# SIG Breakout Session: 2025-09-17

- Date: 17 September 2025
- Time: 11:00 - 12:00 UTC
  - 07:00 - 08:00 EDT (UTC-4)
  - 12:00 - 13:00 BST (UTC+1)
  - 13:00 - 14:00 CEST (UTC+2)
  - 14:00 - 15:00 EEST (UTC+3)
  - 16:30 - 17:30 IST (UTC+5:30)
  - 20:00 - 21:00 JST (UTC+9)
  - 21:00 - 22:00 AEST (UTC+10)

## Agenda

Agenda Items to discuss

## Attendees

- Takashi Norimatsu
- Thomas Darimont
- Vinod Anandan
- Pascal Knüppel
- Rodrick Awambeng
- Ingrid Kamga
- Arndt Schwenkschuster
- Forkim Akwichek
- Dmitry Telegin
- Costas Georgilakis
- Stefan Wiedemann
- Bertrand Ogen

## New Support

### 1. Workload/Agentic Identity

Specification:

- [Transaction Tokens](https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/)
- [OAuth Identity and Authorization Chaining Across Domains](https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/)
- [OAuth 2.0 Dynamic Client Registration with Trusted Issuer Credentials](https://datatracker.ietf.org/doc/draft-kasselman-oauth-dcr-trusted-issuer-token/)
- [OAuth Client Registration on First Use with SPIFFE](https://datatracker.ietf.org/doc/draft-kasselman-oauth-spiffe/)
- [OAuth SPIFFE Client Authentication](https://datatracker.ietf.org/doc/draft-schwenkschuster-oauth-spiffe-client-auth/)
- [Identity Assertion Authorization Grant](https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-assertion-authz-grant/)

Issue:

- [Support authenticating clients with SPIFFE/SPIRE](https://github.com/keycloak/keycloak/issues/41907)

PoC:

- [Keycloak and SPIRE for Agent Identity](https://github.com/christian-posta/keycloak-agent-identity)
- [keycloak-spiffe](https://github.com/CarrettiPro/keycloak-spiffe)

Epic Issue:

- [Preview federated client authentication](https://github.com/keycloak/keycloak/issues/42230)

17 September 2025:

- How about holding a one-day community virtual event "KeyConf Virtual" focusing on recent advancements in Workload Identity, in mid Nov,

### 3. Shared Signals Framework (SSF)

Specification:

- [OpenID Shared Signals Framework Specification 1.0 Final](https://openid.net/specs/openid-sharedsignals-framework-1_0-final.html)
- [OpenID Continuous Access Evaluation Profile 1.0 Final](https://openid.net/specs/openid-caep-1_0-final.html)
- [OpenID RISC Profile Specification 1.0](https://openid.net/specs/openid-risc-1_0-final.html)

PoC: [Shared Signals Framework for Keycloak](https://github.com/identitytailor/keycloak-ssf-support)

17 September 2025:

### 4. OpenID Federation 1.0 (OIDFED)

Specification:

- [OpenID Federation 1.0 - draft 43](https://openid.net/specs/openid-federation-1_0.html)

Epic Issue: [#40509](https://github.com/keycloak/keycloak/issues/40509)

Slack: https://cloud-native.slack.com/archives/C096PUDTC3U

17 September 2025:

### 5. Attestation-Based Client Auth

Specification:

- [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/)

Ticket: [#39287](https://github.com/keycloak/keycloak/issues/39287)

Discussion: [#40413](https://github.com/keycloak/keycloak/discussions/40413)

PoC: https://github.com/thomasdarimont/keycloak/tree/poc/client-attestation

17 September 2025:

### 6. Model Context Protocol (MCP)

Specification:

- [Base Protocol - Authorization](https://modelcontextprotocol.io/specification/draft/basic/authorization)

Pull request active: [#35711](https://github.com/keycloak/keycloak/pull/35711)

17 September 2025:

- Takashi: 1 of 2 issues were resolved. (no progress, 50%)
- As for RFC 8707 Resource Indicators support, [#35711](https://github.com/keycloak/keycloak/pull/35711), adding a feature flag can be considered.

## Refinement

### 7. OpenID Verifiable Credentials Issuance (OpenID4VCI)

Specification:

- [OpenID for Verifiable Credential Issuance - draft 15](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-15.html)
- [OpenID for Verifiable Credential Issuance - draft 16](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-16.html)
- [OpenID for Verifiable Credential Issuance - draft 17](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-17.html)
- [OpenID for Verifiable Credential Issuance 1.0 (FINAL)](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-final.html)

Pull request active (https://github.com/keycloak/keycloak/pulls?q=is%3Apr+is%3Aopen+OID4VCI): [#41757](https://github.com/keycloak/keycloak/pull/41757), [#42622](https://github.com/keycloak/keycloak/pull/42622)

Epic Issue: [[OID4VCI] Implementing support for OID4VCI ID2 Draft 15](https://github.com/keycloak/keycloak/issues/39273)

26 of 28 issues were resolved (+3 resolved, 93%)

Epic Issue: [[OID4VCI] Implementing Support for OID4VCI ID2 draft 16](https://github.com/keycloak/keycloak/issues/41569)

20 of 22 issues were resolved (+12 resolved, +1 added 91%)

17 September 2025:

### 8. Token Exchange

Epic Issue: [External to internal token exchange](https://github.com/keycloak/keycloak/issues/38335)

Epic Issue: [Internal to external token exchange](https://github.com/keycloak/keycloak/issues/40704)

17 September 2025:

### 9. Demonstrating Proof-of-Possession (DPoP)

Epic Ticket: [#22311](https://github.com/keycloak/keycloak/issues/22311)

17 September 2025:

- Takashi: 14 of 16 issues were resolved. (no progress, 86%)
- Takashi: Keycloak 26.4 will officially support DPoP.

### Others

## Recordings

TBA