# SIG Breakout Session: 2025-10-29
- Date: 29 October 2025
- Time:
  - 11:00 - 12:00 UTC
  - 07:00 - 08:00 EDT (UTC-4)
  - 12:00 - 13:00 BST (UTC+1)
  - 13:00 - 14:00 CEST (UTC+2)
  - 14:00 - 15:00 EEST (UTC+3)
  - 16:30 - 17:30 IST (UTC+5:30)
  - 20:00 - 21:00 JST (UTC+9)
  - 21:00 - 22:00 AEST (UTC+10)
## Agenda
Agenda Items to discuss
## Attendees
- Bertrand Ogen
- Vinod Anandan
- Pascal Knüppel
- Hugo Hakim Damer
- Rodrick Awambeng
- Ingrid Kamga
- Assah Bismark
## Notes
Notes by Topic
## New Support
### 1. Workload/Agentic Identity
Specification:
- [Transaction Tokens](https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/)
- [OAuth Identity and Authorization Chaining Across Domains](https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/)
- [OAuth 2.0 Dynamic Client Registration with Trusted Issuer Credentials](https://datatracker.ietf.org/doc/draft-kasselman-oauth-dcr-trusted-issuer-token/)
- [OAuth Client Registration on First Use with SPIFFE](https://datatracker.ietf.org/doc/draft-kasselman-oauth-spiffe/)
- [OAuth SPIFFE Client Authentication](https://datatracker.ietf.org/doc/draft-schwenkschuster-oauth-spiffe-client-auth/)
- [Identity Assertion Authorization Grant](https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-assertion-authz-grant/)
Oct 29th 2025
### 2. Shared Signals Framework (SSF)
Specification:
- [OpenID Shared Signals Framework Specification 1.0 Final](https://openid.net/specs/openid-sharedsignals-framework-1_0-final.html)
- [OpenID Continuous Access Evaluation Profile 1.0 Final](https://openid.net/specs/openid-caep-1_0-final.html)
- [OpenID RISC Profile Specification 1.0](https://openid.net/specs/openid-risc-1_0-final.html)
PoC: [Shared Signals Framework for Keycloak](https://github.com/identitytailor/keycloak-ssf-support)
Oct 29th 2025:
### 3. OpenID Federation 1.0 (OIDFED)
Specification:
- [OpenID Federation 1.0 - draft 43](https://openid.net/specs/openid-federation-1_0.html)
Discussion: https://github.com/keycloak/keycloak/discussions/31027#discussioncomment-14727205
Epic Issue: [#40509](https://github.com/keycloak/keycloak/issues/40509)
Slack: https://cloud-native.slack.com/archives/C096PUDTC3U
https://github.com/keycloak/keycloak/issues/42634
https://github.com/keycloak/keycloak/issues/42635
Oct 29th 2025:
### 4. Attestation-Based Client Auth
Specification:
- [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/)
Ticket: [#39287](https://github.com/keycloak/keycloak/issues/39287)
Discussion: [#40413](https://github.com/keycloak/keycloak/discussions/40413)
PoC: https://github.com/thomasdarimont/keycloak/tree/poc/client-attestation
Slack: Discussion on OAuth Attestation-based client authentication https://cloud-native.slack.com/archives/C05KR0TL4P8/p1758286805101949
10.29.2025
- Clarity on: https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/issues/152
- Pascal shared his comments on testing wallets: https://github.com/keycloak/keycloak/issues/42505
- For the Funke event adorsys used the LISSI Wallet. We tested many wallets and the LISSI wallet was the closest.
- Stefan could have this wallet working: https://github.com/eu-digital-identity-wallet/eudi-app-android-wallet-ui
- Please let us all gather the comments in the ticket: https://github.com/keycloak/keycloak/issues/42505
- Pascal suggests adding a proof parameter to make it backward compatible. Change already made by Ingrid and the adorsys team. The adorsys team will submit a pull request.
Oct 29th 2025
### 5. Model Context Protocol (MCP)
Specification:
- [Base Protocol - Authorization](https://modelcontextprotocol.io/specification/draft/basic/authorization)
Pull request active: [#35711](https://github.com/keycloak/keycloak/pull/35711)
29 October 2025:
Takashi: I am now reviewing the following PR.
Add CORS support to OIDC dynamic client registration endpoints
https://github.com/keycloak/keycloak/pull/43625
The PR will resolve the issue that prevents MCP Inspector, MCP project’s official tool for debugging MCP Client/Servers, from working with Keycloak.
Support dynamic client registration for MCP Inspector
https://github.com/keycloak/keycloak/issues/43514
I confirmed that the MCP Inspector works well with this Keycloak.
### 5a. OAuth2 Resource Indicators
- Oct 29th 2025
https://github.com/keycloak/keycloak/pull/35711#issuecomment-3380054867
## Refinement
### 6. OpenID Verifiable Credentials Issuance (OpenID4VCI)
Specification:
- [OpenID for Verifiable Credential Issuance 1.0 (FINAL)](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-final.html)
- Gap Analysis to Final Spec: https://github.com/keycloak/keycloak/issues/43396
Oct 29th 2025:
- Takashi sent an email, will be reviewing the PR: https://github.com/keycloak/keycloak/pull/43215
- Pascal is requesting to review/approve the same PR.
- This PR is also reviewed by Takashi: https://github.com/keycloak/keycloak/pull/43182. All comments were reviewed.
- Help requested from SIG Members: https://github.com/keycloak/keycloak/pull/43506
- Marek's review is waiting for Ingrid to address: https://github.com/keycloak/keycloak/pull/43599#discussion_r2450929366
- Pascal has created a ticket to control the parameter KeyAttestationRequired: https://github.com/keycloak/keycloak/issues/43801
### 6a. Token Status List
- Adorsys implements draft 12 in concordance with draft 16 of OID4VCI. Adorsys is planning to send a pull request to push the code to main stream!
### 7. Token Exchange
Epic Issue: [External to internal token exchange](https://github.com/keycloak/keycloak/issues/38335)
Epic Issue: [Internal to external token exchange](https://github.com/keycloak/keycloak/issues/40704)
29th Oct 2025:
### Others
## Recordings