SIG Breakout Session: 2025-02-19
- Date: Wed 19 February 2025
- Time: 12:00 - 13:00 UTC (1 hour)
## Agenda
## Attendees
- Francis Pouatcha
- Rodrick Awambeng
- Ingrid Kamga
- Ogen Bertrand
- Thomas Darimont
- Pascal Knüppel
- Takashi Norimatsu
## Notes
### General
### OID4VCI (10 minutes)
Main Ticket: https://github.com/keycloak/keycloak/issues/32961
- Closed:
  - https://github.com/keycloak/keycloak/issues/32958
  - https://github.com/keycloak/keycloak/issues/32959
- Open: https://github.com/keycloak/keycloak/issues/32967
  - waiting for Thomas' feedback
Sample Deployments:
- Open: https://github.com/adorsys/keycloak-ssi-deployment
  - Depends on: https://github.com/keycloak/keycloak/issues/32957 (revived)
Document the spec versions supported per Keycloak version:
- OID4VCI - draft 14
- SD-JWT - draft 13
- SD-JWT VC - draft 04
- OpenID4VP - draft 20
- [Token Status List](https://datatracker.ietf.org/doc/draft-ietf-oauth-status-list/)?
- not for the moment: OCSP & CRL
### OAuth First Party Application (5 minutes)
- FIPA: https://github.com/keycloak/keycloak/discussions/25014
- API Based Auth: https://github.com/keycloak/keycloak/discussions/36924
- Analysis completed by Ingrid; implementation is currently in progress.
### DPoP (5 minutes)
Main ticket: https://github.com/keycloak/keycloak/issues/22311
Need urgent consideration:
- https://github.com/keycloak/keycloak/issues/36475
- https://github.com/keycloak/keycloak/issues/36476
Maybe a joint look at this at KC-DevDay (Takashi, Thomas) or the OAuth Security Workshop (Dmitry, Takashi, Thomas)
### [SSF](https://sharedsignals.guide/)
Presented last Breakout by Thomas
- Test: https://scim.dev/
  - https://scim.dev/playground/
  - https://scim.dev/playground/sharedsignalframework/
- POC: https://github.com/thomasdarimont/keycloak/tree/poc/shared-signals
Meeting with the Keycloak maintainers on 02/20 for a focused architectural discussion on how to integrate.
### [SPIFFE](https://spiffe.io/)
Presented in last general session by Dmitry.
Dmitry approached the OAuth working group on the mailing list to make sure the usage of SVIDs is standards compliant. There is an RFC for a JWT assertion profile for OAuth.
- Suggestion of using automatic client registration for SPIFFE clients.
  - Automatic registration is easier, but
  - the whole life cycle needs to be considered, e.g. cleanup
- Planned work with the IBM team.
- The SPIFFE-ID goes into the `sub` claim and needs to be identical to the client id.
- Thomas: We might need a new abstraction to differentiate volatile workloads from clients in Keycloak
- See: [Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants](https://datatracker.ietf.org/doc/html/rfc7521) - 5.2. General Assertion Format and Processing Rules
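As an added illustration (not from the meeting or from Keycloak's code base), the processing rules of RFC 7521 section 5.2 applied to a JWT client assertion, including the point above that the SPIFFE-ID in `sub` must equal the registered client id. The sample assertion, the token endpoint URL and the HMAC key in `REGISTERED_CLIENTS` are constructed assumptions; a real JWT-SVID is signed with the workload's asymmetric key and verified against the SPIFFE trust bundle instead.

```python
import base64, hashlib, hmac, json

# Constructed sample registration: client id (the SPIFFE-ID) -> shared key.
# Stands in for the trust-bundle / public-key lookup a real deployment does.
TOKEN_ENDPOINT = "https://idp.example/realms/demo/protocol/openid-connect/token"
REGISTERED_CLIENTS = {"spiffe://example.org/ns/prod/sa/payments": b"demo-hmac-key"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_assertion(spiffe_id, key, now, ttl=60, aud=TOKEN_ENDPOINT, jti="jti-1"):
    """Build an HS256 client assertion (constructed sample, not a JWT-SVID)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"iss": spiffe_id, "sub": spiffe_id, "aud": aud,
                                 "exp": now + ttl, "iat": now, "jti": jti}).encode())
    sig = hmac.new(key, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"

def verify_client_assertion(assertion, client_id, now, seen_jti):
    """Apply the RFC 7521 section 5.2 processing rules; returns (accepted, reason)."""
    try:
        h, c, s = assertion.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(c))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return False, "malformed"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    # The workload identity in sub (and iss for a self-issued assertion) must be the client id
    if claims.get("sub") != client_id or claims.get("iss") != client_id:
        return False, "sub/iss do not match client id"
    key = REGISTERED_CLIENTS.get(client_id)
    if key is None:
        return False, "unknown client"
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    aud = claims.get("aud")
    if TOKEN_ENDPOINT not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired"
    if claims.get("jti") is None or claims["jti"] in seen_jti:
        return False, "missing or replayed jti"
    seen_jti.add(claims["jti"])
    return True, "ok"
```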
### Key selection on Identity Providers (5 minutes)
- https://github.com/keycloak/keycloak/discussions/35039
- We might need a sub-abstraction of Identity Providers (or trusted parties) inside a single Realm
- Consider the __trusted party__ abstraction
- Thomas: Look at the org.keycloak.broker.provider.AbstractIdentityProvider class. It could be the right location for managing provider-specific keys. We could provide an option like "Use custom private key: on/off" with an input field for a custom private key in the IdentityProviderConfiguration.
- Thomas: Alternative: refactor the SAML Identity Provider and add a protected method to determine the key to use, to allow custom SAMLIdentityProviders to use different keys.
- Dmitry trying to connect to Ben Cresitello-Dittmar (@ben95cd) as an experienced person in this domain.
### Other Topics
#### Keyconf25
- Survey started: https://forms.office.com/Pages/ResponsePage.aspx?id=hFQsXiLlnUeRylFdbgziKBgok6UO9mxHnShifZvG4ehUMVVNS1lRQlpJNTFSM0tHRU5QS0RPSlI2Ry4u
## Recording
https://us06web.zoom.us/rec/share/p7G9vCxGmlgOzXXrapxwP4c5f_0eY643Ez0mkEBjyiGDRSzIxX7WSGK0jpcIt_oh.DvwFl6qtzngZek1i