# SIG Breakout Session: 2025-12-17
- Date: 17 December 2025
- Time:
  - 12:00 - 13:00 UTC
  - 08:00 - 09:00 EDT (UTC-4)
  - 12:00 - 13:00 GMT (UTC+0)
  - 13:00 - 14:00 CET (UTC+1)
  - 13:00 - 14:00 WAT (UTC+1)
  - 14:00 - 15:00 EET (UTC+2)
  - 17:30 - 18:30 IST (UTC+5:30)
  - 21:00 - 22:00 JST (UTC+9)
  - 22:00 - 23:00 AEST (UTC+10)
- Zoom Link: https://us06web.zoom.us/j/81611246656
## Agenda
Agenda Items to discuss
## Attendees
- Francis Pouatcha
## Notes
Notes by Topic
## New Support
### 1. AuthZEN
Specifications:
- https://openid.net/wg/authzen/
AuthZEN GitHub:
- https://github.com/openid/authzen
- https://github.com/openid/authzen/tree/main/interop/authzen-idp
- https://authzen-interop.net/
AuthZEN IdP Interop:
- https://sts.authzen-interop.net/
### 2. Workload/Agentic Identity
Specifications:
- [Transaction Tokens](https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/)
- [OAuth Identity and Authorization Chaining Across Domains](https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/)
- [OAuth 2.0 Dynamic Client Registration with Trusted Issuer Credentials](https://datatracker.ietf.org/doc/draft-kasselman-oauth-dcr-trusted-issuer-token/)
- [OAuth Client Registration on First Use with SPIFFE](https://datatracker.ietf.org/doc/draft-kasselman-oauth-spiffe/)
- [OAuth SPIFFE Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-spiffe-client-auth/)
- [Identity Assertion Authorization Grant](https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-assertion-authz-grant/)
- [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/)
Related Epic Issue:
- 21/21 [#43152 Authorization Grants](https://github.com/keycloak/keycloak/issues/43152)
2025/12/17
- For Transaction Tokens, Dmitry started experimenting with [CEL](https://cel.dev/), to implement policy decisions and claim mapping. Can potentially use CEL in other areas.
### 3. Shared Signals Framework (SSF)
Specifications:
- [OpenID Shared Signals Framework Specification 1.0 Final](https://openid.net/specs/openid-sharedsignals-framework-1_0-final.html)
- [OpenID Continuous Access Evaluation Profile 1.0 Final](https://openid.net/specs/openid-caep-1_0-final.html)
- [OpenID RISC Profile Specification 1.0](https://openid.net/specs/openid-risc-1_0-final.html)
PoCs:
- [Shared Signals Framework for Keycloak](https://github.com/identitytailor/keycloak-ssf-support)
Issues:
- [#43616 Add initial support for OpenID Shared Signals Framework](https://github.com/keycloak/keycloak/issues/43614)
Active Draft PRs: [#43950 Initial support for Shared Signals Framework with Push Delivery](https://github.com/keycloak/keycloak/pull/43950)
### 4. OpenID Federation 1.0 (OIDFED)
Specifications:
- [OpenID Federation 1.0 - draft 45](https://openid.net/specs/openid-federation-1_0.html)
Discussions:
- [#31027 Support for OpenID Federation 1.0](https://github.com/keycloak/keycloak/discussions/31027#discussioncomment-14727205)
Epic Issues:
- 0/10 [#40509 OpenID Federation implementation](https://github.com/keycloak/keycloak/issues/40509)
Slack:
- https://cloud-native.slack.com/archives/C096PUDTC3U
Issues:
- https://github.com/keycloak/keycloak/issues/42634
- https://github.com/keycloak/keycloak/issues/42635
### 5. Attestation-Based Client Auth
Specification:
- [OAuth 2.0 Attestation-Based Client Authentication (ver 07)](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/)
Discussion: [#40413 Support for OAuth 2.0 Attestation-Based Client Authentication](https://github.com/keycloak/keycloak/discussions/40413)
PoCs:
- https://github.com/thomasdarimont/keycloak/tree/poc/client-attestation
Slacks:
- [Discussion on OAuth Attestation-based client authentication](https://cloud-native.slack.com/archives/C05KR0TL4P8/p1758286805101949)
Epic Issues:
- 0/5 [#43136 Add support for OAuth 2.0 Attestation-based client authentication](https://github.com/keycloak/keycloak/issues/43136)
### 6. Model Context Protocol (MCP)
Specifications:
- [Version 2025-03-26: Authorization](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization)
- [Version 2025-06-18: Authorization](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization)
- [Version 2025-11-25: Authorization](https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization)
#### Standards Compliance MCP requires
| Standard | 2025-03-26 | 2025-06-18 | 2025-11-25 | Keycloak 26.5 |
| - | - | - | - | - |
| [Internet Draft - The OAuth 2.1 Authorization Framework](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-14) | MUST | MUST | MUST | Supported |
| [RFC 8414 OAuth 2.0 Authorization Server Metadata](https://datatracker.ietf.org/doc/html/rfc8414) | MUST | MUST | MUST | Supported |
| [RFC 7591 OAuth 2.0 Dynamic Client Registration Protocol](https://datatracker.ietf.org/doc/html/rfc7591) | SHOULD | SHOULD | MAY | Supported |
| [Internet Draft - OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) | - | - | SHOULD | Not supported |
#### MCP version compliance
The basic criterion for compliance: "Keycloak supports MCP" means that Keycloak meets all MUST and SHOULD requirements of the MCP authorization specification.
| MCP Version | Conformance |
| - | - |
| [2025-03-26](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization) | Supported |
| [2025-06-18](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization) | Supported (\*1) |
| [2025-11-25](https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization) | Supported without OAuth Client ID Metadata Document (\*1) |
\*1: The MCP specification does not explicitly require an authorization server to support the "Token Audience Binding" feature, but Keycloak needs to support it in practice. There are several workarounds for that.
