# SIG Meeting: 2025-07-02 25th Meeting (70th from Ex FAPI-SIG)
[Meeting Slides](https://github.com/keycloak/kc-sig-fapi/blob/main/OAuth-SIG/meetings/25th/presentations/OAuth-SIG_25th_MTG_agenda.pdf)
- Date: Wed 2 July 2025
- Time:
  - 11:00 - 12:00 UTC
  - 07:00 - 08:00 EDT (UTC-4)
  - 12:00 - 13:00 BST (UTC+1)
  - 13:00 - 14:00 CEST (UTC+2)
  - 14:00 - 15:00 EEST (UTC+3)
  - 16:30 - 17:30 IST (UTC+5:30)
  - 20:00 - 21:00 JST (UTC+9)
  - 21:00 - 22:00 AEST (UTC+10)
## Agenda
Agenda Items to discuss
## Attendees
- Takashi Norimatsu
- Thomas Darimont
- Pascal Knüppel
- Forkim Akwichek
- Vinod Anandan
- Marek Posolda
- Dmitry Telegin
- Kannan Rasappan
- Costas Georgilakis
- Rodrick Awambeng
- Bertrand Ogen
## Notes
Notes by Topic
### General
- Takashi presents the current state of efforts
- Next OAuth SIG meeting will be held on Wednesday 6 July 2025.
## New Support
### 1. Workload Identity - Transaction Token, SPIFFE
- Dmitry will give a talk at KeyConf NL and is also involved with the "Workload Identity" working group
- Dmitry: DCR (dynamic client registration) is not suitable due to overhead and the lack of a cleanup mechanism
- Dmitry: Pieter Kasselman has a draft for an "ad-hoc" "automatic" client registration with a cleanup mechanism (https://datatracker.ietf.org/doc/html/draft-kasselman-oauth-spiffe)
### 2. OAuth 2.0 for First-Party Applications (FiPA)
- Adorsys built support for FiPA based on an extension for a customer
- They are considering contributing this to Keycloak
- Discussion on FiPA: https://github.com/keycloak/keycloak/discussions/38796
### 3. Shared Signals Framework (SSF)
- Thomas: no progress with the implementation
- Thomas: SSF Working Group is working towards finalization (currently aligning spec texts CAEP, RISC, SSF), see https://github.com/openid/sharedsignals
### 4. OpenID Federation 1.0 (OIDFED)
- Costas: will present a talk at KeyConf NL about OpenID Federation support in Keycloak
- OpenID Federation Support Issue: https://github.com/keycloak/keycloak/issues/40509
- Current OpenID Federation Draft No. 43: https://openid.net/specs/openid-federation-1_0.html
- Dynamic Client Registration for OpenID Federation in the context of Open Banking UK: https://openbankinguk.github.io/dcr-docs-pub/v3.3/dynamic-client-registration.html
### 5. FIDO2 conformance test
- Backbase / Dmitry: No update on FIDO Conformance tests
### 6. Attestation-Based Client Auth
- Thomas: FYI, the OIDF Cert Team is currently adding support for Client Attestation based Client Authentication
### 7. Model Context Protocol (MCP)
- MCP Specification: https://modelcontextprotocol.io/specification/2025-06-18
- Takashi gives an MCP overview
- Keycloak might be used as the Authorization Server in the context of MCP. For this, the Authorization Server must be aware of the MCP Resource Server
- Keycloak issues -> Needs OAuth Server metadata: https://github.com/keycloak/keycloak/discussions/40809
- Keycloak needs proper Token Audience Binding -> RFC 8787 OAuth2 Resource Indicator Support
- Thomas: PR for OAuth2 Resource Indicator Support https://github.com/keycloak/keycloak/pull/35711; the PR needs tests. Marek recommends StandardTokenExchangeV2Test
## Refinement
### 8. OpenID Verifiable Credentials Issuance (OID4VCI)
- Thomas: Conformance Tests are still on ID2 Draft 15
- Thomas: The current spec version is the recently released Draft 16
- OpenID4VCI for Keycloak: aim for ID2 Draft 15 -> to be able to run with the conformance tests
- Thomas: Conformance Tests will probably be updated by August
### 9. Token Exchange
- Marek: Internal to Internal is working
- Marek: Internal to External is potentially coming next
### 10. Demonstrating Proof-of-Possession (DPoP)
- Takashi: now investigating the spec of the DPoP nonce.
### 11. Passkeys
### 12. FAPI 2.0 FINAL
- Thomas: New release of the Conformance Tests: https://gitlab.com/openid/conformance-suite/-/releases/release-v5.1.33
- Thomas: FAPI2 Security Profile Final tests are available (next to the old ID2 ones for comparison)
- Thomas: The OIDF Cert Team is still working on fixes for the FAPI2 Security Profile Final tests
- Thomas: Keycloak conformance testing could be configured to use the "Final" version -> https://github.com/keycloak/kc-sig-fapi/tree/main/conformance-tests-env/conformance-suite/fapi-conformance-suite-configs
## KeyConf 25
## Recordings
https://us06web.zoom.us/recording/detail?meeting_id=wnY6Pua3S0%2BWVjtQNamflQ%3D%3D&show_share=true