SIG Breakout Session: 2026-01-14

# SIG Breakout Session: 2026-01-14 - Date: 14 January 2026 - Time: 12:00 - 13:00 UTC in 1 hour 08:00 - 9:00 EDT (UTC-4) 12:00 - 13:00 GMT (UTC+0) 13:00 - 14:00 CET (UTC+1) 13:00 - 14:00 WAT (UTC+1) 14:00 - 15:00 EET (UTC+2) 17:30 - 18:30 IST (UTC+5:30) 21:00 - 22:00 JST (UTC+9) 22:00 - 23:00 AEST (UTC+10) Zoom Link: https://us06web.zoom.us/j/81611246656 ## Agenda Agenda Items to discuss ## Attendees - Bertrand Ogen - Francis Pouatcha - Vinod Anandan - Peter Skopek - Thomas Diesler - Rodrick Awambeng ## Notes Notes by Topic Keycloak 26.5.0 released yesterday (06.01.2026) https://www.keycloak.org/2026/01/keycloak-2650-released ### SIG WG Calendar Handling Vinod: Suggestion to use a dedicated CNCF calendar (https://www.cncf.io/calendar/) to manage the SIG WG events. Thomas: Keycloak already has a dedicated cncf calendar https://zoom-lfx.platform.linuxfoundation.org/meetings/keycloak Vinod: Is time still okay Group: Hard to find a time that works for all, quick consensus: we keep the current time for now ### Regular Notes - Calls for Updates - Takashi: Update on MCP Support - Dmitry: Transaction Tokens - Thomas: Shared Signals Framework - Gregilakis: OAuth2 Resource Indicators - Vinod: OpenID4VCI ### MCP Support Last year novemeber last release of MCP spec Takashi: is working on adding support for Client ID Metadata document spec (CIMD) See: https://www.keycloak.org/securing-apps/mcp-authz-server ### Transaction Tokens Dmitry: is working on Kubernetes based demo environment for TT that works with Keycloak's Spiffe support. ### Shared Signals Framework Thomas: Still working on SSF Receiver support in Keycloak (adding remaining tests). Side note remarks: Working on finalizing OpenID conformance tests for SSF Transmitters - ETA end of January ### Resource Indicators Thomas: No update Pending PR (Draft): https://github.com/keycloak/keycloak/pull/35711 2026-01-14 ### OpenID4VCI Vinod: Discuss PR https://github.com/keycloak/keycloak/pull/44834 Group: Suggestion to create a dedicated ticket for the format of the pre-auth-code (opaque or JWT). Vinod: Discussion https://github.com/keycloak/keycloak/discussion/44764 Pascal: Discussion about which system should present the QR code to the user. Pascal (and Thomas Diesler) suggest that the QR code should be shown by Keycloak (the credential issuer). Marek/Pascal: This discussion is related to multiple different topics. Suggestion to split this discussion up into more focussed separate discussions. Vinod: Blog Post on OpenID4VCI support https://github.com/keycloak/keycloak-web/pull/682 2026-02-14 ## New Support ### 1. AuthZEN Specifications: - https://openid.net/wg/authzen/ AuthZEN Github - https://github.com/openid/authzen - https://github.com/openid/authzen/tree/main/interop/authzen-idp - https://authzen-interop.net/ AuthZEN IdP Interop: - https://sts.authzen-interop.net/ 2026-01-14 ### 2. Workload/Agentic Identity Specifications: - [Transaction Tokens](https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/) - [OAuth Identity and Authorization Chaining Across Domains](https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/) - [OAuth 2.0 Dynamic Client Registration with Trusted Issuer Credentials](https://datatracker.ietf.org/doc/draft-kasselman-oauth-dcr-trusted-issuer-token/) - [OAuth Client Registration on First Use with SPIFFE](https://datatracker.ietf.org/doc/draft-kasselman-oauth-spiffe/) - [OAuth SPIFFE Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-spiffe-client-auth/) - [Identity Assertion Authorization Grant](https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-assertion-authz-grant/) - [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) Related Epic Issue: - 21/22 [#43152 Authorization Grants](https://github.com/keycloak/keycloak/issues/43152) 2026-02-14 ### 3. Shared Signals Framework (SSF) Specifications: - [OpenID Shared Signals Framework Specification 1.0 Final](https://openid.net/specs/openid-sharedsignals-framework-1_0-final.html) - [OpenID Continuous Access Evaluation Profile 1.0 Final](https://openid.net/specs/openid-caep-1_0-final.html) - [OpenID RISC Profile Specification 1.0](https://openid.net/specs/openid-risc-1_0-final.html) PoCs: - [Shared Signals Framework for