FAPI OP Conformance Testing & Certification Submission Overview for Open Banking Brazil


INSTRUCTIONS

STEP 1

The first step is to pay for FAPI certification fees: https://openid.net/certification/fees/

Some Open Banking Brazil organizations have chosen to pay certification fees via Mirow and others pay the OpenID Foundation directly. If your organization has paid via Mirow, there is nothing further for you to do in this regard.


STEP 2

Once your organization has paid FAPI certification fees, the next step is to test your FAPI implementation.

FAPI OP Testing Instructions: https://openid.net/certification/fapi_op_testing/

The main testing differences for Open Banking Brazil come from extra requirements in the Brazil specifications, including:

  • A Brazil-specific pre-lodged intent mechanism is used and is passed via a structured scope
  • Encrypted request objects are required when passed via the front channel
  • Refresh tokens must be supported
  • Access token lifetime must be between 300 and 900 seconds (inclusive)
  • Only PS256 is permitted
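
A local pre-flight check for three of these requirements can save a failed test run. The sketch below is an added example, not part of the conformance suite or the OpenID Foundation's instructions; the function names are hypothetical, and applying the PS256 check to the id_token signature is an assumption about where the rule is tested.

```python
import base64
import json

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jose_header(compact):
    """Decode the protected header of a compact JWS or JWE."""
    return json.loads(_b64url_decode(compact.split(".")[0]))

def check_token_response(resp):
    """Return findings for a token endpoint response (empty list = OK)."""
    findings = []
    expires_in = resp.get("expires_in")
    if type(expires_in) is not int or not 300 <= expires_in <= 900:
        findings.append(f"expires_in={expires_in!r} is outside 300..900 seconds")
    if not resp.get("refresh_token"):
        findings.append("no refresh_token issued")
    id_token = resp.get("id_token", "")
    # Assumption: only a signed (three-part) id_token is inspected here.
    if id_token.count(".") == 2 and jose_header(id_token).get("alg") != "PS256":
        findings.append("id_token is not signed with PS256")
    return findings

def check_front_channel_request_object(request_param):
    """A compact JWE has five dot-separated parts; a bare JWS has three."""
    if request_param.count(".") != 4:
        return ["request object is not encrypted (not a compact JWE)"]
    return []

def fake_jws(alg):
    """Constructed sample token: real header, placeholder signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': alg})}.{enc({'sub': 'constructed'})}.c2ln"

if __name__ == "__main__":
    bad = {"expires_in": 3600, "id_token": fake_jws("RS256")}
    good = {"expires_in": 900, "refresh_token": "constructed", "id_token": fake_jws("PS256")}
    print(check_token_response(bad))    # three findings
    print(check_token_response(good))   # no findings
    print(check_front_channel_request_object(fake_jws("PS256")))  # signed only
```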

An example configuration for Brazil is available.

Dynamic client registration tests are also available for Brazil. These are specific to the Brazil ecosystem: the tests cannot be passed unless your authorization server accepts software statements generated by an Open Banking Brazil directory. There is an example configuration for the DCR tests.

 
STEP 3

Once your organization has successfully completed the FAPI conformance tests, the final step is to submit your certification request to the OpenID Foundation.

FAPI OP Certification Submission Instructions: https://openid.net/certification/op_submission/

Once your organization has successfully certified its FAPI implementation, the results are published: https://openid.net/certification/#FAPI_OPs

Please note:

  • It is very important to follow the submission instructions or your certification request will be delayed.
  • If there are issues with your certification request, a member of the OpenID Foundation certification team will follow up to identify the issues.
  • Certification requests will not be processed if certification fees have not been received.
  • Processing times are expected to be longer than normal in the few weeks before the go live deadline.


TIMELINE

  1. Configure your organization’s system to be compliant with the FAPI specifications: this is usually the hardest part. Your organization’s internal expertise and/or the vendor you have selected determine how difficult the process is.
  2. Set up the test configuration: this requires creating keys, creating clients on the sandbox directory and onboarding the clients to your server. For a good engineer who has all the necessary skills and access to the directory, this process takes a few hours.
  3. Run the FAPI conformance tests: takes a few hours.
  4. Fix any failures and rerun the conformance tests until you successfully pass.
  5. Prepare the certification submission package to send to the OpenID Foundation with the test results etc.: this takes an hour or so. The submission package includes a Certification of Conformance document that requires a signature, which is the usual cause of delays.
  6. Once the certification package is submitted and payment received, the OpenID Foundation will process the submission.


HINTS

  • OpenID Foundation Certification Program FAQ: https://openid.net/certification/faq/
  • OpenID certification is a ‘self certification’: the engineers at your bank run the tests against your organization’s server and then send the OpenID Foundation the results to be certified.


HELP

Please send any FAPI certification questions to: certification@oidf.org

KEYS

When running the tests for Brazil, the keys required are:

  • Client 1’s private key (used for signing the request object and, if private_key_jwt, for client authentication)
  • Client 2’s private key
  • Organization private key (the BRSEAL used for signing the payment API request body)
  • Organization private key for client 2 (the BRSEAL used for signing the payment API request body)

Some of these keys may be the same key; however, the private keys used for client 1 and client 2 must be different for the ‘ensure-matching-key-in-authorization-request’ test to pass. This can be accomplished either:

  1. by using BRSEAL keys for two different organisations (and hence entering the same key in the client 1 private key and organization 1 private key)
  2. if you are using the Brazil sandbox directory, by adding different signing keys to each of the clients’ software statements in the directory, and using those for the client keys, and entering the BRSEAL in the organization key.
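
Before entering the keys, it is worth confirming that client 1 and client 2 really hold different key material, since the same key re-exported under a new `kid` still counts as the same key. The check below is an added example, not part of the test suite: it compares RFC 7638 SHA-256 thumbprints, assumes the keys are held as RSA JWK sets (PS256 keys are RSA), and uses hypothetical function names and constructed, non-functional sample values.

```python
import base64
import hashlib
import json

def rsa_jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the required RSA members only.

    Only e, kty and n are read, so a private JWK can be passed as-is;
    kid, use, alg and the private members do not affect the result.
    """
    if jwk.get("kty") != "RSA":
        raise ValueError("expected an RSA key for PS256")
    canonical = json.dumps({k: jwk[k] for k in ("e", "kty", "n")},
                           separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def distinct_client_keys(client1_jwks, client2_jwks):
    """True when the two JWK sets share no key material."""
    t1 = {rsa_jwk_thumbprint(k) for k in client1_jwks["keys"]}
    t2 = {rsa_jwk_thumbprint(k) for k in client2_jwks["keys"]}
    return t1.isdisjoint(t2)

# Constructed sample values: the moduli are placeholders, not usable keys.
CLIENT1 = {"keys": [{"kty": "RSA", "kid": "client1-sig", "e": "AQAB", "n": "c2FtcGxlLW1vZHVsdXMtQQ"}]}
SAME_KEY_NEW_KID = {"keys": [{"kty": "RSA", "kid": "client2-sig", "e": "AQAB", "n": "c2FtcGxlLW1vZHVsdXMtQQ"}]}
CLIENT2 = {"keys": [{"kty": "RSA", "kid": "client2-sig", "e": "AQAB", "n": "c2FtcGxlLW1vZHVsdXMtQg"}]}

if __name__ == "__main__":
    print(distinct_client_keys(CLIENT1, SAME_KEY_NEW_KID))  # same key, renamed
    print(distinct_client_keys(CLIENT1, CLIENT2))           # different keys
```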

TIMELINES

OP certification

Deadline to send certification requests: Sep 24
Go live: Oct 29 (all certifications submitted by the deadline will be published before go live date)

RP certification

Open for beta testing (accounts API): Sep 13
Open for beta testing (payments API & DCR): Sep 27
Open Banking Brazil RP Community Group Slack channel goes live: Sep 27
All RP tests in production and start of certification: Oct 04
Deadline to send certification requests: Oct 15
Go live: Oct 29