# SIG Breakout Session: 2025-11-12

- Date: 12 November 2025
- Time: 12:00 - 13:00 UTC
  - 08:00 - 9:00 EDT (UTC-4)
  - 12:00 - 13:00 GMT (UTC+0)
  - 13:00 - 14:00 CET (UTC+1)
  - 13:00 - 14:00 WAT (UTC+1)
  - 14:00 - 15:00 EET (UTC+2)
  - 17:30 - 18:30 IST (UTC+5:30)
  - 21:00 - 22:00 JST (UTC+9)
  - 22:00 - 23:00 AEST (UTC+10)

Zoom Link: https://us06web.zoom.us/j/81611246656

## Agenda

Agenda Items to discuss

## Attendees

- Francis Puatcha
- Bertrand Ogen
- Vinod Anandan
- Thomas Darimont
- Dmitry Telegin
- Stefan Wiedermann
- Assah Bismark
- Pascal Knüppel
- Rodrick Awambeng
- Forkim Akwichek
- Georgilakis Konstantinos
- Ingrid Kamga

## Notes

Notes by Topic

## New Support

### 1. Workload/Agentic Identity

Specification:

- [Transaction Tokens](https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/) - 12/11/2025 WIP
- [OAuth Identity and Authorization Chaining Across Domains](https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/)
- [OAuth 2.0 Dynamic Client Registration with Trusted Issuer Credentials](https://datatracker.ietf.org/doc/draft-kasselman-oauth-dcr-trusted-issuer-token/)
- [OAuth Client Registration on First Use with SPIFFE](https://datatracker.ietf.org/doc/draft-kasselman-oauth-spiffe/)
- [OAuth SPIFFE Client Authentication](https://datatracker.ietf.org/doc/draft-schwenkschuster-oauth-spiffe-client-auth/)
- [Identity Assertion Authorization Grant](https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-assertion-authz-grant/)
- [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/)

12/11/2025

- IETF 124 was held in Montreal, Canada. Next week Dmitry will provide a digest on topics discussed there.

### 2. Shared Signals Framework (SSF)

Specification:

- [OpenID Shared Signals Framework Specification 1.0 Final](https://openid.net/specs/openid-sharedsignals-framework-1_0-final.html)
- [OpenID Continuous Access Evaluation Profile 1.0 Final](https://openid.net/specs/openid-caep-1_0-final.html)
- [OpenID RISC Profile Specification 1.0](https://openid.net/specs/openid-risc-1_0-final.html)

12/11/2025 Thomas

- PR Sent: https://github.com/keycloak/keycloak/pull/43950
- Example provided
- Impl Notes: Minimal
- It is an SPI
- Receiver will be connected with the new workflow support, so events can trigger workflows.

PR: [#43950 Initial Support for SSF Receiver with Push based Delivery via HTTP](https://github.com/keycloak/keycloak/pull/43950)

Issue: [#43614 Add initial support for OpenID Shared Signals Framework](https://github.com/keycloak/keycloak/issues/43614)

PoC: [Shared Signals Framework for Keycloak](https://github.com/identitytailor/keycloak-ssf-support)

### 3. OpenID Federation 1.0 (OIDFED)

Specification:

- [OpenID Federation 1.0 - draft 43](https://openid.net/specs/openid-federation-1_0.html)

Discussion: https://github.com/keycloak/keycloak/discussions/31027#discussioncomment-14727205

Epic Issue: [#40509](https://github.com/keycloak/keycloak/issues/40509)

Slack: https://cloud-native.slack.com/archives/C096PUDTC3U

- https://github.com/keycloak/keycloak/issues/42634
- https://github.com/keycloak/keycloak/issues/42635

### 4. Attestation-Based Client Auth

Specification:

- [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/)

Ticket: [#39287](https://github.com/keycloak/keycloak/issues/39287)

Discussion: [#40413](https://github.com/keycloak/keycloak/discussions/40413)

PoC: https://github.com/thomasdarimont/keycloak/tree/poc/client-attestation

Slack: Discussion on OAuth Attestation-based client authentication https://cloud-native.slack.com/archives/C05KR0TL4P8/p1758286805101949

12/11/2025

- Thomas's PoC is intended to help others get started.
- Adorsys Team: OpenID4VCI is dependent on part of this. Team might build on top of Thomas's work.
- We shall start collaborating on a common repo. Thomas will first ask the KC-Team if we can have another KC repo under the KC org; if not, we could add other SIG members to the adorsys repo.

### 5. Model Context Protocol (MCP)

Specification:

- [Base Protocol - Authorization](https://modelcontextprotocol.io/specification/draft/basic/authorization)

Pull request active: [#35711](https://github.com/keycloak/keycloak/pull/35711)

12 November 2025: Takashi: no progress this week.

## Refinement

### 6. OpenID Verifiable Credentials Issuance (OpenID4VCI)

Specification:

- [OpenID for Verifiable Credential Issuance 1.0 (FINAL)](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-final.html)

12/11/2025

- Feedback from Marek on diverse tickets and corresponding pull requests.
  - https://github.com/keycloak/keycloak/pull/44153
  - https://github.com/keycloak/keycloak/pull/44106
  - https://github.com/keycloak/keycloak/pull/43182
  - https://github.com/keycloak/keycloak/pull/43951
  - https://github.com/keycloak/keycloak/pull/44128 [UI PR]
  - https://github.com/keycloak/keycloak/pull/43834
- Gap Analysis to Final Spec: https://github.com/keycloak/keycloak/issues/43396

12/11/2025

- UP PR in gap ticket. Marek will check and draw the maintainer team's attention to it.

Blog Post:

- https://github.com/ADORSYS-GIS/keycloak-web/pull/1
- Vinod suggests the post be made easier for non-OpenID4VCI technical people.
- Team will be testing multipass, and if it works the screen will be updated in the blog.

### 6.a Token Status List

https://github.com/oauth-wg/draft-ietf-oauth-status-list?tab=readme-ov-file#implementations-open-source

12/11/2025

- If the status list server is separate, there is no standard interface between the status list server and the status list provider.
- Feedback shall be given as comments to the status list spec providers while drafting a prototype.

### 7. Token Exchange

Epic Issue: [External to internal token exchange](https://github.com/keycloak/keycloak/issues/38335)

Epic Issue: [Internal to external token exchange](https://github.com/keycloak/keycloak/issues/40704)

12/11/2025

- No update
- Team still working on the JWT Grant (Experimental)
- Token Exchange V1 will be removed once all supported use cases are addressed in the new version.

### 8. OpenID4VCI Wallet Testing

12/11/2025

- Wallet testing: https://github.com/keycloak/keycloak/issues/42505

### Others

## Recordings