# SIG Breakout Session: 2025-09-10

- Date: 10 September 2025
- Time: 11:00 - 12:00 UTC
  - 07:00 - 08:00 EDT (UTC-4)
  - 12:00 - 13:00 BST (UTC+1)
  - 13:00 - 14:00 CEST (UTC+2)
  - 14:00 - 15:00 EEST (UTC+3)
  - 16:30 - 17:30 IST (UTC+5:30)
  - 20:00 - 21:00 JST (UTC+9)
  - 21:00 - 22:00 AEST (UTC+10)

## Agenda

Agenda items to discuss

## Attendees

- Takashi Norimatsu
- Vinod Anandan
- Thomas Darimont
- Pascal Knüppel
- Stefan Wiedemann
- Arndt Schwenkschuster (SPIRL)
- Rodrick Awambeng
- Forkim Akwichek
- Ingrid Kamga

## Focus on OpenID4VCI Issues

We discussed the following issues:

- Extend realm UI configuration by OID4VCI attributes: https://github.com/keycloak/keycloak/pull/41757
- Add support for parsing and understanding authorization_details at the Token Endpoint: https://github.com/keycloak/keycloak/pull/40751
- Add support for credential_request_encryption in metadata: https://github.com/keycloak/keycloak/pull/42169
- Update the issuer metadata for signed metadata: https://github.com/keycloak/keycloak/pull/42428
- Allow configuration of clientId in TargetRoleMapper again: https://github.com/keycloak/keycloak/pull/42377
- Verify that the wallet correctly constructs key attestation JWTs with required JOSE headers and JWT body parameters: https://github.com/keycloak/keycloak/issues/41579
- Adjust Credential Issuer Metadata well-known endpoint: https://github.com/keycloak/keycloak/issues/41589
- Update the authorization_details in the Authorization Request logic: https://github.com/keycloak/keycloak/issues/41586
- (Thomas) Question for the end: Before we declare openid4vci “supported” in Keycloak, are there plans to provide an example application, or run the current openid4vci conformance tests?
- (Thomas) Is there an issue for running the conformance tests?
- (Thomas) FYI: Vote to Approve OpenID for Verifiable Credential Issuance 1.0 Final Specification
- (Thomas) Poll uses: OpenID for Verifiable Credential Issuance 1.0: https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-17.html
- (Thomas) This poll is open. Voting started on September 1, 2025 and ends on September 15, 2025.
- (Stefan) Example Wallet App: https://github.com/eu-digital-identity-wallet/eudi-app-android-wallet-ui
- (Stefan) Example VCI Issuer based on Keycloak: https://github.com/FIWARE/VCVerifier
- (Stefan) Demo: https://github.com/FIWARE/data-space-connector/blob/main/doc/MARKETPLACE_INTEGRATION.md#demo-usage
- (Pascal) Ubique Wallet Example App: https://alpaka.ubique.ch/shared/app/build/xT7xWvQmTe
- (Thomas) New issue for Test-setup for OpenID Foundation Conformance tests for OpenID4VCI Support: https://github.com/keycloak/keycloak/issues/42505
- (Thomas) Propose to add a test setup for VCI to the https://github.com/keycloak/keycloak-oauth-sig/tree/main/conformance-tests-env

## New Support

### 1. Workload/Agentic Identity

Specification:

- [Transaction Tokens](https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/)
- [OAuth Identity and Authorization Chaining Across Domains](https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/)
- [OAuth 2.0 Dynamic Client Registration with Trusted Issuer Credentials](https://datatracker.ietf.org/doc/draft-kasselman-oauth-dcr-trusted-issuer-token/)
- [OAuth Client Registration on First Use with SPIFFE](https://datatracker.ietf.org/doc/draft-kasselman-oauth-spiffe/)
- [OAuth SPIFFE Client Authentication](https://datatracker.ietf.org/doc/draft-schwenkschuster-oauth-spiffe-client-auth/)

Issue:

- [Support authenticating clients with SPIFFE/SPIRE](https://github.com/keycloak/keycloak/issues/41907)

PoC:

- [Keycloak and SPIRE for Agent Identity](https://github.com/christian-posta/keycloak-agent-identity)
- [keycloak-spiffe](https://github.com/CarrettiPro/keycloak-spiffe)

10 September 2025:

- Refactor JWTValidator to allow use both for self-signed and federated client assertions (PoC from Stian): https://github.com/keycloak/keycloak/pull/42472
- https://github.com/keycloak/keycloak/issues/42230#issuecomment-3264197706
- WLID update: both Transaction Tokens and Identity Chaining are undergoing working group last call; we can expect both to be published as RFCs soon. Some links:
  - https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-assertion-authz-grant/
  - https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/

### 2. OAuth 2.0 for First-Party Applications (FiPA)

Specification: [OAuth 2.0 for First-Party Applications](https://datatracker.ietf.org/doc/draft-ietf-oauth-first-party-apps/)

Discussion: [#38796](https://github.com/keycloak/keycloak/discussions/38796)

