# SIG Breakout Session: 2025-12-10

- Date: 10 December 2025
- Time: 12:00 - 13:00 UTC
  - 08:00 - 09:00 EDT (UTC-4)
  - 12:00 - 13:00 GMT (UTC+0)
  - 13:00 - 14:00 CET (UTC+1)
  - 13:00 - 14:00 WAT (UTC+1)
  - 14:00 - 15:00 EET (UTC+2)
  - 17:30 - 18:30 IST (UTC+5:30)
  - 21:00 - 22:00 JST (UTC+9)
  - 22:00 - 23:00 AEST (UTC+10)
- Zoom Link: https://us06web.zoom.us/j/81611246656

## Agenda

Agenda items to discuss

## Attendees

- Takashi Norimatsu
- Pascal Knüppel
- Vinod Anandan
- Rodrick Awambeng
- Ingrid Kamga
- Bertrand Ogen
- Thomas Diesler
- Martin Besozzi
- Dmitry Telegin

## Notes

Notes by topic

## New Support

### 1. AuthZEN

Specifications:

- https://openid.net/wg/authzen/

AuthZEN GitHub:

- https://github.com/openid/authzen
- https://github.com/openid/authzen/tree/main/interop/authzen-idp
- https://authzen-interop.net/

AuthZEN IdP Interop:

- https://sts.authzen-interop.net/

### 2. Workload/Agentic Identity

Specifications:

- [Transaction Tokens](https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/)
- [OAuth Identity and Authorization Chaining Across Domains](https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/)
- [OAuth 2.0 Dynamic Client Registration with Trusted Issuer Credentials](https://datatracker.ietf.org/doc/draft-kasselman-oauth-dcr-trusted-issuer-token/)
- [OAuth Client Registration on First Use with SPIFFE](https://datatracker.ietf.org/doc/draft-kasselman-oauth-spiffe/)
- [OAuth SPIFFE Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-spiffe-client-auth/)
- [Identity Assertion Authorization Grant](https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-assertion-authz-grant/)
- [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/)

Related Epic Issue:

- 20/21 [#43152 Authorization Grants](https://github.com/keycloak/keycloak/issues/43152)

### 3. Shared Signals Framework (SSF)

Specifications:

- [OpenID Shared Signals Framework Specification 1.0 Final](https://openid.net/specs/openid-sharedsignals-framework-1_0-final.html)
- [OpenID Continuous Access Evaluation Profile 1.0 Final](https://openid.net/specs/openid-caep-1_0-final.html)
- [OpenID RISC Profile Specification 1.0](https://openid.net/specs/openid-risc-1_0-final.html)

PoCs:

- [Shared Signals Framework for Keycloak](https://github.com/identitytailor/keycloak-ssf-support)

Issues:

- [#43616 Add initial support for OpenID Shared Signals Framework](https://github.com/keycloak/keycloak/issues/43614)

Active Draft PRs:

- [#43950 Initial support for Shared Signals Framework with Push Delivery](https://github.com/keycloak/keycloak/pull/43950)

### 4. OpenID Federation 1.0 (OIDFED)

Specifications:

- [OpenID Federation 1.0 - draft 45](https://openid.net/specs/openid-federation-1_0.html)

Discussions:

- [#31027 Support for OpenID Federation 1.0](https://github.com/keycloak/keycloak/discussions/31027#discussioncomment-14727205)

Epic Issues:

- 0/10 [#40509 OpenID Federation implementation](https://github.com/keycloak/keycloak/issues/40509)

Slacks:

- https://cloud-native.slack.com/archives/C096PUDTC3U
- https://github.com/keycloak/keycloak/issues/42634
- https://github.com/keycloak/keycloak/issues/42635

### 5. Attestation-Based Client Auth

Specification:

- [OAuth 2.0 Attestation-Based Client Authentication (ver 07)](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/)

Discussion:

- [#40413 Support for OAuth 2.0 Attestation-Based Client Authentication](https://github.com/keycloak/keycloak/discussions/40413)

PoCs:

- https://github.com/thomasdarimont/keycloak/tree/poc/client-attestation

Slacks:

- [Discussion on OAuth Attestation-based client authentication](https://cloud-native.slack.com/archives/C05KR0TL4P8/p1758286805101949)

Epic Issues:

- 0/5 [#43136 Add support for OAuth 2.0 Attestation-based client authentication](https://github.com/keycloak/keycloak/issues/43136)

### 6. Model Context Protocol (MCP)

Specifications:

- [Version 2025-03-26: Authorization](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization)
- [Version 2025-06-18: Authorization](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization)
- [Version 2025-11-25: Authorization](https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization)

