# SIG Breakout Session: 2025-06-18

- Date: Wed 18 June 2025
- Time: 11:00 - 12:00 UTC
  - 07:00 - 08:00 EDT (UTC-4)
  - 12:00 - 13:00 BST (UTC+1)
  - 13:00 - 14:00 CEST (UTC+2)
  - 14:00 - 15:00 EEST (UTC+3)
  - 16:30 - 17:30 IST (UTC+5:30)
  - 20:00 - 21:00 JST (UTC+9)
  - 21:00 - 22:00 AEST (UTC+10)

## Agenda

Agenda Items to discuss

## Attendees

- Takashi Norimatsu
- Pascal Knüppel
- Vinod Anandan
- Ingrid Kamga
- Francis Pouatcha
- Rodrick Awambeng
- Forkim Akwichek
- Costas Georgilakis

## Notes

Notes by Topic

## New Support

### Workload Identity

- Transaction Token, SPIFFE

### Shared Signals Framework (SSF)

### FIDO2 conformance test

## Refinement

### OpenID Verifiable Credentials Issuance (OID4VCI)

- PR:
  - https://github.com/keycloak/keycloak/pull/39768
    - Francis will take a look.
  - https://github.com/keycloak/keycloak/pull/39385
    - pending review from SIG & Marek
    - Francis will take a look.
  - https://github.com/keycloak/keycloak/pull/40409
    - pending review from SIG & Marek
    - Francis will take a look.
  - https://github.com/keycloak/keycloak/pull/40412
    - pending review from SIG & Marek
    - Francis will take a look.
  - https://github.com/keycloak/keycloak/pull/40229
    - pending review from SIG & Marek
    - Francis will take a look.

GitHub Issue for Tracking OID4VCI Draft 15: https://github.com/keycloak/keycloak/issues/39273

https://github.com/keycloak/keycloak/issues/39042#issuecomment-2979073705

"Just a note for tracking, according to @thomasdarimont and @Captain-P-Goldfish, the DPoP nonce is necessary in Germany for the use-cases related to OID4VCI. Nonce is "optional" feature of DPoP specification, but will be probably good to implement it before we have DPoP supported."

### Token Exchange

External-Internal Token exchange -> Not sure about when the work can be completed.

### Demonstrating Proof-of-Possession (DPoP)

- Epic Issue: [#22311](https://github.com/keycloak/keycloak/issues/22311)
- Takashi: I discussed [#21921](https://github.com/keycloak/keycloak/issues/21921) with Marek and decided that the issue is still open for tracking by the Keycloak development team. However, the current Keycloak has already localized enough the DPoP implementation (a few classes) to be easily managed by the Keycloak development team. Therefore, we will do nothing anymore for the issue.
- Takashi: I will prioritize and start working on DPoP nonce [#39042](https://github.com/keycloak/keycloak/issues/39042) instead of [#21921](https://github.com/keycloak/keycloak/issues/21921).
- Takashi: OIDF's OID4VCI conformance test follows HAIP profile and requires DPoP nonce support. Therefore, to pass the conformance test, Keycloak needs to support DPoP nonce.
- Takashi: I discussed [#33942](https://github.com/keycloak/keycloak/issues/33942) with Marek and decided that I re-review the whole comments on the issue and give some feedback.
- Takashi: No updates expected in this week (due to accommodating KubeCon Japan and its corresponding events).

### Passkeys

RH team is working on it.

### OAuth 2.0 for First-Party Applications (FiPA)

https://github.com/keycloak/keycloak/discussions/38796

- No feedback yet, Adorsys working on an extension.

https://datatracker.ietf.org/doc/draft-ietf-oauth-first-party-apps/01/

### FAPI 2.0

- Takashi: No updates

## Others

### Transient users

- Waiting for specification to mature.

### Attestation based client authentication

- Discussion: https://github.com/keycloak/keycloak/discussions/40413

### OpenID Federation 1.0

- Development started by Costas
- https://github.com/keycloak/keycloak/issues/40509
- https://github.com/keycloak/keycloak/discussions/31027#discussioncomment-13498223

## Recordings

https://us06web.zoom.us/rec/share/3ookpRO8zKGDSSUaR-tIwDeGGR-_dftf8Cf5QY8s5j29VmF4vTIxxysvlSe_3Ka1.ZeuWhfxLfGm_isDB