# SIG Breakout Session: 2025-08-20

- Date: Wed 20 August 2025
- Time: 11:00 - 12:00 UTC
  - 07:00 - 08:00 EDT (UTC-4)
  - 12:00 - 13:00 BST (UTC+1)
  - 13:00 - 14:00 CEST (UTC+2)
  - 14:00 - 15:00 EEST (UTC+3)
  - 16:30 - 17:30 IST (UTC+5:30)
  - 20:00 - 21:00 JST (UTC+9)
  - 21:00 - 22:00 AEST (UTC+10)

## Agenda

Agenda Items to discuss

## Attendees

- Takashi Norimatsu
- Vinod Anandan
- Pascal Knüppel
- Francis Pouatcha
- Thomas Darimont
- Rodrick Awambeng
- Bertrand Ogen
- Assah Bismark
- Dmitry Telegin
- Forkim Akwichek
- Ingrid Kamga
- Nathalia Pinesi
- Stefan Wiedemann

## Notes

- The repository name was changed ([#838](https://github.com/keycloak/keycloak-oauth-sig/issues/838)): https://github.com/keycloak/keycloak-oauth-sig

## Keyconf 25

- Next Thursday
- Everything is ready, all speakers confirmed.
- One might not be able to travel. Working on backup speaker.
- 120 people confirmed. Tickets still on sale.
- Link will be available to watch on YouTube (adorsys channel). Available from Thursday 9 CET.
- https://www.youtube.com/watch?v=soTPKxPx3Ig&list=PL7Azddo9KxKl_d405huHjgEnRU4M2Zjxz
- No breakout session

## New Support

### 1. Workload Identity - Transaction Token, SPIFFE

Specification:

- [OAuth 2.0 Dynamic Client Registration with Trusted Issuer Credentials](https://datatracker.ietf.org/doc/draft-kasselman-oauth-dcr-trusted-issuer-token/)
- [OAuth Client Registration on First Use with SPIFFE](https://datatracker.ietf.org/doc/draft-kasselman-oauth-spiffe/)
- [OAuth SPIFFE Client Authentication](https://datatracker.ietf.org/doc/draft-schwenkschuster-oauth-spiffe-client-auth/)

Issue:

- [Support authenticating clients with SPIFFE/SPIRE](https://github.com/keycloak/keycloak/issues/41907)

PoC:

- [Keycloak and SPIRE for Agent Identity](https://github.com/christian-posta/keycloak-agent-identity)
- [keycloak-spiffe](https://github.com/CarrettiPro/keycloak-spiffe)

20 August 2025:

Issue:

- [Support authenticating clients with SPIFFE/SPIRE](https://github.com/keycloak/keycloak/issues/41907)
- Still in the discussion mode.
- Overlapping of similarity with ???
- Target date for a dedicated session: 10th of September.
- Mentioning topic of similarities with Attestation based authentication, considering PoP
- Wimse: PoP
- Would be nice if one of us could perform a brief overview of all those.

### 2. OAuth 2.0 for First-Party Applications (FiPA)

Specification: [OAuth 2.0 for First-Party Applications](https://datatracker.ietf.org/doc/draft-ietf-oauth-first-party-apps/)

Discussion: [#38796](https://github.com/keycloak/keycloak/discussions/38796)

20 August 2025:

- adorsys working on a proof of concept. Done, waiting for the discussion to evolve.

### 3. Shared Signals Framework (SSF)

Specification:

- [OpenID Shared Signals Framework Specification 1.0](https://openid.net/specs/openid-sharedsignals-framework-1_0.html)
- [OpenID Continuous Access Evaluation Profile](https://openid.net/specs/openid-caep-1_0-ID2.html)
- [OpenID RISC Profile Specification 1.0](https://openid.net/specs/openid-risc-1_0-02.html)

PoC: [Shared Signals Framework for Keycloak](https://github.com/identitytailor/keycloak-ssf-support)

20 August 2025:

Misc:

- OpenID Foundation started a vote for finalizing the SSF specs: https://openid.net/notice-of-vote-to-approve-three-shared-signals-specifications/
- Vote open until August 29, 2025.
- Thomas is currently updating the OIDF Conformance Tests for SSF
- No update on the Keycloak side.

