# SIG Breakout Session: 2025-11-19
- Date: 19 November 2025
- Time:
  - 12:00 - 13:00 UTC
  - 07:00 - 08:00 EST (UTC-5)
  - 12:00 - 13:00 GMT (UTC+0)
  - 13:00 - 14:00 CET (UTC+1)
  - 13:00 - 14:00 WAT (UTC+1)
  - 14:00 - 15:00 EET (UTC+2)
  - 17:30 - 18:30 IST (UTC+5:30)
  - 21:00 - 22:00 JST (UTC+9)
  - 22:00 - 23:00 AEST (UTC+10)
Zoom Link: https://us06web.zoom.us/j/81611246656
## Agenda
Agenda Items to discuss
## Attendees
- Takashi Norimatsu
- Ingrid Kamga
- Francis Pouatcha
- Dmitry Telegin
- Thomas Darimont
- Forkim Akwichek
- Georgilakis Konstantinos
- Thomas Diesler
- Bertrand Ogen
- Awambeng Rodrick
## Notes
Notes by Topic
## New Support
### 1. Workload/Agentic Identity
Specifications:
- [Transaction Tokens](https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/)
- [OAuth Identity and Authorization Chaining Across Domains](https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/)
- [OAuth 2.0 Dynamic Client Registration with Trusted Issuer Credentials](https://datatracker.ietf.org/doc/draft-kasselman-oauth-dcr-trusted-issuer-token/)
- [OAuth Client Registration on First Use with SPIFFE](https://datatracker.ietf.org/doc/draft-kasselman-oauth-spiffe/)
- [OAuth SPIFFE Client Authentication](https://datatracker.ietf.org/doc/draft-schwenkschuster-oauth-spiffe-client-auth/)
- [Identity Assertion Authorization Grant](https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-assertion-authz-grant/)
- [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/)
20251119
- IETF (last week): the update will follow in two weeks' time, as part of the general SIG meeting (Dmitry & Arndt)
- For Transaction Tokens, the idea is to have a mapper for Token Exchange. (Dmitry)
- The spec does not focus on token content mapping, so the mapping needs to be configurable.
- TokenExchangeMapper details at the next session.
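As an added illustration of the configurable mapping discussed above (this is not Keycloak code, the SIG's code, or the planned TokenExchangeMapper): a Python sketch of a Transaction Token Service mapper that validates an RFC 8693 exchange request and builds the txn-token claim set from an already verified subject token. Assumptions: the claim names (`txn`, `sub_id`, `purp`, `azd`, `rctx`) and the `request_details`/`request_context` parameters follow my reading of the current Transaction Tokens draft and may change; `TxnTokenMapperConfig`, the issuer/trust-domain names and the sample request are constructed for the example.

```python
# Added illustration (not Keycloak code): a configurable claim mapper for a
# Transaction Token obtained via OAuth Token Exchange (RFC 8693). Claim names
# follow my reading of draft-ietf-oauth-transaction-tokens (assumption).
import base64
import json
import secrets
from dataclasses import dataclass
from typing import Optional

GRANT_TYPE_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
TOKEN_TYPE_TXN = "urn:ietf:params:oauth:token-type:txn_token"
TOKEN_TYPE_ACCESS = "urn:ietf:params:oauth:token-type:access_token"


@dataclass(frozen=True)
class TxnTokenMapperConfig:
    """Hypothetical per-realm mapper configuration (assumed, not a Keycloak API)."""
    issuer: str                  # 'iss': the Transaction Token Service
    trust_domain: str            # 'aud': the trust domain the token is valid in
    purpose: str                 # 'purp': what the transaction is for
    lifetime_seconds: int = 60   # txn tokens are meant to be short-lived
    subject_claim: str = "sub"   # subject-token claim that feeds 'sub_id'
    rctx_from_subject: tuple = ("client_id",)  # subject-token claims copied into 'rctx'
    allowed_subject_token_types: frozenset = frozenset({TOKEN_TYPE_ACCESS})


def _b64url_json(value: str) -> dict:
    """Decode a base64url-encoded JSON object (request_details / request_context)."""
    decoded = json.loads(base64.urlsafe_b64decode(value + "=" * (-len(value) % 4)))
    if not isinstance(decoded, dict):
        raise ValueError("invalid_request: expected a JSON object")
    return decoded


def validate_exchange_request(form: dict, cfg: TxnTokenMapperConfig) -> dict:
    """Reject anything that is not a well-formed txn-token exchange request.
    Returns the decoded optional request_details ('azd') / request_context ('rctx')."""
    if form.get("grant_type") != GRANT_TYPE_TOKEN_EXCHANGE:
        raise ValueError("unsupported_grant_type")
    if form.get("requested_token_type") != TOKEN_TYPE_TXN:
        raise ValueError("invalid_request: requested_token_type must be txn_token")
    if form.get("subject_token_type") not in cfg.allowed_subject_token_types:
        raise ValueError("invalid_request: subject_token_type not allowed")
    if not form.get("subject_token"):
        raise ValueError("invalid_request: subject_token missing")
    if form.get("audience") != cfg.trust_domain:
        raise ValueError("invalid_target: audience is not this trust domain")
    extra = {}
    for param, claim in (("request_details", "azd"), ("request_context", "rctx")):
        if param in form:
            extra[claim] = _b64url_json(form[param])
    return extra


def map_txn_token_claims(subject_claims: dict, form: dict, cfg: TxnTokenMapperConfig,
                         now: int, txn_id: Optional[str] = None) -> dict:
    """Build the txn-token claim set from a subject token whose signature was already checked."""
    extra = validate_exchange_request(form, cfg)
    subject = subject_claims.get(cfg.subject_claim)
    if not subject:
        raise ValueError(f"invalid_request: subject token lacks '{cfg.subject_claim}'")
    # A txn token must never outlive the subject token it was derived from.
    exp = now + cfg.lifetime_seconds
    if "exp" in subject_claims:
        exp = min(exp, int(subject_claims["exp"]))
    if exp <= now:
        raise ValueError("invalid_request: subject token has expired")
    rctx = dict(extra.get("rctx", {}))
    for claim in cfg.rctx_from_subject:  # configurable: which subject claims flow into rctx
        if claim in subject_claims:
            rctx[claim] = subject_claims[claim]
    return {
        "iss": cfg.issuer,
        "iat": now,
        "exp": exp,
        "aud": cfg.trust_domain,
        "txn": txn_id or secrets.token_urlsafe(16),
        "sub_id": {"format": "opaque", "id": str(subject)},  # RFC 9493 subject identifier
        "purp": cfg.purpose,
        "azd": extra.get("azd", {}),
        "rctx": rctx,
    }


def is_rejected(subject_claims: dict, form: dict, cfg: TxnTokenMapperConfig, now: int) -> bool:
    """True when the mapper refuses the exchange (shows the negative path)."""
    try:
        map_txn_token_claims(subject_claims, form, cfg, now)
    except ValueError:
        return True
    return False


# Constructed sample input: an exchange request from a workload in the trust domain.
SAMPLE_CFG = TxnTokenMapperConfig(issuer="https://tts.example.internal",
                                  trust_domain="example.internal", purpose="checkout")
SAMPLE_SUBJECT_CLAIMS = {"sub": "alice", "client_id": "shop-web", "exp": 1_700_000_030}
SAMPLE_FORM = {
    "grant_type": GRANT_TYPE_TOKEN_EXCHANGE,
    "requested_token_type": TOKEN_TYPE_TXN,
    "subject_token": "<verified access token>",
    "subject_token_type": TOKEN_TYPE_ACCESS,
    "audience": "example.internal",
    "request_context": base64.urlsafe_b64encode(
        json.dumps({"req_ip": "203.0.113.7"}).encode()).rstrip(b"=").decode(),
}

if __name__ == "__main__":
    print(json.dumps(map_txn_token_claims(SAMPLE_SUBJECT_CLAIMS, SAMPLE_FORM, SAMPLE_CFG,
                                          now=1_700_000_000, txn_id="txn-1"), indent=2))
```

The two checks worth keeping whatever the final claim layout turns out to be are the `audience` match against the trust domain (the txn token is only meaningful inside it) and the `exp` cap at the subject token's own expiry.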
### 2. Shared Signals Framework (SSF)
Specifications:
- [OpenID Shared Signals Framework Specification 1.0 Final](https://openid.net/specs/openid-sharedsignals-framework-1_0-final.html)
- [OpenID Continuous Access Evaluation Profile 1.0 Final](https://openid.net/specs/openid-caep-1_0-final.html)
- [OpenID RISC Profile Specification 1.0](https://openid.net/specs/openid-risc-1_0-final.html)
PoCs:
- [Shared Signals Framework for Keycloak](https://github.com/identitytailor/keycloak-ssf-support)
Issues:
- [#43616 Add initial support for OpenID Shared Signals Framework](https://github.com/keycloak/keycloak/issues/43614)
Active Draft PRs: [#43950 Initial support for Shared Signals Framework with Push Delivery](https://github.com/keycloak/keycloak/pull/43950)
- Example provided
- Impl Notes: Minimal
- It is an SPI
- Receiver will be connected with the new workflow support, so events can trigger workflows.
20251119
- No update
- This Friday: Thomas has an appointment with Apple. Goal: get enough information for Keycloak to support Apple School Manager and Apple Business Manager.
- Still waiting for feedback on the pull request [#43950 Initial support for Shared Signals Framework with Push Delivery](https://github.com/keycloak/keycloak/pull/43950)
- Dmitry would like to use the **generalized IDP** in the future for Transaction Tokens and Identity Chaining. Because of UI-extension limitations, this is to be done as an integral part of Keycloak and not as a Keycloak extension.
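As an added example of the receiver side described under the active PR above (this is my illustration, not code from the keycloak-ssf-support PoC or from PR #43950): a minimal SSF push-delivery receiver (RFC 8935) that verifies an incoming SET (RFC 8417), answers with the status and `err` codes the push spec defines, and hands each event to a handler, which is where a workflow trigger would hang. Assumptions: HS256 with a shared key stands in for the transmitter's JWKS-published asymmetric key so the example runs offline; the transmitter and realm URLs, the key and the sample CAEP `session-revoked` SET are constructed.

```python
# Added illustration (not the keycloak-ssf-support PoC or Keycloak PR code): an
# SSF push-delivery receiver (RFC 8935) for Security Event Tokens (RFC 8417).
# Assumption: HS256 with a shared key replaces the transmitter's asymmetric
# JWKS key so that the example is self-contained.
import base64
import hashlib
import hmac
import json
from typing import Callable, Dict, Optional, Tuple

SET_CONTENT_TYPE = "application/secevent+jwt"
CAEP_SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_set_hs256(claims: dict, key: bytes) -> str:
    """Transmitter side; used here only to build the fixture."""
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    return signing_input + "." + _b64url(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())


class PushReceiver:
    """Push endpoint logic: returns (HTTP status, error body) per RFC 8935 section 2.3."""

    def __init__(self, issuer: str, audience: str, key: bytes,
                 handlers: Dict[str, Callable[[dict, dict], None]]):
        self.issuer, self.audience, self.key, self.handlers = issuer, audience, key, handlers
        self.seen_jti: set = set()  # replay guard; a real deployment persists this

    def receive(self, content_type: str, body: str) -> Tuple[int, Optional[dict]]:
        if content_type != SET_CONTENT_TYPE:
            return 400, {"err": "invalid_request"}
        parts = body.split(".")
        if len(parts) != 3:
            return 400, {"err": "invalid_request"}
        header_b64, payload_b64, sig_b64 = parts
        try:
            header = json.loads(_b64url_decode(header_b64))
            claims = json.loads(_b64url_decode(payload_b64))
            signature = _b64url_decode(sig_b64)
        except ValueError:  # covers both bad base64 (binascii.Error) and bad JSON
            return 400, {"err": "invalid_request"}
        # Pin typ and alg, then verify, before trusting any claim in the payload.
        if header.get("typ") != "secevent+jwt" or header.get("alg") != "HS256":
            return 400, {"err": "invalid_key"}
        expected = hmac.new(self.key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return 400, {"err": "invalid_key"}
        if claims.get("iss") != self.issuer:
            return 400, {"err": "invalid_issuer"}
        aud = claims.get("aud")
        if aud != self.audience and not (isinstance(aud, list) and self.audience in aud):
            return 400, {"err": "invalid_audience"}
        events, jti = claims.get("events"), claims.get("jti")
        if not jti or not isinstance(events, dict) or not events:
            return 400, {"err": "invalid_request"}
        if jti in self.seen_jti:
            return 202, None  # duplicate delivery: acknowledge, do not re-trigger workflows
        for event_type, payload in events.items():
            handler = self.handlers.get(event_type)
            if handler is not None:  # unknown event types are acknowledged and ignored
                handler(claims.get("sub_id") or payload.get("subject") or {}, payload)
        self.seen_jti.add(jti)
        return 202, None


# Constructed sample: a CAEP session-revoked SET aimed at a Keycloak realm.
SAMPLE_KEY = b"constructed-shared-key-for-demo-only"
SAMPLE_CLAIMS = {
    "iss": "https://transmitter.example.com",
    "iat": 1_700_000_000,
    "jti": "c1d5a6e0-8e5c-4b86-9f2b-0a1b2c3d4e5f",
    "aud": "https://keycloak.example.com/realms/demo",
    "sub_id": {"format": "email", "email": "alice@example.com"},
    "events": {CAEP_SESSION_REVOKED: {"event_timestamp": 1_700_000_000,
                                      "reason_admin": {"en": "Revoked by policy"}}},
}
SAMPLE_SET = sign_set_hs256(SAMPLE_CLAIMS, SAMPLE_KEY)

if __name__ == "__main__":
    receiver = PushReceiver("https://transmitter.example.com",
                            "https://keycloak.example.com/realms/demo", SAMPLE_KEY,
                            {CAEP_SESSION_REVOKED: lambda subject, event: print("revoke sessions of", subject)})
    print(receiver.receive(SET_CONTENT_TYPE, SAMPLE_SET))
```

The ordering matters: signature first, then `iss` and `aud`, then `jti` de-duplication, and only then the handlers, so that an unauthenticated POST can never trigger a workflow and a redelivered SET does not run one twice.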
### 3. OpenID Federation 1.0 (OIDFED)
Specifications:
- [OpenID Federation 1.0 - draft 44](https://openid.net/specs/openid-federation-1_0.html)
- version bumped from draft 43 to 44
Discussions:
- [#31027 Support for OpenID Federation 1.0](https://github.com/keycloak/keycloak/discussions/31027#discussioncomment-14727205)
Epic Issues:
- [#40509 OpenID Federation implementation](https://github.com/keycloak/keycloak/issues/40509)
Slack:
- https://cloud-native.slack.com/archives/C096PUDTC3U
Issues:
- https://github.com/keycloak/keycloak/issues/42634
- https://github.com/keycloak/keycloak/issues/42635
20251119
- Vinod: Costas is still waiting for feedback from Stian
### 4. Attestation-Based Client Auth
Specification:
- [OAuth 2.0 Attestation-Based Client Authentication (ver 07)](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/)
Discussion: [#40413 Support for OAuth 2.0 Attestation-Based Client Authentication](https://github.com/keycloak/keycloak/discussions/40413)
Issues:
- [#39287 [OID4VCI] Understand key attestations as additional information to jwt proofs or as per new attestation proof type (for Key binding)](https://github.com/keycloak/keycloak/issues/39287)
- Its PR was merged and the issue is resolved.
PoCs:
- https://github.com/thomasdarimont/keycloak/tree/poc/client-attestation
Slack:
- [Discussion on OAuth Attestation-based client authentication](https://cloud-native.slack.com/archives/C05KR0TL4P8/p1758286805101949)
20251119
- Bertrand: I am reviewing the work in the context of adorsys' work. Still working on that.
- Vinod: Any update on the standard? Is HAIP going to use the standard?
- Thomas: HAIP is still being finalized.
- Guess: HAIP finalization around Q1
### 5. Model Context Protocol (MCP)
Specifications:
- [Version 2025-03-26: Authorization](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization)
- Takashi: according to my investigation, Keycloak supports this version.
- [Version 2025-06-18: Authorization](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization)
- Takashi: according to my investigation, Keycloak partially supports this version.
- [Draft: Authorization](https://modelcontextprotocol.io/specification/draft/basic/authorization)
- Takashi: the next version will be released on 25 Nov.
- Takashi: [SEPs to Implement - MCP Spec 25-11-2025](https://docs.google.com/document/d/1xY9yTSw4WqPjLJ6hT29kyogREP8J99L-dh7rqKpHUFU/edit?tab=t.0#heading=h.8zp1b7wxpe0k)
Active PRs:
- [#35711 Add support for RFC 8707 OAuth2 Resource Indicators](https://github.com/keycloak/keycloak/pull/35711)
- Takashi: the PR is needed to make Keycloak fully comply with MCP version 2025-06-18 and future versions.
20251119
- No update this week.
## Refinement
### 6. OpenID Verifiable Credentials Issuance (OpenID4VCI)
Specifications:
- [OpenID for Verifiable Credential Issuance 1.0 (FINAL)](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-final.html)
Active PRs:
- [#43834 [OID4VCI]: Realm-Configurable Time-Claim Normalization (Randomize/Round) to Mitigate Correlation](https://github.com/keycloak/keycloak/pull/43834)
- [#44227 [OID4VCI] Redesign SDJwt API and handle keybinding JWT](https://github.com/keycloak/keycloak/pull/44227)
- [#44037 [OID4VCI] Fix deprecated realm-scoped well-known endpoint access](https://github.com/keycloak/keycloak/pull/44037)
- [#44029 [OID4VCI] VC of type oid4vc_natural_person has invalid id value](https://github.com/keycloak/keycloak/pull/44029)
Merged PRs in this week:
- [#44153 Use the unified constants class for sd-jwt/oid4vc standard data and claims](https://github.com/keycloak/keycloak/pull/44153)
- [#44106 Sd-Jwt unit tests in the crypto/fips1402 module](https://github.com/keycloak/keycloak/pull/44106)
- [#43182 [OID4VCI] Relax CORS policy on credential offer endpoint](https://github.com/keycloak/keycloak/pull/43182)
- [#43951 [OID4VCI]: Add backward compatibility for Draft 15 wallets (single proof support)](https://github.com/keycloak/keycloak/pull/43951)
- [#44128 [OID4VCI]: Fix: Allow assignment of OID4VCI client scopes to clients in admin UI](https://github.com/keycloak/keycloak/pull/44128)
Epic Issues:
- [#43396 [OID4VCI] Implementing support for OID4VCI Final Version](https://github.com/keycloak/keycloak/issues/43396)
Blog Posts:
- https://github.com/ADORSYS-GIS/keycloak-web/pull/1
20251119
- UI ticket shall be submitted for review by Thursday.
- UI tickets are not big.
- Client-based attestation support is being actively worked on.
- PR sent by Thomas Diesler is being reviewed by adorsys.
- Marek: working on SD-JWT; will wait for Pascal's work to be merged.
- Blog post draft:
- Repo mentioned in the blog post is not yet in the SIG repo.
- Making the post easier to consume.
- Ingrid: PR is merged so Vinod can clone.
- Adorsys team could not get it to work with the Multipass wallet. Trying other wallets.
### 6.a Token Status List
Specifications:
- [Token Status List](https://github.com/oauth-wg/draft-ietf-oauth-status-list?tab=readme-ov-file#implementations-open-source)
20251119
- No update this week.
### 7. Token Exchange
Epic Issues:
- https://github.com/keycloak/keycloak/issues/43151: this is effectively the epic ticket.
- [#38335 External to internal token exchange](https://github.com/keycloak/keycloak/issues/38335)
- [#40704 Internal to external token exchange](https://github.com/keycloak/keycloak/issues/40704)
20251119
- No update this week.
- Still WIP on the authorization grant.
### 8. OpenID4VCI Wallet Testing
Issues:
- [Test-setup for OpenID Foundation Conformance tests for OpenID4VCI Support #42505](https://github.com/keycloak/keycloak/issues/42505)
### Others
- Dmitry is working on a concept for using third-party extensions to extend the Keycloak UI instead of forking everything. Looking for contributions. Ingrid is interested.
- Thomas: update on conformance test automation.
- Takashi and I held a small workshop last week to improve the test automation of the OpenID conformance tests.
- Link on how to run: https://github.com/keycloak/keycloak-oauth-sig/tree/main/conformance-tests-env
## Recordings
https://us06web.zoom.us/rec/share/KDvqvjZAB8_jYchTRcmzmRmiqkKUFaTZTwW5SAAy2rqxzuq4wysMHH-FqP0NP-ai.HjIx-GGi43qcXTs8