# SIG Breakout Session: 2025-11-26
- Date: 26 November 2025
- Time:
  - 12:00 - 13:00 UTC
  - 07:00 - 08:00 EST (UTC-5)
  - 12:00 - 13:00 GMT (UTC+0)
  - 13:00 - 14:00 CET (UTC+1)
  - 13:00 - 14:00 WAT (UTC+1)
  - 14:00 - 15:00 EET (UTC+2)
  - 17:30 - 18:30 IST (UTC+5:30)
  - 21:00 - 22:00 JST (UTC+9)
  - 22:00 - 23:00 AEST (UTC+10)
Zoom Link: https://us06web.zoom.us/j/81611246656
## Agenda
Agenda Items to discuss
## Attendees
- Takashi Norimatsu
- Vinod Anandan
- Ingrid Kamga
- Rodrick Awambeng
- Bertrand Ogen
## Notes
Notes by Topic
## New Support
### 1. Workload/Agentic Identity
Specifications:
- [Transaction Tokens](https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/)
- [OAuth Identity and Authorization Chaining Across Domains](https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/)
- [OAuth 2.0 Dynamic Client Registration with Trusted Issuer Credentials](https://datatracker.ietf.org/doc/draft-kasselman-oauth-dcr-trusted-issuer-token/)
- [OAuth Client Registration on First Use with SPIFFE](https://datatracker.ietf.org/doc/draft-kasselman-oauth-spiffe/)
- [OAuth SPIFFE Client Authentication](https://datatracker.ietf.org/doc/draft-schwenkschuster-oauth-spiffe-client-auth/)
- [Identity Assertion Authorization Grant](https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-assertion-authz-grant/)
- [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/)
20251126
- No update
### 2. Shared Signals Framework (SSF)
Specifications:
- [OpenID Shared Signals Framework Specification 1.0 Final](https://openid.net/specs/openid-sharedsignals-framework-1_0-final.html)
- [OpenID Continuous Access Evaluation Profile 1.0 Final](https://openid.net/specs/openid-caep-1_0-final.html)
- [OpenID RISC Profile Specification 1.0](https://openid.net/specs/openid-risc-1_0-final.html)
PoCs:
- [Shared Signals Framework for Keycloak](https://github.com/identitytailor/keycloak-ssf-support)
Issues:
- [#43616 Add initial support for OpenID Shared Signals Framework](https://github.com/keycloak/keycloak/issues/43614)
Active Draft PRs:
- [#43950 Initial support for Shared Signals Framework with Push Delivery](https://github.com/keycloak/keycloak/pull/43950)
20251126
- No update
### 3. OpenID Federation 1.0 (OIDFED)
Specifications:
- [OpenID Federation 1.0 - draft 44](https://openid.net/specs/openid-federation-1_0.html)
Discussions:
- [#31027 Support for OpenID Federation 1.0](https://github.com/keycloak/keycloak/discussions/31027#discussioncomment-14727205)
Epic Issues:
- [#40509 OpenID Federation implementation](https://github.com/keycloak/keycloak/issues/40509)
Slack:
- https://cloud-native.slack.com/archives/C096PUDTC3U
Related Issues:
- https://github.com/keycloak/keycloak/issues/42634
- https://github.com/keycloak/keycloak/issues/42635
20251126
- Today the OpenID Connect Working Group started a two-week Working Group Last Call (WGLC) for the OpenID Federation 1.0 specification.
- The PR will be updated.
### 4. Attestation-Based Client Auth
Specification:
- [OAuth 2.0 Attestation-Based Client Authentication (ver 07)](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/)
Discussion: [#40413 Support for OAuth 2.0 Attestation-Based Client Authentication](https://github.com/keycloak/keycloak/discussions/40413)
PoCs:
- https://github.com/thomasdarimont/keycloak/tree/poc/client-attestation
Slack:
- [Discussion on OAuth Attestation-based client authentication](https://cloud-native.slack.com/archives/C05KR0TL4P8/p1758286805101949)
20251126
- See below (OID4VCI).
### 5. Model Context Protocol (MCP)
Specifications:
- [Version 2025-03-26: Authorization](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization)
- Takashi: according to my investigation, Keycloak supports this version.
- [Version 2025-06-18: Authorization](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization)
- Takashi: according to my investigation, Keycloak supports this version partially.
- [Version 2025-11-25: Authorization](https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization)
- Takashi: under investigation. I have found that Keycloak does not support [OAuth Client ID Metadata Document](https://www.ietf.org/archive/id/draft-ietf-oauth-client-id-metadata-document-00.html), which that version of MCP requires an authorization server to support as a "SHOULD" feature.
Active PRs:
- [#35711 Add support for RFC 8707 OAuth2 Resource Indicators](https://github.com/keycloak/keycloak/pull/35711)
- Takashi: the PR is needed to make Keycloak fully comply with MCP version 2025-06-18 and future versions.