10 September 2025:

- (Ingrid) Suggestion to rename this topic to "User Authentication Via Credential Presentation"
- (Thomas) Should we rather create a dedicated topic for this?
- Look at this discussion: [#42197](https://github.com/keycloak/keycloak/discussions/42197)

### 3. Shared Signals Framework (SSF)

Specification:

- [OpenID Shared Signals Framework Specification 1.0 Final](https://openid.net/specs/openid-sharedsignals-framework-1_0-final.html)
- [OpenID Continuous Access Evaluation Profile 1.0 Final](https://openid.net/specs/openid-caep-1_0-final.html)
- [OpenID RISC Profile Specification 1.0](https://openid.net/specs/openid-risc-1_0-final.html)

PoC: [Shared Signals Framework for Keycloak](https://github.com/identitytailor/keycloak-ssf-support)

10 September 2025:

### 4. OpenID Federation 1.0 (OIDFED)

Specification:

- [OpenID Federation 1.0 - draft 43](https://openid.net/specs/openid-federation-1_0.html)

Epic Ticket: [#40509](https://github.com/keycloak/keycloak/issues/40509)

Slack: https://cloud-native.slack.com/archives/C096PUDTC3U

10 September 2025:

### 5. Attestation-Based Client Auth

Specification:

- [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/)

Ticket: [#39287](https://github.com/keycloak/keycloak/issues/39287)

Discussion: [#40413](https://github.com/keycloak/keycloak/discussions/40413)

PoC: https://github.com/thomasdarimont/keycloak/tree/poc/client-attestation

10 September 2025:

### 6. Model Context Protocol (MCP)

Specification:

- [Base Protocol - Authorization](https://modelcontextprotocol.io/specification/draft/basic/authorization)

Pull requests active: [#35711](https://github.com/keycloak/keycloak/pull/35711), [#41440](https://github.com/keycloak/keycloak/pull/41440)

10 September 2025:

- Takashi: PR #41440 was merged.
- Takashi: 1 of 2 issues was resolved. (+1 resolved, 50%)

## Refinement

### 7. OpenID Verifiable Credentials Issuance (OID4VCI)

Specification:

- [OpenID for Verifiable Credential Issuance - draft 15](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-15.html)
- [OpenID for Verifiable Credential Issuance - draft 16](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-16.html)
- [OpenID for Verifiable Credential Issuance - draft 17](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html)

Open Pull requests: https://github.com/keycloak/keycloak/pulls?q=is%3Apr+is%3Aopen+OID4VCI

10 September 2025:

- Epic Ticket: [[OID4VCI] Implementing support for OID4VCI ID2 Draft 15](https://github.com/keycloak/keycloak/issues/39273): 23 of 28 issues were resolved (82%)
- Epic Ticket: [[OID4VCI] Implementing Support for OID4VCI ID2 draft 16](https://github.com/keycloak/keycloak/issues/41569): 8 of 21 issues were resolved (+8 resolved, 38%)

### 8. Token Exchange

10 September 2025:

- External to internal token exchange: no updates

### 9. Demonstrating Proof-of-Possession (DPoP)

Epic Ticket: [#22311](https://github.com/keycloak/keycloak/issues/22311)

10 September 2025:

- Takashi: 14 of 16 issues were resolved. (+3 resolved, +1 added, 86%)

### 10. Passkeys

Epic Ticket: [#23656](https://github.com/keycloak/keycloak/issues/23656)

10 September 2025:

- Takashi: 26 of 26 issues were resolved. (100%)
- Takashi: Keycloak 26.4 will officially support Passkeys.
- Takashi: This work has been completed, so it was removed from the work list of OAuth SIG.

### 11. FAPI 2.0 FINAL

- FAPI 2.0 Security Profile Final specification was released this February.
- FAPI 2.0 Message Signing Final specification will be released in September or October.

#### FAPI 2.0 Security Profile Final

Epic Ticket: [#38769](https://github.com/keycloak/keycloak/issues/38769)

10 September 2025:

- Takashi: 4 of 4 issues were resolved. (+2 resolved, 100%)
- Takashi: Keycloak 26.4 will officially support FAPI 2.0 Security Profile Final.
- Takashi: This work has been completed, so it was removed from the work list of OAuth SIG.

#### FAPI 2.0 Message Signing Final

Epic Ticket: [#41311](https://github.com/keycloak/keycloak/issues/41311)

10 September 2025:

- Takashi: 3 of 3 issues were resolved. (+2 resolved, 100%)
- Takashi: Keycloak 26.4 will officially support FAPI 2.0 Message Signing Final (not yet published at this time).
- Takashi: This work has been completed, so it was removed from the work list of OAuth SIG.

### Others

## Recordings

https://us06web.zoom.us/rec/share/A1vwQ81pSqfJTubantjYIyTa00sP1gPEWj3g4-OGkFOuX2txJVqE2TUCDilrhMP6.38DjyDIDH2qrgOgj

Passcode: &A@=0vBP