FAPI OP Conformance Testing & Certification Submission Overview for Open Banking Brazil
The first step is to pay for FAPI certification fees: https://openid.net/certification/fees/
Some Open Banking Brazil organizations have chosen to pay certification fees via Mirow and others pay the OpenID Foundation directly. If your organization has paid via Mirow, there is nothing further for you to do in this regard.
Once your organization has paid FAPI certification fees, the next step is to test your FAPI implementation.
FAPI OP Testing Instructions: https://openid.net/certification/fapi_op_testing/
The main testing differences for Open Banking Brazil are due to extra requirements in the Brazil specifications including:
- A Brazil-specific pre-lodged intent mechanism is used, and passed via a structured scope
- Encrypted request objects are required when passed via the front channel
- Refresh tokens must be supported
- Access token lifetime must be between 300 and 900 seconds (inclusive).
- Only PS256 is permitted
Dynamic client registration tests are also available for Brazil (these are specific to the Brazil ecosystem, the tests cannot be passed unless your authorization server accepts software statements generated by a Open Banking Brazil directory). There is an example configuration for the DCR tests.
Once your organization has successfully completed the FAPI conformance tests, the final step is to submit your certification request to the OpenID Foundation.
FAPI OP Certification Submission Instructions: https://openid.net/certification/op_submission/
Once your organization has successfully certified it’s FAPI implementation, the results are published: https://openid.net/certification/#FAPI_OPs
- It is very important to follow the submission instructions or your certification request will be delayed.
- If there are issues with your certification request, a member of the OpenID Foundation certification team will follow-up to identify the issues.
- Certification requests will not be processed if certification fees have not been received.
- Processing times are expected to be longer than normal in the few weeks before the go live deadline.
- Configure your organization’s system to be compliant with the FAPI specifications: usually the hardest part. Your organization’s internal expertise and/or the vendor you have selected determines how difficult the process is.
- Setting up the test configuration: requires creating keys, creating clients on the sandbox directory and onboarding the clients to your server. For a good engineer that has all the necessary skills and access to the directory, this process takes a few hours.
- Run the FAPI conformance tests: takes a few hours.
- Fix any failures and rerun the conformance tests until you successfully pass.
- Preparing the certification submission package to send to the OpenID Foundation with the test results etc. takes an hour or so. Part of the submission package includes a Certification of Conformance document that requires a signature which is the usual cause of delays.
- Once the certification package is submitted and payment received, the OpenID Foundation will process the submission.
- OpenID Foundation Certification Program FAQ: https://openid.net/certification/faq/
- OpenID certification is a ’self certification’ and the engineers at your bank run the tests against your organization’s server and then send the OpenID Foundation the results to be certified.
- Financial-grade API (FAPI), Explained by an Implementer (Portuguese): https://openid.net/financial-grade-api-fapi-explicada-por-um-desenvolvedor/
- OpenID Foundation Workshop for Open Banking Brazil Demonstrating the FAPI Conformance Tests for Brazil: https://www.youtube.com/watch?v=zW14qlYg5Ts
Please send any FAPI certification questions to: firstname.lastname@example.org
When running the tests for Brazil, the keys required are:
- Client 1’s private key (used for signing the request object and, if private_key_jwt, for client authentication)
- Client 2’s private key
- Organization private key (the BRSEAL used for signing payment API request body)
- Organization private key for client 2 (the BRSEAL used for signing payment API request body)
Some of these keys may be the same key, however the private key used for client 1 and client 2 must be different for the ‘ensure-matching-key-in-authorization-request’ test to pass. This can be accomplished either:
- by using BRSEAL keys for two different organisations (and hence entering the same key in the client 1 private key and organization 1 private key)
- if you are using the Brazil sandbox directory, by adding different signing keys to each of the client’s software statements in the directory, and using those for the client keys, and entering the BRSEAL in the organization key.