20251126
- Takashi: MCP ver 2025-11-25 was released. I am investigating its contents.
- Client ID Metadata Document not yet supported by Keycloak.
- Takashi to perform a gap analysis and provide the result by next week.
## Refinement
### 6. OpenID for Verifiable Credential Issuance (OpenID4VCI)
Specifications:
- [OpenID for Verifiable Credential Issuance 1.0 (FINAL)](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-final.html)
Active PRs:
- [#44029 [OID4VCI] VC of type oid4vc_natural_person has invalid id value](https://github.com/keycloak/keycloak/pull/44029)
- [#44370 Make sd-jwt key binding verification work with EdDSA keys](https://github.com/keycloak/keycloak/pull/44370)
Merged PRs in this week:
- [#43834 [OID4VCI]: Realm-Configurable Time-Claim Normalization (Randomize/Round) to Mitigate Correlation](https://github.com/keycloak/keycloak/pull/43834)
- [#44227 [OID4VCI] Redesign SDJwt API and handle keybinding JWT](https://github.com/keycloak/keycloak/pull/44227)
- [#44037 [OID4VCI] Fix deprecated realm-scoped well-known endpoint access](https://github.com/keycloak/keycloak/pull/44037)
Epic Issues:
- [#43396 [OID4VCI] Implementing support for OID4VCI Final Version](https://github.com/keycloak/keycloak/issues/43396)
Blog Posts:
- https://github.com/ADORSYS-GIS/keycloak-web/pull/1
20251126
- Open PRs (label area/oid4vc): https://github.com/keycloak/keycloak/pulls?q=is%3Apr+is%3Aopen+label%3Aarea%2Foid4vc+
  - Stefan will review: https://github.com/keycloak/keycloak/pull/44389
  - adorsys team will review: https://github.com/keycloak/keycloak/pull/44471
- Client Attestation: there is a gap between the spec and the work done by Thomas; an issue is to be created by the adorsys team, and work is scheduled to start in January.
- Blog Post:
  - Rodrick: removing technical details.
  - Ingrid: cURL steps to be replaced with screenshots.
- Wallet:
  - Forkim: most of them are working on Draft 15.
- Labelling of PRs: please notify Marek after creating a ticket so it can be labelled.
- Preview:
  - Parity between API configuration and UI
  - Documentation
  - Blog post
  - Feature shall be production ready.
- Internal presentation by Marek to the Keycloak team in December on the OID4VCI feature.
- Conformance test:
  - Keycloak is compliant in every possible way, even with the recent changes made by Thomas.
  - Not many updates expected.
### 6.a Token Status List
Specifications:
- [Token Status List](https://github.com/oauth-wg/draft-ietf-oauth-status-list?tab=readme-ov-file#implementations-open-source)
20251126
- No update.
### 7. Token Exchange
Epic Issues:
- [#43151](https://github.com/keycloak/keycloak/issues/43151) (epic-style ticket)
- [#38335 External to internal token exchange](https://github.com/keycloak/keycloak/issues/38335)
- [#40704 Internal to external token exchange](https://github.com/keycloak/keycloak/issues/40704)
20251126
- No update from last week.
- The KC team is working on RFC 7523 (JWT Bearer grant) as a means to support authorization chaining across domains.
- Other use cases of Token Exchange V1 are to be pursued next year.
### 8. OpenID4VCI Wallet Testing
Issues:
- [Test-setup for OpenID Foundation Conformance tests for OpenID4VCI Support #42505](https://github.com/keycloak/keycloak/issues/42505)
20251126
- Forkim: most of them are working on Draft 15.
- Wallets tested:
  - Niscy (https://github.com/niscy-eudiw/eudi-app-android-wallet-ui)
    - Niscy wallet [KO]: only works with a preconfigured list of issuers, so we can't test with Keycloak, nor can we confirm whether it is running on OID4VCI Final.
  - Valera (https://github.com/a-sit-plus/valera)
    - Valera [OK]: works, but with patched code. Probably still running on Draft 15, like the Lissi wallet.
  - Ubique (https://alpaka.ubique.ch/shared/app/build/xT7xWvQmTe)
    - The issuance flow on Keycloak works perfectly.
    - Might be on a later draft.
    - Ubique [KO]: can't accept a credential issued by Keycloak. Quite certainly running on Draft 13.
  - Heidi (another wallet by Ubique) [OK]: works, but with patched code. Probably still running on Draft 15, like the Lissi wallet.
### Others
## Recordings
https://us06web.zoom.us/rec/share/6sFDxupPDNuy0t21r5ld3unPuMExcmF2QEgYEi_XnO4HUUMf5p_RTVaiN4LNAQ3K.G4DD9QpK6TY83W8z