SIG Breakout Session: 2025-03-12
- Date: Wed 12 March 2025
- Time: 12:00 - 13:00 UTC (1 hour)
## Agenda
Agenda Items to discuss
https://hackmd.io/@keycloak-oauth-sig
## Attendees
- Francis Pouatcha
- Rodrick Awambeng
- Assah Bismark
- Motouom Victoire
- Pascal Knüppel
- Stefan Wiedemann
- Takashi Norimatsu
## Notes
Notes by Topic
### General
### OID4VCI (10 minutes)
Main Ticket: https://github.com/keycloak/keycloak/issues/32961
- Open:
- https://github.com/keycloak/keycloak/issues/32967
- waiting for Thomas' feedback
- See: https://github.com/keycloak/keycloak/pull/35498
- https://github.com/keycloak/keycloak/issues/32957
- Pascal and Stefan will review the OID4VCIRolleMapper and provide feedback.
- Revocation list specifications are still in progress
Sample Deployments:
- Open: https://github.com/adorsys/keycloak-ssi-deployment
- Depends on: https://github.com/keycloak/keycloak/issues/32957
Document which spec draft versions are supported by which Keycloak version
- OID4VCI - draft 14
- SD-JWT - draft 13 --> draft 17?
- SD-JWT VC - draft 04 --> draft 08?
- OpenID4VP - draft 20 --> draft 24?
- BuDru is forced to update to OID4VCI draft 15.
- OIDF is also writing conformance tests for OID4VCI draft 15.
- @Thomas: at OSW2025 it was announced that the plan for OID4VC is to publish 1.0 Final of OpenID4VP, OpenID4VCI, and HAIP around June 2025
- @Thomas: no opposition to using JSON Schema to validate documents like the issuer metadata (e.g. https://issuer.eudiw.dev/.well-known/openid-credential-issuer)
- [Token Status List](https://datatracker.ietf.org/doc/draft-ietf-oauth-status-list/) and [Identifier List](https://c2bo.github.io/draft-bormann-identifier-list/draft-bormann-identifier-list.html#section-4)?
- no planned support for the moment: OCSP & CRL
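For reference on what a Token Status List check involves, the bit-packing and lookup below are an added example written for these notes; it is not Keycloak code and not from the draft's authors. It follows the encoding in draft-ietf-oauth-status-list (1/2/4/8 bits per entry, index 0 in the least significant bits of byte 0, DEFLATE via zlib, base64url without padding; status values 0 = VALID, 1 = INVALID, 2 = SUSPENDED). The credential claims and the status list contents are constructed for the illustration; the function and variable names are this example's own. The Identifier List draft is not covered.

```python
import base64
import zlib

# Status values defined by draft-ietf-oauth-status-list
STATUS_VALID = 0x00
STATUS_INVALID = 0x01
STATUS_SUSPENDED = 0x02


def pack_statuses(statuses, bits=1):
    """Pack one status per index into a byte array.

    `bits` must be 1, 2, 4 or 8. Index 0 occupies the least significant
    bits of byte 0, index 1 the next `bits` bits, and so on.
    """
    if bits not in (1, 2, 4, 8):
        raise ValueError("bits must be 1, 2, 4 or 8")
    per_byte = 8 // bits
    mask = (1 << bits) - 1
    raw = bytearray((len(statuses) + per_byte - 1) // per_byte)
    for idx, status in enumerate(statuses):
        if status & ~mask:
            raise ValueError(f"status {status} does not fit in {bits} bits")
        raw[idx // per_byte] |= status << ((idx % per_byte) * bits)
    return bytes(raw)


def encode_status_list(statuses, bits=1):
    """Build the `status_list` object an issuer places in a Status List Token:
    the packed bytes, DEFLATE-compressed, base64url-encoded without padding."""
    compressed = zlib.compress(pack_statuses(statuses, bits), 9)
    lst = base64.urlsafe_b64encode(compressed).rstrip(b"=").decode("ascii")
    return {"bits": bits, "lst": lst}


def decode_status_list(status_list):
    """Reverse encode_status_list: returns (bits, raw packed bytes)."""
    bits = status_list["bits"]
    if bits not in (1, 2, 4, 8):
        raise ValueError("bits must be 1, 2, 4 or 8")
    lst = status_list["lst"]
    padded = lst + "=" * (-len(lst) % 4)  # restore base64 padding
    raw = zlib.decompress(base64.urlsafe_b64decode(padded))
    return bits, raw


def status_at(status_list, idx):
    """Read the status value for one index; out-of-range index is an error,
    not VALID, so a truncated list cannot silently pass a revoked token."""
    bits, raw = decode_status_list(status_list)
    per_byte = 8 // bits
    byte_idx = idx // per_byte
    if idx < 0 or byte_idx >= len(raw):
        raise IndexError(f"index {idx} outside status list of {len(raw)} bytes")
    return (raw[byte_idx] >> ((idx % per_byte) * bits)) & ((1 << bits) - 1)


def credential_status(claims, fetched_lists):
    """Look up the status of a Referenced Token (e.g. an SD-JWT VC) whose
    claims carry `status.status_list.{idx,uri}`. `fetched_lists` maps the
    `uri` to the already-fetched and signature-verified `status_list` object;
    verifying the Status List Token signature is out of scope here."""
    ref = claims["status"]["status_list"]
    status_list = fetched_lists.get(ref["uri"])
    if status_list is None:
        raise LookupError(f"no status list fetched for {ref['uri']}")
    return status_at(status_list, ref["idx"])


if __name__ == "__main__":
    # Constructed issuer-side data: index 3 is revoked, index 4 is suspended.
    issued = encode_status_list([0, 0, 0, 1, 2, 0, 0, 0], bits=2)
    lists = {"https://issuer.example/statuslists/1": issued}  # constructed URI
    # Constructed credential claims referencing index 3 in that list.
    claims = {"status": {"status_list": {"idx": 3,
                                         "uri": "https://issuer.example/statuslists/1"}}}
    print("status for idx 3:", credential_status(claims, lists))  # 1 (INVALID)
```

A verifier needs the `status_list` object out of a signed Status List Token fetched from `uri`; this example starts after that step and only shows the bit-level lookup, which is where implementation mistakes (wrong bit order, treating an out-of-range index as valid) would turn into accepting a revoked credential.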
### OAuth First Party Application (5 minutes)
- FIPA: https://github.com/keycloak/keycloak/discussions/25014
- API Based Auth: https://github.com/keycloak/keycloak/discussions/36924
- Analysis completed by Ingrid, currently being implemented.
- Status: still working on the demo.
### DPoP (5 minutes)
Main ticket: https://github.com/keycloak/keycloak/issues/22311
Need urgent consideration:
- https://github.com/keycloak/keycloak/issues/36475
- https://github.com/keycloak/keycloak/issues/36476
Maybe a joint look at this at KC-DevDay (Takashi, Thomas) or the OAuth Security Workshop (Dmitry, Takashi, Thomas)
### [SSF](https://sharedsignals.guide/)
Presented last Breakout by Thomas
- Test: https://scim.dev/
- https://scim.dev/playground/
- https://scim.dev/playground/sharedsignalframework/
- Outdated POC (SSF Transmitter): https://github.com/thomasdarimont/keycloak/tree/poc/shared-signals
- Maintained PoC (SSF Receiver): https://github.com/identitytailor/keycloak-ssf-support
Architectural discussion on how to integrate SSF into keycloak
- Update: KC Maintainers w/Thomas discussed maintainability of the service.
- Might end up being a sidecar to avoid complexity.
### Workload Identity
#### [SPIFFE](https://spiffe.io/)
- Status: PoC from IBM with ???
- Shall be presented ???
- https://github.com/maia-iyer/spire-demos/tree/main/keycloak_token_exchange
- Issue: Enable Signed JWT Client Authenticator to support Kubernetes natively https://github.com/keycloak/keycloak/issues/37600
- Improvement to the class structure of the client authenticator in keycloak
#### Transaction Token
- No status
### Key selection on Identity Providers (5 minutes)
- https://github.com/keycloak/keycloak/discussions/35039
- We might need a sub abstraction of Identity Providers (or trusted parties) inside a single Realm
- Consider the __trusted party__ abstraction
- Thomas: Look at the org.keycloak.broker.provider.AbstractIdentityProvider class. Could be the right location for managing provider-specific keys. We could provide an option like "Use custom private key: on/off" with an input field for a custom private key in the IdentityProviderConfiguration
- Thomas: Alternative: Refactor SAML Identity Provider and add a protected method to determine the key to use, to allow custom SAMLIdentityProviders to use different keys.
- Dmitry is trying to connect with Ben Cresitello-Dittmar (@ben95cd) as an experienced person in this domain.
- Status: no
### Other Topics
#### Keyconf25
- Survey started: https://forms.office.com/Pages/ResponsePage.aspx?id=hFQsXiLlnUeRylFdbgziKBgok6UO9mxHnShifZvG4ehUMVVNS1lRQlpJNTFSM0tHRU5QS0RPSlI2Ry4u
- Decision to do one day, as the budget for a two-day conference is out of reach.
- Comment published to CNCF Chat.
- Backbase interested in a booth!
## Recording
https://us06web.zoom.us/rec/share/sDxGOGC-OC_vTb6BAQZSWSHKDFLDSw0klTimLWOKcII4XmaZ1XLPabTB9zDQZo6f.O1xGqWczKRAOPdYx