# SIG Breakout Session: 2025-07-09
- Date: Wed 9 July 2025
- Time:
  - 11:00 - 12:00 UTC
  - 07:00 - 08:00 EDT (UTC-4)
  - 12:00 - 13:00 BST (UTC+1)
  - 13:00 - 14:00 CEST (UTC+2)
  - 14:00 - 15:00 EEST (UTC+3)
  - 16:30 - 17:30 IST (UTC+5:30)
  - 20:00 - 21:00 JST (UTC+9)
  - 21:00 - 22:00 AEST (UTC+10)
## Agenda
Agenda Items to discuss
## Attendees
- Takashi Norimatsu
- Rodrick Awambeng
- Bertrand Ogen
- Vinod Anandan
- Ingrid Kamga
- Pascal Knüppel
- Forkim Akwichek
- Francis Pouatcha
- Stefan Wiedemann
- Dmitry Telegin
- Costas Georilakis
- krejzal ?
## Notes
## New Support
### 1. Workload Identity - Transaction Token, SPIFFE
- Dmitry is working on this. Nothing to report for now.
- Automatic client registration could be a viable and more efficient alternative to Dynamic Client Registration (DCR). This could also apply in the context of AI agents.
### 2. OAuth 2.0 for First-Party Applications (FiPA)
- Adorsys is still waiting for client approval to release the plugin. The best option would be a community review discussion, so that it can be integrated directly into Keycloak:
  https://github.com/keycloak/keycloak/discussions/38796
### 3. Shared Signals Framework (SSF)
- no update today.
### 4. OpenID Federation 1.0 (OIDFED)
- Takashi: Regarding [OpenID Federation OP with explicit registration](https://github.com/keycloak/keycloak/issues/40511), my colleague is interested in this topic, but it is not clear what type of contribution he will make and to what extent.
- bucchi submitted an article to Medium:
  https://bucchi.medium.com/building-trust-with-openid-federation-trust-chain-on-keycloak-f8ac021add3a
- Which draft version? -> Implementer's Draft 4 (draft 36) (https://openid.net/specs/openid-federation-1_0-ID4.html)
- Costas: By the way, for OpenID Federation our implementation is based on draft 42. I have observed that the latest version is now [OpenID Federation 1.0 - draft 43](https://openid.net/specs/openid-federation-1_0.html).
  We need to try to be compliant with the latest version.
### 5. FIDO2 conformance test
- Will be removed from the agenda.
### 6. Client Attestation
- In general, this is a proof of legitimacy presented by an OAuth client, based on an attestation issued by an authority that the authorization server trusts.
- https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/
- There is a PR on validating Wallet Attestations in OID4VCI: https://github.com/keycloak/keycloak/issues/39287
### 7. Model Context Protocol (MCP)
- Takashi: As a PoC, I implemented the [RFC 8414 compliant OAuth 2.0 Authorization Server Metadata well-known URI](https://datatracker.ietf.org/doc/html/rfc8414#section-3.1) and confirmed that it works as I expect.
- Takashi or colleagues might send a pull request for this feature in the future.
- The new well-known URL will be backward compatible with the existing implementation.
- https://github.com/keycloak/keycloak/issues/40923
- The feature might be helpful for OID4VCI support?
## Refinement
### 8. OpenID Verifiable Credentials Issuance (OID4VCI)
- Takashi: It seems that the latest OIDF conformance suite v5.1.33 has started including several alpha versions of some conformance tests, which include OID4VCI. Regardless of whether Keycloak can pass the tests or not, it would be good if someone ran the alpha version of the OID4VCI conformance test using the OAuth SIG's Conformance Test Execution Platform and contributed its settings (e.g., Keycloak's realm settings, conformance test run settings, etc.) to the platform.
- PRs waiting for review: https://github.com/keycloak/keycloak/pulls?q=is%3Apr+is%3Aopen+oid4vci
### 9. Token Exchange
- no update
### 10. Demonstrating Proof-of-Possession (DPoP)
- Epic Issue: [#22311](https://github.com/keycloak/keycloak/issues/22311)
- Takashi: 10 of 15 issues were resolved. (no progress, 67%)
- Takashi: I am now working on the FAPI 2.0 Final work item, so I have stopped the work on DPoP Nonce.
### 11. Passkeys
- Epic Issue: [#23656](https://github.com/keycloak/keycloak/issues/23656)
- Takashi: 17 of 21 issues were resolved. (+3 resolved, +2 newly added, 81%)
### 12. FAPI 2.0 FINAL
- Takashi: The latest OIDF conformance suite v5.1.33 has started including FAPI 2.0 Final (FAPI2 Security Profile Final and FAPI2 Message Signing Final).
- Takashi: I ran the FAPI 2.0 Final tests against kc-26.3.0 and found some tests it cannot pass. I will investigate them.
- Takashi: I found a change in conformance suite v5.1.33 regarding the Australia Consumer Data Right (AU-CDR).
  According to [the OIDF Certification Program](https://openid.net/certification/), there are three conformance profiles for AU-CDR:
  1. AU-CDR Adv. OP w/ Private Key
  2. AU-CDR Adv. OP w/ Private Key, PAR
  3. AU-CDR Adv. OP w/ Private Key, PAR, JARM

  It seems that the conformance suite from v5.1.33 onward only accepts the third conformance profile, while the current Conformance Test Execution Platform can run the first and second conformance profile tests.
  Therefore, I will modify the Conformance Test Execution Platform to run the third conformance profile test:
  https://github.com/keycloak/keycloak/pull/35443
## Recordings
https://us06web.zoom.us/rec/share/5NhPTBboMP6GFL-H9IwBGbbb4SWHif7W50SsUM8sA6bWBmd_oqOv36a6mR2epO7t.08ilIoakLOq82BTd?startTime=1752059161000