# SIG Breakout Session: 2025-10-01

- Date: 01 October 2025
- Time: 11:00 - 12:00 UTC
  - 07:00 - 08:00 EDT (UTC-4)
  - 12:00 - 13:00 BST (UTC+1)
  - 13:00 - 14:00 CEST (UTC+2)
  - 14:00 - 15:00 EEST (UTC+3)
  - 16:30 - 17:30 IST (UTC+5:30)
  - 20:00 - 21:00 JST (UTC+9)
  - 21:00 - 22:00 AEST (UTC+10)
- General session postponed to 08 October 2025

## Agenda

Agenda items to discuss:

- OID4VCI Status

## Attendees

- Francis Pouatcha
- Thomas Darimont
- Vinod Anandan
- Stefan Wiedemann
- Marek Posolda
- Stian
- Bertrand Ogen

## Notes

- (Vinod) Intro
- (Bertrand) Current OpenID4VCI implementation is compatible with OID4VCI Draft 16
- (Bertrand) Current implementation passes the conformance tests
- (Thomas) OID4VCI Final is based on Draft 17
- (Vinod) Focus on OID4VCI Final
- (Bertrand) Estimate ~2 weeks to catch up (mid October): alignment of the implementation with the final spec
- (Francis) Question: can we target support for OID4VCI for Keycloak 26.5.x?
- (Stian) How Keycloak deals with experimental / preview features
- (Stian) Experimental features are announced via blog post (what the feature is about, how to try it out; the main goal is to get feedback)
- (Stian) Based on the feedback we can adapt the feature and turn it into preview
- (Thomas) (in chat) 26.5.0 is currently scheduled with "Due by January 5, 2026": https://github.com/keycloak/keycloak/milestone/62
- (Marek) Reviewed the feature (but has not done an in-depth review yet) in collaboration with kc-oauth-sig members
- (Marek) We need to make sure that this experimental feature does not interfere with other Keycloak functionality in a negative way.
- (Thomas) (in chat) FYI, we just started work on updating the OIDF conformance tests for OID4VCI to Final. This will take us ~4 weeks to provide an updated version of the conformance tests.
- (Stian) Highlights again the appreciation for the OAuth SIG work
- (Stian/Francis) The blog post shall explain what VCs are, the use cases, how Keycloak fits into it, and eventually a playground where people can play. Eventually even showcasing a YouTube video.
- (Stian) Recommends starting with the blog post (later a dedicated guide, etc.)
- (Marek) A description of the OID4VCI use cases and additional documentation similar to https://www.authlete.com/developers/oid4vci/ might be helpful.
- (Thomas) (via chat) Another note: the OIDF regularly does OpenID4VC interop events for the specs OpenID4VCI (credential issuance) and OpenID4VP (credential presentation) to demonstrate interoperability / spec compliance against other implementors. Once we have OpenID4VCI support in Keycloak, we could participate in one of the next interop events. This might give us even more visibility for that feature later on.
- (Thomas/Thomas/Francis) Discussed attestation-based client authentication (still a draft, but "required" by the OpenID4VCI HAIP profile)
- (Stian) The OpenID4VCI feature needs to be configurable via the Admin UI (not only the REST API)
- (Francis) Need a gap analysis to check whether there are some settings not configurable through the Admin UI.
- (Stian) Is there an SPI that users need to implement to use the feature?
- (Stefan?) No.
- (Francis) Explains the development of the adorsys Keycloak fork
- (Stian) Does adorsys plan to provide some sort of maintenance for the feature?
- (Francis) Needs to be discussed
- (Francis) OID4VCI is not a small feature; it requires some effort to maintain
- (Francis) Intent to keep maintaining the OpenID4VCI feature for some time
- (Stian) Need to find a way to support this (we should plan this from the beginning when adopting this feature)

## New Support

### 1. Workload/Agentic Identity

Specification:

- [Transaction Tokens](https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/)
- [OAuth Identity and Authorization Chaining Across Domains](https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/)
- [OAuth 2.0 Dynamic Client Registration with Trusted Issuer Credentials](https://datatracker.ietf.org/doc/draft-kasselman-oauth-dcr-trusted-issuer-token/)
- [OAuth Client Registration on First Use with SPIFFE](https://datatracker.ietf.org/doc/draft-kasselman-oauth-spiffe/)
- [OAuth SPIFFE Client Authentication](https://datatracker.ietf.org/doc/draft-schwenkschuster-oauth-spiffe-client-auth/)
- [Identity Assertion Authorization Grant](https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-assertion-authz-grant/)

Issue:

- [Support authenticating clients with SPIFFE/SPIRE](https://github.com/keycloak/keycloak/issues/41907)

PoC:

