# SIG Breakout Session: 2025-07-16

- Date: Wed 16 July 2025
- Time: 11:00 - 12:00 UTC
  - 07:00 - 08:00 EDT (UTC-4)
  - 12:00 - 13:00 BST (UTC+1)
  - 13:00 - 14:00 CEST (UTC+2)
  - 14:00 - 15:00 EEST (UTC+3)
  - 16:30 - 17:30 IST (UTC+5:30)
  - 20:00 - 21:00 JST (UTC+9)
  - 21:00 - 22:00 AEST (UTC+10)

## Agenda

Agenda Items to discuss

## Attendees

- Takashi Norimatsu
- Vinod Anandan
- Thomas Darimont
- Ingrid Kamga
- Rodrick Awambeng
- Bertrand Ogen
- Forkim Akwichek
- Dmitry Telegin
- Costas Georilakis

## Notes

## New Support

### 1. Workload Identity - Transaction Token, SPIFFE

16 July 2025: Focusing on the specification rather than implementation. Next week there will be more documents available for review.

- Automatic Client Registration - SPIFFE

Link to the event: [IETF 123](https://events.oauth.net/2025/07/ietf-123-madrid-ASzyJKU1TnAV)

### 2. OAuth 2.0 for First-Party Applications (FiPA)

16 July 2025: https://github.com/keycloak/keycloak/discussions/38796#discussioncomment-13709180

### 3. Shared Signals Framework (SSF)

16 July 2025: No updates

### 4. OpenID Federation 1.0 (OIDFED)

16 July 2025: To follow up offline with Thomas.

https://github.com/keycloak/keycloak/discussions/31027#discussioncomment-13749859

OpenID Federation OP back end - initial commit: https://github.com/eosc-kc/keycloak/tree/40511_openid_federation_op

Draft PR should be ready by August.

### 5. Client Attestation

16 July 2025: No updates. Anyone interested in this, please reach out to Thomas for insights on the client attestation implementation in the OIDF conformance test suite.

https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/

### 6. Model Context Protocol (MCP)

16 July 2025:

- Takashi: no progress

https://github.com/keycloak/keycloak/pull/35711

Requesting review from the SIG community, especially @Takashi @Costas. We will need to request re-review from Stian, Marek.

## Refinement

### 7. OpenID Verifiable Credentials Issuance (OID4VCI)

https://github.com/keycloak/keycloak/pull/40751

PR is ready for re-review, kindly requesting review from @Thomas @Pascal @Ingrid

https://github.com/keycloak/keycloak/pull/41001

Ogen to update PR with recommendation by EOD, will be ready for potential re-review by tomorrow. Requesting re-review from @Ingrid

*We will focus on supporting OID4VCI Draft 16 mandatory spec aligned with the OIDF conformance test suite.*

### 8. Token Exchange

- no update
- no update // 16 July 2025

### 9. Demonstrating Proof-of-Possession (DPoP)

- Epic Issue: [#22311](https://github.com/keycloak/keycloak/issues/22311)
- Takashi: 11 of 15 issues were resolved. (+1 resolved, 73%)
- Takashi: I asked the Keycloak development team to make DPoP officially supported excluding currently open issues.

16 July 2025: Waiting for feedback from the Keycloak core team (Marek agrees with the proposal) on promoting DPoP to an officially supported feature.

https://github.com/keycloak/keycloak/pull/35443

"Add FAPI 2.0 + DPoP security profile as default profile of client policies" PR merged.

### 10. Passkeys

- Epic Issue: [#23656](https://github.com/keycloak/keycloak/issues/23656)
- Takashi: 19 of 21 issues were resolved. (+2 resolved, 90%)

16 July 2025: Pending the following issues before this becomes an officially supported feature:

- https://github.com/keycloak/keycloak/issues/40696
- https://github.com/keycloak/keycloak/issues/29558

### 11. FAPI 2.0 FINAL

- Epic Issue: [#38769](https://github.com/keycloak/keycloak/issues/38769)
- Takashi: 0 of 4 issues were resolved. (+4 newly created, 1 PR submitted, 0%)
- Takashi: regarding FAPI 2.0 Security Profile Final, due to [#41119](https://github.com/keycloak/keycloak/issues/41119), Keycloak can pass some conformance tests among the five conformance profiles' conformance tests of the FAPI 2.0 Security Profile Final specification:
  * FAPI2SP MTLS + MTLS: passed
  * FAPI2SP MTLS + DPOP: passed
  * FAPI2SP private key + MTLS: not passed
  * FAPI2SP private key + DPOP: not passed
  * FAPI2SP OpenID Connect: passed (if not using private_key_jwt as client authentication method)
- Takashi: regarding FAPI 2.0 Message Signing Final, due to [#41119](https://github.com/keycloak/keycloak/issues/41119) and [#41181](https://github.com/keycloak/keycloak/issues/41181), Keycloak can pass some conformance tests among the two conformance profiles' conformance tests of the FAPI 2.0 Message Signing Final specification:
  * FAPI2MS JAR: passed (if not using private_key_jwt as client authentication method)
  * FAPI2MS JARM: passed (if not using private_key_jwt as client authentication method)
- Thomas: see the following PRs for the private_key_jwt issue:
  - https://github.com/keycloak/keycloak/pull/38754
  - https://github.com/keycloak/keycloak/pull/38830

### Others

- Takashi: I completed support for AU-CDR Adv. OP w/ Private Key, PAR, JARM conformance profile tests. According to the [Australia CDR security profile specification](https://consumerdatastandardsaustralia.github.io/standards/#authentication-flows), from May 12th 2025, JARM is mandatory. And confirmed that Keycloak 26.3 can pass the conformance test.

## Recordings

https://us06web.zoom.us/rec/share/3AA6XQUcqAncMG-RYv0v9ZLm4Xe2qhoymTeeNyel5ig6Ngey0Fuw6dq5mHSTE6JU.R2akBFhMx9BlzH-m