#### Standards Compliance

Standards that MCP requires, by MCP version, and their support status in Keycloak 26.5:

| Standard | 2025-03-26 | 2025-06-18 | 2025-11-25 | Keycloak 26.5 |
| - | - | - | - | - |
| [Internet Draft - The OAuth 2.1 Authorization Framework](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-14) | MUST | MUST | MUST | Supported |
| [RFC 8414 OAuth 2.0 Authorization Server Metadata](https://datatracker.ietf.org/doc/html/rfc8414) | MUST | MUST | MUST | Supported |
| [RFC 7591 OAuth 2.0 Dynamic Client Registration Protocol](https://datatracker.ietf.org/doc/html/rfc7591) | SHOULD | SHOULD | MAY | Supported |
| [Internet Draft - OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) | - | - | SHOULD | Not supported |

#### MCP version compliance

The basic criterion for compliance: "Keycloak supports MCP" means that Keycloak meets all MUST and SHOULD requirements of the MCP specification.

| MCP Version | Conformance |
| - | - |
| [2025-03-26](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization) | Supported |
| [2025-06-18](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization) | Supported (\*1) |
| [2025-11-25](https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization) | Supported without OAuth Client ID Metadata Document (\*1) |

\*1: Regarding the "Token Audience Binding" feature, the MCP specification does not explicitly mandate that an authorization server support it, but Keycloak needs to support it in practice. There are several workarounds for that.

Active PRs:

- [#35711 Add support for RFC 8707 OAuth2 Resource Indicators](https://github.com/keycloak/keycloak/pull/35711)
- [#44572 MCP Documentation for 26.5](https://github.com/keycloak/keycloak/pull/44572)

#### Token Audience Binding (for 2025-06-18, 2025-11-25)

2025-12-10: Takashi: I had created the workaround (mapper + client policies) and plan to refine it and publish it in [keycloak-playground](https://github.com/keycloak/keycloak-playground).

#### OAuth Client ID Metadata Document (for 2025-11-25)

2025-12-10: Takashi: I am creating the workaround (client policies). I will refine it and publish it in [keycloak-playground](https://github.com/keycloak/keycloak-playground).

## Refinement

### 7. OpenID Verifiable Credentials Issuance (OpenID4VCI)

Specifications:

- [OpenID for Verifiable Credential Issuance 1.0 (FINAL)](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-final.html)

Active PRs:

- [#44029 [OID4VCI] VC of type oid4vc_natural_person has invalid id value](https://github.com/keycloak/keycloak/pull/44029)
- Draft [#44207 Polishing of key-binding in sd-jwt SDK](https://github.com/keycloak/keycloak/pull/44207)
- [#44615 [OID4VCI] Expose advanced realm-level OID4VCI settings in the Admin UI](https://github.com/keycloak/keycloak/pull/44615)

Active PRs newly added this week:

- Draft [#44716 Account console QR code generation for OID4VCI credentials is broken](https://github.com/keycloak/keycloak/pull/44716)
- [#44765 [OID4VCI] Realign naming of attribute configuring algorithms for credential](https://github.com/keycloak/keycloak/pull/44765)

Merged PRs this week:

- [#44439 [OID4VCI] Conformance Test Fixes](https://github.com/keycloak/keycloak/pull/44439)
- [#44390 [OID4VCI]: Add UI for OID4VCI Protocol Mapper Configuration](https://github.com/keycloak/keycloak/pull/44390)
- [#44471 [OID4VCI] Handle key_attestation_required in metadata endpoint](https://github.com/keycloak/keycloak/pull/44471)
- [#44682 [OID4VCI] Fix OID4VC wallet interoperability issues](https://github.com/keycloak/keycloak/pull/44682)
- [#44715 Credential offer endpoint has parameter user_id, but expects username](https://github.com/keycloak/keycloak/pull/44715)
- [#44794 CredentialRequest with credentialIdentifier does not work when creden…](https://github.com/keycloak/keycloak/pull/44794)

Epic Issues:

- 5/8 [#43396 [OID4VCI] Implementing support for OID4VCI Final Version](https://github.com/keycloak/keycloak/issues/43396)
- 3/8 [#43932 Promote OID4VCI to preview feature](https://github.com/keycloak/keycloak/issues/43932)
- 7/35 [#43936 [OID4VCI] Feedback from IBM team on OID4VCI feature](https://github.com/keycloak/keycloak/issues/43936)

Discussion:

- [#44764 Integration of AIA to OID4VCI Pre-authorization code flow](https://github.com/keycloak/keycloak/discussions/44764)

Blog Posts:

- [Draft blog post on the support of OpenID4VCI](https://github.com/keycloak/keycloak-web/pull/682)

### 7.a Token Status List

Specifications:

- [Token Status List](https://github.com/oauth-wg/draft-ietf-oauth-status-list?tab=readme-ov-file#implementations-open-source)

### 8. Token Exchange

Epic Issues:

- https://github.com/keycloak/keycloak/issues/43151 : this is like an epic ticket.
- [#38335 External to internal token exchange](https://github.com/keycloak/keycloak/issues/38335)
- [#40704 Internal to external token exchange](https://github.com/keycloak/keycloak/issues/40704)

### 9. OpenID4VCI Wallet Testing

Issues:

- [Test-setup for OpenID Foundation Conformance tests for OpenID4VCI Support #42505](https://github.com/keycloak/keycloak/issues/42505)

### Others

## Recordings

TBA