# SIG Breakout Session: 2026-01-21

- Date: 21 January 2026
- Time: 12:00 - 13:00 UTC
  - 08:00 - 9:00 EDT (UTC-4)
  - 12:00 - 13:00 GMT (UTC+0)
  - 13:00 - 14:00 CET (UTC+1)
  - 13:00 - 14:00 WAT (UTC+1)
  - 14:00 - 15:00 EET (UTC+2)
  - 17:30 - 18:30 IST (UTC+5:30)
  - 21:00 - 22:00 JST (UTC+9)
  - 22:00 - 23:00 AEST (UTC+10)

Zoom Link: https://zoom-lfx.platform.linuxfoundation.org/meeting/96822989424?password=b61bd841-bb84-48e3-a88b-f1750d41d801

## Agenda

Agenda Items to discuss

## Attendees

- Takashi Norimatsu
- Bertrand Ogen
- Vinod Andandan
- Peter Skopek
- Rodrick Awambeng
- Marek Posolda

## Notes

Notes by Topic

Keycloak 26.5.1 released yesterday (06.01.2026)
https://www.keycloak.org/2026/01/keycloak-2651-released

### Regular Notes

- Calls for Updates
  - Takashi: MCP Support update

### MCP Support

I sent the Draft PR for Client ID Metadata Document support

- (Draft PR) [#45285 Persistent CIMD](https://github.com/keycloak/keycloak/pull/45285)

### OID4VCI

https://hackmd.io/vHQueAO-SaeSDx2bbTxnAQ

## New Support

### 1. AuthZEN

Specifications:

- https://openid.net/wg/authzen/

AuthZEN Github

- https://github.com/openid/authzen
- https://github.com/openid/authzen/tree/main/interop/authzen-idp
- https://authzen-interop.net/

AuthZEN IdP Interop:

- https://sts.authzen-interop.net/

2026-01-14

### 2. Workload/Agentic Identity

Specifications:

- [Transaction Tokens](https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/)
- [OAuth Identity and Authorization Chaining Across Domains](https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/)
- [OAuth 2.0 Dynamic Client Registration with Trusted Issuer Credentials](https://datatracker.ietf.org/doc/draft-kasselman-oauth-dcr-trusted-issuer-token/)
- [OAuth Client Registration on First Use with SPIFFE](https://datatracker.ietf.org/doc/draft-kasselman-oauth-spiffe/)
- [OAuth SPIFFE Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-spiffe-client-auth/)
- [Identity Assertion Authorization Grant](https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-assertion-authz-grant/)
- [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/)

Related Epic Issue:

- 21/22 [#43152 Authorization Grants](https://github.com/keycloak/keycloak/issues/43152)

### 3. Shared Signals Framework (SSF)

Specifications:

- [OpenID Shared Signals Framework Specification 1.0 Final](https://openid.net/specs/openid-sharedsignals-framework-1_0-final.html)
- [OpenID Continuous Access Evaluation Profile 1.0 Final](https://openid.net/specs/openid-caep-1_0-final.html)
- [OpenID RISC Profile Specification 1.0](https://openid.net/specs/openid-risc-1_0-final.html)

PoCs:

- [Shared Signals Framework for Keycloak](https://github.com/identitytailor/keycloak-ssf-support)

Issues:

- [#43616 Add initial support for OpenID Shared Signals Framework](https://github.com/keycloak/keycloak/issues/43614)

Active Draft PRs:

- [#43950 Initial support for Shared Signals Framework with Push Delivery](https://github.com/keycloak/keycloak/pull/43950)

### 4. OpenID Federation 1.0 (OIDFED)

Specifications:

- [OpenID Federation 1.0 - draft 45](https://openid.net/specs/openid-federation-1_0.html)

Discussions:

- [#31027 Support for OpenID Federation 1.0](https://github.com/keycloak/keycloak/discussions/31027#discussioncomment-14727205)

Epic Issues:

- 0/10 [#40509 OpenID Federation implementation](https://github.com/keycloak/keycloak/issues/40509)

Slacks:

- https://cloud-native.slack.com/archives/C096PUDTC3U
- https://github.com/keycloak/keycloak/issues/42634
- https://github.com/keycloak/keycloak/issues/42635

### 5. Attestation-Based Client Auth

Specification:

- [OAuth 2.0 Attestation-Based Client Authentication (ver 07)](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/)

Discussion:

- [#40413 Support for OAuth 2.0 Attestation-Based Client Authentication](https://github.com/keycloak/keycloak/discussions/40413)

PoCs:

- https://github.com/thomasdarimont/keycloak/tree/poc/client-attestation

Slacks:

- [Discussion on OAuth Attestation-based client authentication](https://cloud-native.slack.com/archives/C05KR0TL4P8/p1758286805101949)

Epic Issues:

- 0/5 [#43136 Add support for OAuth 2.0 Attestation-based client authentication](https://github.com/keycloak/keycloak/issues/43136)

### 6. Model Context Protocol (MCP)

Specifications:

- [Version 2025-03-26: Authorization](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization)
- [Version 2025-06-18: Authorization](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization)
- [Version 2025-11-25: Authorization](https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization)

#### Standards Compliance MCP requires and MCP version compliance

[Integrating with Model Context Protocol (MCP)](https://www.keycloak.org/securing-apps/mcp-authz-server)

#### Token Audience Binding (for 2025-06-18, 2025-11-25)

Active PRs:

- [#35711 Add support for RFC 8707 OAuth2 Resource Indicators](https://github.com/keycloak/keycloak/pull/35711)

#### OAuth Client ID Metadata Document (for 2025-11-25)

Issues:

- [#45106 OAuth Client ID Metadata Document](https://github.com/keycloak/keycloak/issues/45106)

Active PRs:

- (Draft PR) [#45285 Persistent CIMD](https://github.com/keycloak/keycloak/pull/45285)

## Refinement

### 7. OpenID Verifiable Credentials Issuance (OpenID4VCI)

Specifications:

- [OpenID for Verifiable Credential Issuance 1.0 (FINAL)](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-final.html)

Active PRs:

- https://github.com/keycloak/keycloak/pull/45028
- https://github.com/keycloak/keycloak/pull/45011
- https://github.com/keycloak/keycloak/pull/44840
- https://github.com/keycloak/keycloak/pull/45008

Epic Issues:

- 6/8 [#43396 [OID4VCI] Implementing support for OID4VCI Final Version](https://github.com/keycloak/keycloak/issues/43396)
- 7/9 [#43932 Promote OID4VCI to preview feature](https://github.com/keycloak/keycloak/issues/43932)
- 23/52 [#43936 [OID4VCI] Feedback from IBM team on OID4VCI feature](https://github.com/keycloak/keycloak/issues/43936)

Discussion:

- [#44764 Integration of AIA to OID4VCI Pre-authorization code flow](https://github.com/keycloak/keycloak/discussions/44764)

### 7.a Token Status List

Specifications:

- [Token Status List](https://github.com/oauth-wg/draft-ietf-oauth-status-list?tab=readme-ov-file#implementations-open-source)

### Others

- [Keycloak User Group UK](https://www.meetup.com/keycloak-user-group-uk/). First Meeting to be hosted at Backbase (tentatively, Spring 2026).

## Recordings

TBA