The growing demand for secure and easy-to-use digital authentication in critical digital services requires new approaches that combine flexibility, scalability, and regulatory compliance. This paper proposes the integration of the OpenID Connect (OIDC) protocol with the Brazilian Public Key Infrastructure (ICP-Brasil), which can create a robust and legally valid digital authentication and identification system. Combining these two systems allows ICP-Brasil digital certificates to be used in OIDC authentication flows, bringing improved security, legal validity, and a simplified user experience. This integration is especially relevant in regulated sectors, such as financial services, insurance, private pensions, government, and healthcare, where trust and security are necessary conditions.
Introduction
Digital transformation, driven by emerging technologies such as Open Insurance and Open Banking (Open Finance), requires authentication systems that are both secure and intuitive. At the same time, compliance and security requirements are growing exponentially in regulated digital environments such as the financial, insurance, private pension, healthcare and government sectors.
The Brazilian Public Key Infrastructure (ICP-Brasil) has played a fundamental role in digital authentication, ensuring the identity of individuals and legal entities with a high level of security and legal validity. However, ICP-Brasil, traditionally associated with document signing, still lacks integration with modern authentication technologies such as OpenID Connect (OIDC), which has been consolidated as a global standard for federated authentication and Single Sign-On (SSO).
This paper proposes an innovative solution that combines the flexibility of OIDC with the security and legal validity of ICP-Brasil. This merger offers a new approach to digital authentication and secure identity, allowing ICP-Brasil certificates to be used in OIDC authentication flows. Implementing this model can improve the user experience while meeting regulatory and security demands.
Technological Context
OpenID Connect (OIDC)
OIDC is an authentication protocol built on top of OAuth 2.0, allowing applications to verify the identity of users based on authentication performed by a third-party identity provider. OIDC facilitates Single Sign-On (SSO), allowing a user to access multiple services and applications with a single login, in a secure and standardized manner. Additionally, OIDC uses JSON Web Tokens (JWTs) to authenticate and transmit data between services.
ICP-Brasil
ICP-Brasil is a public key infrastructure responsible for issuing digital certificates in Brazil, with legal validity for authentication and signing of electronic documents. ICP-Brasil certification guarantees the identity of individuals and entities, ensuring the integrity and authenticity of digital transactions, based on Law 14.063/2020.
Integration Proposal: OIDC + ICP-Brasil
The integration between OIDC and ICP-Brasil aims to create a model that combines the flexibility and open standard of OIDC with the breadth, security and legal reliability of ICP-Brasil, offering a robust digital authentication system that is adaptable to different contexts.
Key Integration Components:
Digital Certificate-Based Authentication
Users can use ICP-Brasil digital certificates for authentication in OIDC flows. Instead of using a conventional login and password, authentication would be done through verification of the digital certificate, significantly increasing the level of security and trust in the identification process.
Issuance of JWT Tokens with ICP-Brasil Signature
OIDC uses JWT tokens to transmit information between the identity provider and applications. In the proposed integration, these tokens would be signed with ICP-Brasil digital certificates, ensuring the legal validity and integrity of the transmitted data.
Identity Confirmation with Certified Attributes
The ICP-Brasil digital certificate contains verified personal information, such as the CPF and the name of the holder. These attributes would be used to compose the OIDC ID Token, ensuring that the data used for authentication is reliable and, more importantly, complies with Brazilian legal requirements.
Single Sign-On (SSO) with Legal Validity
The integration would allow users to log in to multiple systems using the ICP-Brasil certification as the central identity. SSO would be facilitated by OIDC, while legal validity would be guaranteed by the ICP-Brasil digital signature.
Validation of Electronic Transactions and Contracts
The integration would enable the validation of sensitive transactions and electronic contracts with ICP-Brasil digital signatures, providing legal security and regulatory compliance, especially relevant for sectors such as banking and government.
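The three components above that touch the token itself (certificate-based login, a JWT signed with the certificate key, and certified attributes in the ID Token) can be modelled end to end. The Go program below is an added example, not code from this paper or from any ICP-Brasil product: it creates a self-signed certificate that stands in for an e-CPF certificate (constructed, with the holder's name and CPF assumed to sit in the subject CN as "NAME:CPF"), issues an RS256 ID Token that carries that certificate in the x5c header, and verifies it on the relying-party side by chaining x5c to the trusted root before checking the signature, audience and expiry.

```go
package main
import ("crypto"; "crypto/rand"; "crypto/rsa"; "crypto/sha256"; "crypto/x509"; "crypto/x509/pkix"
	"encoding/base64"; "encoding/json"; "errors"; "math/big"; "strings"; "time")
var b64 = base64.RawURLEncoding
// NewTestCert builds a self-signed stand-in for an ICP-Brasil e-CPF certificate (constructed; CN laid out as "NAME:CPF" by assumption).
func NewTestCert(cn string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: true,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// IssueIDToken signs an RS256 ID Token with the certificate key; name and CPF are read from the subject and the certificate travels in x5c.
func IssueIDToken(cert *x509.Certificate, key *rsa.PrivateKey, iss, aud string) (string, error) {
	name, cpf, ok := strings.Cut(cert.Subject.CommonName, ":")
	if !ok { return "", errors.New("subject CN is not NAME:CPF") }
	hdr, _ := json.Marshal(map[string]any{"alg": "RS256", "typ": "JWT", "x5c": []string{base64.StdEncoding.EncodeToString(cert.Raw)}})
	body, _ := json.Marshal(map[string]any{"iss": iss, "sub": cpf, "name": name, "aud": aud,
		"iat": time.Now().Unix(), "exp": time.Now().Add(10 * time.Minute).Unix()})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil { return "", err }
	return input + "." + b64.EncodeToString(sig), nil
}
// VerifyIDToken accepts a token only if its x5c certificate chains to the trusted root, the signature verifies under that certificate, and aud/exp hold.
func VerifyIDToken(token string, root *x509.Certificate, aud string) (map[string]any, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 { return nil, errors.New("malformed JWT") }
	var hdr struct{ Alg string; X5c []string } // encoding/json matches these field names case-insensitively
	if raw, err := b64.DecodeString(p[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" || len(hdr.X5c) == 0 {
		return nil, errors.New("header must declare RS256 and carry x5c") // the alg named by the token is never trusted on its own
	}
	der, err := base64.StdEncoding.DecodeString(hdr.X5c[0])
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil { return nil, errors.New("x5c is not a valid certificate") }
	roots := x509.NewCertPool(); roots.AddCert(root)
	if _, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil { return nil, err }
	sig, err := b64.DecodeString(p[2])
	if err != nil || cert.CheckSignature(x509.SHA256WithRSA, []byte(p[0]+"."+p[1]), sig) != nil { return nil, errors.New("signature does not verify under the x5c certificate") }
	var claims map[string]any
	if raw, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(raw, &claims) != nil { return nil, errors.New("bad claims") }
	if exp, _ := claims["exp"].(float64); int64(exp) < time.Now().Unix() { return nil, errors.New("token expired") }
	if claims["aud"] != aud { return nil, errors.New("audience mismatch") }
	return claims, nil
}
```

Reading the CPF from the CN is a simplification; production code must take it from the certificate fields ICP-Brasil actually specifies and must also check revocation status, which this example omits.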
Advantages of Integration
Security and Trust: The use of ICP-Brasil digital certificates guarantees the security of authentications and transactions, eliminating the dependence on traditional credentials (such as passwords) that are vulnerable to attacks.
Legal Compliance: ICP-Brasil grants legal validity to authentications and transactions, something essential for systems that operate in regulated environments, such as banks and governments.
Simplified User Experience: With OIDC, the user can log in once (Single Sign-On) to multiple systems, using their digital certificate, simplifying the usage flow and promoting a more fluid experience.
Integration of OpenID Connect (OIDC) with ICP-Brasil (PKI)