id":"13353236-OBB-PAGTO",
         "authority_id":"687a1c94-b360-4e04-9589-0fa5cb16451b",
         "authority_name":"Banco Central",
         "authorisation_role":"PAGTO",
         "authority_code":"BCB",
         "status":"Active"
      }
   ]
}

The Open Finance Brasil directory of participants has chosen PS256 as the signing algorithm for the Software Statement Assertion (SSA), conforming to FAPI-RW Section 8.6. Cloudentity verifies the signature of this PS256-signed SSA presented in the DCR request body.

DCR configuration in Cloudentity

DCR is enabled by default in Cloudentity when the Open Finance Brasil compliant workspace is created.

  1. In the workspace, go to Auth Settings > OAuth > Client registration from the sidebar.

  2. In the DCR tab, you can see Enable dynamic client registration enabled.

  3. In the DCR tab, you can see Protected by software statement enabled as well.

Open Banking Brazil DCR configuration

Register TPP with Data Provider

To register with a Data Provider, the TPP sends an HTTP POST request to the Data Provider's registration endpoint; the Cloudentity platform provides this DCR endpoint. As per the DCR API specification, the registration request must be passed in the request body.
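The following is an added example, not Cloudentity's code, showing what a Data Holder must do with the registration POST described here and the SSA validation described under "Register Data Recipient with Brasil Directory": pull the software statement out of the request body, pin the JWT algorithm to PS256, resolve the header kid against the Directory's published keys, verify the RSA-PSS signature, and only then trust the claims. The key pair, the kid "dir-kid-1" and the claim subset in SSAClaims are constructed for the example (the iss value is the one from the sample SSA above); NewDirectory, SignSSA, VerifySSA and HandleDCR are names chosen here, and in production the Directory alone signs SSAs while the Data Holder only verifies.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Subset of the SSA claims shown on this page that the Data Holder relies on.
type SSAClaims struct {
	Iss        string `json:"iss"`
	OrgStatus  string `json:"org_status"`
	SoftwareID string `json:"software_id"`
}

const directoryIssuer = "Open Banking Open Banking Brasil prod SSA issuer" // iss in the sample SSA

// PS256 is RSASSA-PSS with SHA-256 and a salt as long as the hash (RFC 7518).
var pss = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}

func decodeSeg(seg string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// NewDirectory is a constructed stand-in for the Directory's key and its kid -> public key map (JWKS).
func NewDirectory(kid string) (*rsa.PrivateKey, map[string]*rsa.PublicKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	return key, map[string]*rsa.PublicKey{kid: &key.PublicKey}
}

// SignSSA mints a JWT the way the Directory would; here it only builds test input.
func SignSSA(key *rsa.PrivateKey, kid, alg string, c SSAClaims) string {
	enc := base64.RawURLEncoding.EncodeToString
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "kid": kid, "typ": "JWT"})
	pl, _ := json.Marshal(c)
	input := enc(hdr) + "." + enc(pl)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPSS(rand.Reader, key, crypto.SHA256, digest[:], pss)
	return input + "." + enc(sig)
}

// VerifySSA pins alg to PS256, resolves kid, checks the signature, then the claims.
func VerifySSA(token string, dirKeys map[string]*rsa.PublicKey) (*SSAClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	var hdr struct{ Alg, Kid string }
	if err := decodeSeg(parts[0], &hdr); err != nil {
		return nil, err
	}
	pub, ok := dirKeys[hdr.Kid]
	if hdr.Alg != "PS256" || !ok { // never let the token choose the algorithm or an unknown key
		return nil, fmt.Errorf("rejected alg %q / kid %q", hdr.Alg, hdr.Kid)
	}
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, pss); err != nil {
		return nil, errors.New("SSA signature invalid")
	}
	var c SSAClaims
	if err := decodeSeg(parts[1], &c); err != nil {
		return nil, err
	}
	if c.Iss != directoryIssuer || c.OrgStatus != "Active" {
		return nil, fmt.Errorf("issuer %q / org_status %q rejected", c.Iss, c.OrgStatus)
	}
	return &c, nil
}

// HandleDCR reads the registration POST body (RFC 7591 carries the SSA in "software_statement").
func HandleDCR(body []byte, dirKeys map[string]*rsa.PublicKey) (*SSAClaims, error) {
	var req struct {
		SoftwareStatement string `json:"software_statement"`
	}
	if err := json.Unmarshal(body, &req); err != nil || req.SoftwareStatement == "" {
		return nil, errors.New("request body must be JSON carrying software_statement")
	}
	return VerifySSA(req.SoftwareStatement, dirKeys)
}

func main() {
	dirKey, keys := NewDirectory("dir-kid-1") // "dir-kid-1" is a constructed kid
	ssa := SignSSA(dirKey, "dir-kid-1", "PS256", SSAClaims{Iss: directoryIssuer, OrgStatus: "Active", SoftwareID: "demo"})
	fmt.Println(HandleDCR([]byte(`{"software_statement":"`+ssa+`"}`), keys))
}
```

The order of checks matters: the algorithm and key are fixed by the verifier before the signature is examined, so a token that names a different alg or a kid outside the Directory's key set is refused without ever being treated as authentic, and the issuer and organisation status are read only from a payload whose signature already verified.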

Manage registered TPP

As the Infosec provider component of a Data Holder, the Cloudentity platform exposes all the Data Recipient Client Registration Management endpoints defined in the APIs.

OIDC configuration endpoints can be located easily within the Cloudentity administrative portal.

Within the OIDC Discovery configuration endpoint, the DCR endpoint location is specified under the registration_endpoint key:

"registration_endpoint": "https://authorization.cloudentity.com:8443/default/openbanking_brasil/oauth2/register"

Cloudentity provides all the DR-compliant DCR APIs defined in the specification for TPP dynamic client registration within the Data Provider ecosystem.