Active PRs:
- [#35711 Add support for RFC 8707 OAuth2 Resource Indicators](https://github.com/keycloak/keycloak/pull/35711)
- [#44572 MCP Documentation for 26.5](https://github.com/keycloak/keycloak/pull/44572)
#### Token Audience Binding (for 2025-06-18, 2025-11-25)
2025-12-17:
Takashi: I sent [the PR](https://github.com/keycloak/keycloak-playground/pull/25) with the tentative measure for Token Audience Binding to the keycloak-playground repository.
#### OAuth Client ID Metadata Document (for 2025-11-25)
2025-12-17:
Takashi: no progress.
## Refinement
### 7. OpenID Verifiable Credentials Issuance (OpenID4VCI)
Specifications:
- [OpenID for Verifiable Credential Issuance 1.0 (FINAL)](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-final.html)
Active PRs:
- Draft [#44207 Polishing of key-binding in sd-jwt SDK](https://github.com/keycloak/keycloak/pull/44207)
- [#44615 [OID4VCI] Expose advanced realm-level OID4VCI settings in the Admin UI](https://github.com/keycloak/keycloak/pull/44615)
- Draft [#44716 Account console QR code generation for OID4VCI credentials is broken](https://github.com/keycloak/keycloak/pull/44716)
- [#44765 [OID4VCI] Realign naming of attribute configuring algorithms for credential](https://github.com/keycloak/keycloak/pull/44765)
Epic Issues:
- 5/8 [#43396 [OID4VCI] Implementing support for OID4VCI Final Version](https://github.com/keycloak/keycloak/issues/43396)
- 6/9 [#43932 Promote OID4VCI to preview feature](https://github.com/keycloak/keycloak/issues/43932)
- 8/37 [#43936 [OID4VCI] Feedback from IBM team on OID4VCI feature](https://github.com/keycloak/keycloak/issues/43936)
Discussion:
- [#44764 Integration of AIA to OID4VCI Pre-authorization code flow](https://github.com/keycloak/keycloak/discussions/44764)
Blog Posts:
- [Draft blog post on the support of OpenID4VCI](https://github.com/keycloak/keycloak-web/pull/682)
2025/12/17
Issues:
- https://github.com/keycloak/keycloak/issues/44836
  - Will be taken by Ingrid as soon as she is available, but the issue is put on hold for now, waiting for the discussion.
  - Related: https://github.com/keycloak/keycloak/discussions/44764
  - Francis will give his feedback during the holidays.
- https://github.com/keycloak/keycloak/issues/44834
  - Marek will respond to the last comment soon.
- https://github.com/keycloak/keycloak/issues/44795
  - Please add automated tests and let us improve the test coverage.
PRs:
- https://github.com/keycloak/keycloak/pull/44954
  - To be reviewed by Ingrid.
- https://github.com/keycloak/keycloak/pull/44946
  - To be reviewed by Marek.
- https://github.com/keycloak/keycloak/pull/44931
- https://github.com/keycloak/keycloak/pull/44903, https://github.com/keycloak/keycloak/pull/44828
  - Marek will take a look.
- https://github.com/keycloak/keycloak/issues/44849
  - Ready for review.
- https://github.com/keycloak/keycloak/pull/44874
  - Depends on: https://github.com/keycloak/keycloak/issues/44849
- https://github.com/keycloak/keycloak/pull/44871
  - Waiting for a non-adorsys reviewer.
- https://github.com/keycloak/keycloak/pull/44840
  - Seeking an adorsys reviewer.
### 7.a Token Status List
Specifications:
- [Token Status List](https://github.com/oauth-wg/draft-ietf-oauth-status-list?tab=readme-ov-file#implementations-open-source)
### 8. Token Exchange
Epic Issues:
- https://github.com/keycloak/keycloak/issues/43151 (this serves as the epic ticket)
- [#38335 External to internal token exchange](https://github.com/keycloak/keycloak/issues/38335)
- [#40704 Internal to external token exchange](https://github.com/keycloak/keycloak/issues/40704)
2025-12-17:
Takashi: both epic issues are closed as not planned because they are realized by the JWT authorization grant. Therefore, the topic will be removed from the next meeting.
### 9. OpenID4VCI Wallet Testing
Issues:
- [Test-setup for OpenID Foundation Conformance tests for OpenID4VCI Support #42505](https://github.com/keycloak/keycloak/issues/42505)
  - Completed.
### Others
- [Keycloak User Group UK](https://www.meetup.com/keycloak-user-group-uk/). First Meeting to be hosted at Backbase (tentatively, late Feb 2026).
## Recordings
TBA