### 4. OpenID Federation 1.0 (OIDFED)

Epic Ticket: [#40509](https://github.com/keycloak/keycloak/issues/40509)

Slack: https://cloud-native.slack.com/archives/C096PUDTC3U

### 5. Client Attestation

Specification: [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/)

Ticket: [#39287](https://github.com/keycloak/keycloak/issues/39287)

Discussion: [#40413](https://github.com/keycloak/keycloak/discussions/40413)

PoC: https://github.com/thomasdarimont/keycloak/tree/poc/client-attestation

20 August 2025:

- Vinod: Addressing the PoP?
- Pull request submitted by adorsys on key attestation: https://github.com/keycloak/keycloak/pull/41688
- Second reviewer needed!

### 6. Model Context Protocol (MCP)

Specification: [Base Protocol - Authorization](https://modelcontextprotocol.io/specification/draft/basic/authorization)

Pull request active: [#35711](https://github.com/keycloak/keycloak/pull/35711), [#41440](https://github.com/keycloak/keycloak/pull/41440)

20 August 2025:

- Takashi: no progress.

## Refinement

### 7. OpenID Verifiable Credentials Issuance (OID4VCI)

Pull request active: [#40751](https://github.com/keycloak/keycloak/pull/40751)

Potential issue with the OID4VCI authorization code flow implementation; we will need to track it via a GitHub issue (related Slack discussion: https://cloud-native.slack.com/archives/C05KR0TL4P8/p1752669762102799 , https://cloud-native.slack.com/archives/C05KR0TL4P8/p1752670003236459 )

Pre-auth code flow issue: https://gitlab.com/openid/conformance-suite/-/issues/1544

20 August 2025:

- Link to draft 15: https://github.com/keycloak/keycloak/issues/39273
- Last major ticket: https://github.com/keycloak/keycloak/issues/39277
- Open pull requests: https://github.com/keycloak/keycloak/pulls?q=is%3Apr+is%3Aopen+OID4VCI
- [Notice of Vote to Approve OpenID for Verifiable Credential Issuance 1.0 Final Specification](https://openid.net/notice-of-vote-openid-for-verifiable-credential-issuance-1-0-final-specification/)
- [Draft 16 epic ticket #41569](https://github.com/keycloak/keycloak/issues/41569)
- [Draft 17: spec link - final](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-17.html#name-document-history)
- [LinkedIn Voting Announcement](https://www.linkedin.com/posts/openid-foundation_notice-of-vote-to-approve-openid-for-verifiable-activity-7363315065673895938-GFSB/)

### 8. Token Exchange

20 August 2025: No updates

### 9. Demonstrating Proof-of-Possession (DPoP)

Epic Ticket: [#22311](https://github.com/keycloak/keycloak/issues/22311)

20 August 2025:

- Takashi: no progress. 11 of 15 issues were resolved. (73%)

### 10. Passkeys

Epic Ticket: [#23656](https://github.com/keycloak/keycloak/issues/23656)

20 August 2025:

- Takashi: 26 of 27 issues were resolved. (+4 resolved, +3 added, 96%)

### 11. FAPI 2.0 FINAL

- FAPI 2.0 Security Profile Final was released this February.
- FAPI 2.0 Message Signing Final will be released on 19 August (still not fixed).

#### FAPI 2.0 Security Profile Final

Epic Ticket: [#38769](https://github.com/keycloak/keycloak/issues/38769)

Pull request active: [#41341](https://github.com/keycloak/keycloak/pull/41341)

20 August 2025:

- Takashi: 3 of 4 issues were resolved. (no progress, 75%)

#### FAPI 2.0 Message Signing Final

Epic Ticket: [#41311](https://github.com/keycloak/keycloak/issues/41311)

20 August 2025:

- Takashi: 1 of 3 issues was resolved. (no progress, 33%)

### Others

## Recordings

https://us06web.zoom.us/rec/share/0eVMoU0DoJfOhI2E35qTs6k2_2c3ecY04YvhwC7nKc3X1QcL8MgqeoMX9C8Lx_lY.81vWgdDuGBJl74WF

Passcode: c1&5E8pm