- [Keycloak and SPIRE for Agent Identity](https://github.com/christian-posta/keycloak-agent-identity)
- [keycloak-spiffe](https://github.com/CarrettiPro/keycloak-spiffe)

Epic Issue:

- [Preview federated client authentication](https://github.com/keycloak/keycloak/issues/42230)

01 October 2025:

### 3. Shared Signals Framework (SSF)

Specification:

- [OpenID Shared Signals Framework Specification 1.0 Final](https://openid.net/specs/openid-sharedsignals-framework-1_0-final.html)
- [OpenID Continuous Access Evaluation Profile 1.0 Final](https://openid.net/specs/openid-caep-1_0-final.html)
- [OpenID RISC Profile Specification 1.0](https://openid.net/specs/openid-risc-1_0-final.html)

PoC: [Shared Signals Framework for Keycloak](https://github.com/identitytailor/keycloak-ssf-support)

01 October 2025:

### 4. OpenID Federation 1.0 (OIDFED)

Specification:

- [OpenID Federation 1.0 - draft 43](https://openid.net/specs/openid-federation-1_0.html)

Epic Issue: [#40509](https://github.com/keycloak/keycloak/issues/40509)

Slack: https://cloud-native.slack.com/archives/C096PUDTC3U

01 October 2025:

### 5. Attestation-Based Client Auth

Specification:

- [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/)

Ticket: [#39287](https://github.com/keycloak/keycloak/issues/39287)

Discussion: [#40413](https://github.com/keycloak/keycloak/discussions/40413)

PoC: https://github.com/thomasdarimont/keycloak/tree/poc/client-attestation

Slack: Discussion on OAuth attestation-based client authentication: https://cloud-native.slack.com/archives/C05KR0TL4P8/p1758286805101949

01 October 2025:

### 6. Model Context Protocol (MCP)

Specification:

- [Base Protocol - Authorization](https://modelcontextprotocol.io/specification/draft/basic/authorization)

Pull request active: [#35711](https://github.com/keycloak/keycloak/pull/35711)

01 October 2025:

24 September 2025:

- Takashi: 1 of 2 issues were resolved. (no progress, 50%)
- As for RFC 8707 Resource Indicators support, [#35711](https://github.com/keycloak/keycloak/pull/35711), adding a feature flag can be considered.
- [OAuth Client ID Metadata Document](https://www.ietf.org/archive/id/draft-parecki-oauth-client-id-metadata-document-03.html#name-client-metadata-documents-f) is a promising alternative to DCR in MCP.

## Refinement

### 7. OpenID Verifiable Credentials Issuance (OpenID4VCI)

Specification:

- [OpenID for Verifiable Credential Issuance - draft 15](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-15.html)
- [OpenID for Verifiable Credential Issuance - draft 16](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-16.html)
- [OpenID for Verifiable Credential Issuance - draft 17](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-17.html)
- [OpenID for Verifiable Credential Issuance 1.0 (FINAL)](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-final.html)

Pull requests active ([open OID4VCI PRs](https://github.com/keycloak/keycloak/pulls?q=is%3Apr+is%3Aopen+OID4VCI)): [#42858](https://github.com/keycloak/keycloak/pull/42858), [#42819](https://github.com/keycloak/keycloak/pull/42819)

Epic Issue: [\[OID4VCI\] Implementing support for OID4VCI ID2 Draft 15](https://github.com/keycloak/keycloak/issues/39273): 27 of 28 issues were resolved (+1 resolved, 96%)

Epic Issue: [\[OID4VCI\] Implementing Support for OID4VCI ID2 draft 16](https://github.com/keycloak/keycloak/issues/41569): 22 of 23 issues were resolved (+2 resolved, +1 added, 96%)

01 October 2025:

24 September 2025:

### 8. Token Exchange

Epic Issue: [External to internal token exchange](https://github.com/keycloak/keycloak/issues/38335)

Epic Issue: [Internal to external token exchange](https://github.com/keycloak/keycloak/issues/40704)

24 September 2025:

### 9. Demonstrating Proof-of-Possession (DPoP)

Epic Ticket: [#22311](https://github.com/keycloak/keycloak/issues/22311)

01 October 2025:

24 September 2025:

- Takashi: 21 of 21 issues were resolved. (+7 resolved, +5 added, 100%)
- Takashi: Keycloak 26.4 will officially support DPoP.
- Takashi: The work item is completed, so I will remove it from the agenda of the next OAuth SIG meeting.

### Others

## Recordings

https://us06web.zoom.us/rec/share/8d0KtgvfywxJth4DwOkb5ssbTBsciUN58ICw8fia-mbm5W2HTSerIWsRNTLTJUzo.nnlpb4k-HeQT_ysT