Keycloak](https://github.com/identitytailor/keycloak-ssf-support) Issues: - [#43616 Add initial support for OpenID Shared Signals Framework](https://github.com/keycloak/keycloak/issues/43614) Active Draft PRs: [#43950 Initial support for Shared Signals Framework with Push Delivery](https://github.com/keycloak/keycloak/pull/43950) 2026-01-14 ### 4. OpenID Federation 1.0 (OIDFED) Specifications: - [OpenID Federation 1.0 - draft 45](https://openid.net/specs/openid-federation-1_0.html) Discussions: - [#31027Support for OpenID Federation 1.0](https://github.com/keycloak/keycloak/discussions/31027#discussioncomment-14727205) Epic Issues: - 0/10 [#40509 OpenID Federation implementation](https://github.com/keycloak/keycloak/issues/40509) Slacks: - https://cloud-native.slack.com/archives/C096PUDTC3U - https://github.com/keycloak/keycloak/issues/42634 - https://github.com/keycloak/keycloak/issues/42635 ### 5. Attestation-Based Client Auth Specification: - [OAuth 2.0 Attestation-Based Client Authentication (ver 07)](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/) Discussion: [#40413 Support for OAuth 2.0 Attestation-Based Client Authentication](https://github.com/keycloak/keycloak/discussions/40413) PoCs : - https://github.com/thomasdarimont/keycloak/tree/poc/client-attestation Slacks: - [Discussion on OAuth Attestation-based client authentication](https://cloud-native.slack.com/archives/C05KR0TL4P8/p1758286805101949) Epic Issues: - 0/5 [#43136 Add support for OAuth 2.0 Attestation-based client authentication](https://github.com/keycloak/keycloak/issues/43136) ### 6. Model Context Protocol (MCP) Specifications: - [Version 2025-03-26: Authorization](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization) - [Version 2025-06-18: Authorization](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization) - [Version 2025-11-25: Authorization](https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization) #### Standards Compliance MCP requires and MCP version compliance [Integrating with Model Context Protocol (MCP)](https://www.keycloak.org/securing-apps/mcp-authz-server) #### Token Audience Binding (for 2025-06-18, 2025-11-25) Active PRs: - [#35711 Add support for RFC 8707 OAuth2 Resource Indicators](https://github.com/keycloak/keycloak/pull/35711) #### OAuth Client ID Metadata Document (for 2025-11-25) Issues: - [#45106 OAuth Client ID Metadata Document](https://github.com/keycloak/keycloak/issues/45106) 2026-1-7: Takashi: I am now working on OAuth Client ID Metadata Document support. 2026-1-14 ## Refinement ### 7. OpenID Verifiable Credentials Issuance (OpenID4VCI) Specifications: - [OpenID for Verifiable Credential Issuance 1.0 (FINAL)](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-final.html) Active PRs: - https://github.com/keycloak/keycloak/pull/45028 - https://github.com/keycloak/keycloak/pull/45011 - https://github.com/keycloak/keycloak/pull/44995 - https://github.com/keycloak/keycloak/pull/44851 - https://github.com/keycloak/keycloak/pull/44946 - https://github.com/keycloak/keycloak/pull/44874 - https://github.com/keycloak/keycloak/pull/44840 - https://github.com/keycloak/keycloak/pull/45004 - https://github.com/keycloak/keycloak/pull/45008 - https://github.com/keycloak/keycloak/pull/45043 Epic Issues: - 6/8 [#43396 [OID4VCI] Implementing support for OID4VCI Final Version](https://github.com/keycloak/keycloak/issues/43396) - 6/9 [#43932 Promote OID4VCI to preview feature](https://github.com/keycloak/keycloak/issues/43932) - 16/42 [#43936 [OID4VCI] Feedback from IBM team on OID4VCI feature](https://github.com/keycloak/keycloak/issues/43936) Discussion: - [#44764 Integration of AIA to OID4VCI Pre-authorization code flow](https://github.com/keycloak/keycloak/discussions/44764) Blog Posts: - [Draft blog post on the support of OpenID4VCI](https://github.com/keycloak/keycloak-web/pull/682) 2026-01-14 ### 7.a Token Status List Specifications: - [Token Status List](https://github.com/oauth-wg/draft-ietf-oauth-status-list?tab=readme-ov-file#implementations-open-source) 2026-01-14: ### Others - [Keycloak User Group UK](https://www.meetup.com/keycloak-user-group-uk/). First Meeting to be hosted at Backbase (tentatively, Spring 2026). ## Recordings https://us06web.zoom.us/j/81611246656