
Moving Open Banking towards Open Source in Brazil

Gluu announces that its Open Banking Distribution, based on the Linux Foundation Janssen project, meets all certification criteria for FAPI OpenID for the Brazilian Banking specification.

Gluu’s open banking distribution is in production at many leading banks in Brazil through our partner products and services. With the help of the community and our partners, Gluu is able to fuel development and research to continue to meet and exceed industry standards specifically for the banking sector.

Gluu is certified as a FAPI 1 Advanced Final (Generic) provider and remains one of the most certified open source platforms meeting this specification with every new release. 

Gluu is compliant with current Brazilian banking specifications. Clients may use PAR, JARM, and client authentication based on mutual TLS or a JSON Web Token signed with the client's private key. Gluu’s open banking distribution also supports the Dynamic Client Registration (DCR) specifications, which require a more involved setup, including registration with the official Brazilian institutions, ensuring integrity throughout authorization.

Most open banking markets selected FAPI as a global standard, including FDX (for the US and Canada), the UK, Australia, Brazil, Nigeria, and New Zealand. Some financial markets, such as the UK and Brazil, added security requirements beyond the FAPI standard, developing domestic or regional FAPI profiles in partnership with the OpenID Foundation.

The Gluu Authorization Server (AS) will support these features by default. Moreover, these features are also FAPI certified for Brazil Open Banking (based on FAPI 1 Advanced Final).

PAR, or Pushed Authorization Requests, is handled by an additional endpoint of the Authorization Server (AS). Clients POST their authorization parameters to this endpoint and in return receive a reference (the request URI value) that the client uses in its subsequent authorization request. PAR thus lets OAuth clients push the payload of an authorization request directly to the authorization server, over an authenticated back channel, in exchange for a request URI value; that value stands in for the authorization request payload in the following call to the authorization endpoint. The Gluu server can also set different PAR expirations for different clients.
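The following is an added example, not Gluu or Janssen code, that models the PAR exchange described above from the server's side: the push step that issues a request URI, and the authorization-endpoint step that resolves it. The per-client lifetimes, client names and `ParEndpoint`/`ParError` names are constructed for illustration; the `urn:ietf:params:oauth:request_uri:` prefix is the one defined by RFC 9126.

```python
# Added example (not Gluu/Janssen code): a minimal in-memory model of a PAR
# endpoint, showing the checks an AS makes when a pushed request is stored
# and when its request_uri is later presented at the authorization endpoint.
import secrets
import time

REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"  # prefix from RFC 9126
DEFAULT_PAR_LIFETIME = 60  # seconds

# Constructed sample: per-client lifetimes, mirroring the point above that
# PAR expiration can differ per client.
CLIENT_PAR_LIFETIME = {"bank-app": 90, "fintech-app": 30}


class ParError(Exception):
    """Raised when a pushed request cannot be accepted or resolved."""


class ParEndpoint:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._store = {}  # request_uri -> (client_id, expires_at, params)

    def push(self, authenticated_client_id, params):
        """POST to the PAR endpoint: validate, store the payload, return a reference.

        authenticated_client_id is the identity established by client
        authentication on the back channel (e.g. mutual TLS); the client_id
        inside the pushed payload must agree with it.
        """
        if params.get("client_id") != authenticated_client_id:
            raise ParError("client_id in payload does not match authenticated client")
        if "request_uri" in params:
            raise ParError("request_uri must not appear in a pushed request")
        lifetime = CLIENT_PAR_LIFETIME.get(authenticated_client_id, DEFAULT_PAR_LIFETIME)
        # Unguessable reference; the payload itself never appears in a browser URL.
        request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)
        self._store[request_uri] = (authenticated_client_id, self._clock() + lifetime, dict(params))
        return {"request_uri": request_uri, "expires_in": lifetime}

    def resolve(self, client_id, request_uri):
        """Authorization endpoint side: consume a request_uri and return the payload.

        The reference is single use: it is removed from the store on first
        presentation, whether or not the remaining checks pass.
        """
        entry = self._store.pop(request_uri, None)
        if entry is None:
            raise ParError("unknown or already used request_uri")
        owner, expires_at, params = entry
        if owner != client_id:
            raise ParError("request_uri was issued to a different client")
        if self._clock() > expires_at:
            raise ParError("request_uri expired")
        return params


if __name__ == "__main__":
    endpoint = ParEndpoint()
    pushed = endpoint.push("bank-app", {
        "client_id": "bank-app",
        "response_type": "code",
        "redirect_uri": "https://app.example/callback",  # constructed
        "scope": "openid accounts",
    })
    print("issued:", pushed)
    print("resolved:", endpoint.resolve("bank-app", pushed["request_uri"]))
```

The three failure paths in `resolve` (unknown or reused reference, wrong client, expired reference) are the ones worth surfacing in AS logs: a burst of them from one client usually points at a misconfigured relying party rather than at the AS.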

JARM, or JWT Secured Authorization Response Mode, is a newer JWT-based response mode for encoding authorization responses (see Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0). Clients can request that the authorization response parameters be transmitted, along with additional data, as a JWT. This mechanism strengthens the standard authorization response by adding support for signing and encryption, sender authentication, and audience restriction. It also protects against replay, credential leakage, and mix-up attacks, and it can be combined with any response type.
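As an added example (not Gluu or Janssen code), the block below builds a JARM response JWT the way the paragraph describes it and then validates it on the client side, checking each of the properties named above: signature (sender authentication), `aud` (audience restriction), `iss` (mix-up protection), `exp` and `state` (replay protection). A production AS signs JARM responses with an asymmetric key; HMAC-SHA256 is used here as a stand-in so the block runs with only the standard library. The issuer URL, client id, code, state and key are constructed values.

```python
# Added example (not Gluu/Janssen code): building and validating a JARM
# response JWT. HS256 stands in for the asymmetric signature a real AS uses.
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact-serialise and sign a JWT (HS256 stand-in for PS256/ES256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    encode = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = encode(header) + "." + encode(claims)
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def build_jarm_response(issuer, client_id, code, state, key, lifetime=600, now=None):
    """AS side: wrap the authorization response parameters in a signed JWT."""
    now = time.time() if now is None else now
    claims = {
        "iss": issuer,            # lets the client detect mix-up (wrong AS)
        "aud": client_id,         # audience restriction: only this client may use it
        "exp": int(now + lifetime),  # bounds the replay window
        "code": code,             # the authorization code itself
        "state": state,           # echoed so the client can bind it to its session
    }
    return sign_jwt(claims, key)


class JarmError(Exception):
    """Raised when a JARM response fails validation."""


def verify_jarm_response(response_jwt, expected_issuer, client_id, expected_state, key, now=None):
    """Client side: validate the response JWT and return its claims.

    Every check here corresponds to a property listed in the text; a failure
    should be treated as an authorization failure, not retried.
    """
    now = time.time() if now is None else now
    parts = response_jwt.split(".")
    if len(parts) != 3:
        raise JarmError("malformed JWT")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never accept an alg you did not expect
        raise JarmError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise JarmError("signature does not verify (sender not authenticated)")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        raise JarmError("issuer mismatch (possible mix-up attack)")
    if claims.get("aud") != client_id:
        raise JarmError("audience mismatch (response not meant for this client)")
    if now >= claims.get("exp", 0):
        raise JarmError("response expired (replay window closed)")
    if claims.get("state") != expected_state:
        raise JarmError("state mismatch (response not bound to this session)")
    return claims


if __name__ == "__main__":
    key = b"constructed-demo-key"
    token = build_jarm_response("https://as.example", "bank-app", "c0de-constructed", "st4te", key)
    print(verify_jarm_response(token, "https://as.example", "bank-app", "st4te", key))
```

Because the code travels inside a signed, audience-restricted JWT rather than as a bare query parameter, a leaked or replayed redirect carries nothing a different client can use, which is the credential-leakage protection the paragraph refers to.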

For more details about FAPI support, you can check our Gluu documentation to launch your Open Banking authentication services on EKS or other cloud native computing environments.