# SIG Breakout Session: 2025-10-15 - Date: 15 October 2025 - Time: 11:00 - 12:00 UTC in 1 hour 07:00 - 08:00 EDT (UTC-4) 12:00 - 13:00 BST (UTC+1) 13:00 - 14:00 CEST (UTC+2) 14:00 - 15:00 EEST (UTC+3) 16:30 - 17:30 IST (UTC+5:30) 20:00 - 21:00 JST (UTC+9) 21:00 - 22:00 AEST (UTC+10) ## Agenda Agenda Items to discuss ## Attendees - Bertrand Ogen - Ingrid Kamga - Francis Pouatcha - Pascal Knüppel - Rodrick Awambeng - Forkim Akwichek - Takashi Norimatsu - Vinod Anandan - Arndt Schwenkschuster - Costas Georgilakis - Stefan Wiedemann - Assah Bismark ## Notes 15 October 2025: - Takashi: I proposed maintainers for running OIDF conformance tests before releasing every minor and major version release. I will disscuss it with them. ## New Support ### 1. Workload/Agentic Identity Specification: - [Transaction Tokens](https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/) - [OAuth Identity and Authorization Chaining Across Domains](https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/) - [OAuth 2.0 Dynamic Client Registration with Trusted Issuer Credentials](https://datatracker.ietf.org/doc/draft-kasselman-oauth-dcr-trusted-issuer-token/) - [OAuth Client Registration on First Use with SPIFFE](https://datatracker.ietf.org/doc/draft-kasselman-oauth-spiffe/) - [OAuth SPIFFE Client Authentication](https://datatracker.ietf.org/doc/draft-schwenkschuster-oauth-spiffe-client-auth/) - [Identity Assertion Authorization Grant](https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-assertion-authz-grant/) Issue: - [Support authenticating clients with SPIFFE/SPIRE](https://github.com/keycloak/keycloak/issues/41907) PoC: - [Keycloak and SPIRE for Agent Identity](https://github.com/christian-posta/keycloak-agent-identity) - [keycloak-spiffe](https://github.com/CarrettiPro/keycloak-spiffe) Epic Issue: - [Preview federated client authentication](https://github.com/keycloak/keycloak/issues/42230) Oct 15 2025 - New Proposal: https://datatracker.ietf.org/doc/draft-schwenkschuster-oauth-spiffe-client-auth/ - Main difference is the SPIFFE Key Distribution. - e.g Networking based trust. - For JWT: Does not necessary carry an issuer claim - For X509: special processing rules. (not implemented in keycloak as of now) - There a couple of null pointer exceptions in the code, being fixed by Stian. Use 26.4.1... ### 2. Shared Signals Framework (SSF) Specification: - [OpenID Shared Signals Framework Specification 1.0 Final](https://openid.net/specs/openid-sharedsignals-framework-1_0-final.html) - [OpenID Continuous Access Evaluation Profile 1.0 Final](https://openid.net/specs/openid-caep-1_0-final.html) - [OpenID RISC Profile Specification 1.0](https://openid.net/specs/openid-risc-1_0-final.html) PoC: [Shared Signals Framework for Keycloak](https://github.com/identitytailor/keycloak-ssf-support) ### 3. OpenID Federation 1.0 (OIDFED) Specification: - [OpenID Federation 1.0 - draft 43](https://openid.net/specs/openid-federation-1_0.html) Epic Issue: [#40509](https://github.com/keycloak/keycloak/issues/40509) Slack: https://cloud-native.slack.com/archives/C096PUDTC3U https://github.com/keycloak/keycloak/issues/42634 https://github.com/keycloak/keycloak/issues/42635 Oct 15th 2025 - Costas: no update. - Keycloak shall support both SPIFFE and OpenID Federation. Even though similar, is not the same. OIDF need trust anchor in order to work. - Consolidation of the whole trust work in the keycloak echosystem is going on. ### 4. Attestation-Based Client Auth Specification: - [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/) Ticket: [#39287](https://github.com/keycloak/keycloak/issues/39287) Discussion: [#40413](https://github.com/keycloak/keycloak/discussions/40413) PoC : https://github.com/thomasdarimont/keycloak/tree/poc/client-attestation Slack: Discussion on OAuth Attestation-based client authentication https://cloud-native.slack.com/archives/C05KR0TL4P8/p1758286805101949 Oct 15 2025 Interresting Discussion: https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/issues/152 - Nature of the Client: Public or Confidential ### 5. Model Context Protocol (MCP) Specification: - [Base Protocol - Authorization](https://modelcontextprotocol.io/specification/draft/basic/authorization) Pull request active: [#35711](https://github.com/keycloak/keycloak/pull/35711) 15 October 2025: - Takashi: 1 of 2 issues were resolved. (no progress, 50%) - There is an issue using keycloak with MCP Inspector. As MCP Inspector tries to register itself with KC using a cross origine JS code. But not supported by keycloak. KC does not support CORS. MCP Spec does not mandate support of CORS either. - MCP Dev Summit London: Oct 2.: - Nov 25 Major version of MCP spec will be released. - Especting major changes. - Will require gap analysis with KC implementeion. - DCR version will be released 2 weeks before. Takashi will do a gap analysis after this release. ### 5a. OAuth2 Resource Indicators - Review of PR started: https://github.com/keycloak/keycloak/pull/35711#issuecomment-3380054867 - MCP Client must support RFC8707 - Might be adavisable to keycloak to be compliant to RFC 8707. ## Refinement ### 6. OpenID Verifiable Credentials Issuance (OpenID4VCI) Specification: - [OpenID for Verifiable Credential Issuance 1.0 (FINAL)](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-final.html) Epic Issues: - [Promote OID4VCI from experimental to preview](https://github.com/keycloak/keycloak/issues/42889) - [[OID4VCI] Implementing support for OID4VCI Final Version](https://github.com/keycloak/keycloak/issues/43396) Open PRs: - [[OID4VCI] Relax CORS policy on credential offer endpoint](https://github.com/keycloak/keycloak/pull/43182) - [[OID4VCI] Ensure authorization_details from PAR requests are properly returned in token responses](https://github.com/keycloak/keycloak/pull/43215) 15 October 2025: - Takashi: I will review them, but would appreciate it if other member also could review them. - Status - Done with draft 15 & 16 and done with the conformance tests - promotion epic: https://github.com/keycloak/keycloak/issues/42889 - Repo to have epic tickets tracked by the KC team: https://github.com/keycloak/keycloak-web - Gap Analysis to Final Spec: https://github.com/keycloak/keycloak/issues/43396 - Support of ISO mdoc in the planning by adorsys team. - Takashi: Webauthn4j libs already support CBOR. So Takashi expect CBOR to be in there. https://github.com/webauthn4j/webauthn4j. Keycloak uses webauthn4j library... - Todo: check to see what lib webauthn4j uses for cbor. - WebAuthn4J uses CBOR to parse and process the binary-encoded attestation objects, authenticator data, and cryptographic keys that are fundamental to WebAuthn authentication operations, see(https://webauthn4j.github.io/webauthn4j/en/#custom-converter-implementation). ### 7. Token Exchange Epic Issue: [External to internal token exchange](https://github.com/keycloak/keycloak/issues/38335) Epic Issue: [Internal to external token exchange](https://github.com/keycloak/keycloak/issues/40704) 15 October 2025: - Takashi: It seems that there is no progress. ### Others ## Recordings https://us06web.zoom.us/rec/share/yQIyi7wZKmVKgMdLunGunoidJn2PwkRGRbbsuSmxyYHrvFyPvOg6JHXu8qDJgxWb.oE5rq8wDuHgcJ22h