# SIG Breakout Session: 2025-09-24

- Date: 24 September 2025
- Time: 11:00 - 12:00 UTC
  - 07:00 - 08:00 EDT (UTC-4)
  - 12:00 - 13:00 BST (UTC+1)
  - 13:00 - 14:00 CEST (UTC+2)
  - 14:00 - 15:00 EEST (UTC+3)
  - 16:30 - 17:30 IST (UTC+5:30)
  - 20:00 - 21:00 JST (UTC+9)
  - 21:00 - 22:00 AEST (UTC+10)

## Agenda

Agenda items to discuss:

- OID4VCI Status

## Attendees

- Takashi Norimatsu
- Ingrid Kamga
- Thomas Darimont
- Arndt Schwenkschuster
- Vinod Anandan
- Bertrand Ogen
- Rodrick Awambeng
- Assah Bismark
- Forkim Akwichek
- Francis Pouatcha
- Stefan Wiedemann

## Notes

- (Vinod) This is the last breakout session before the Keycloak 26.4 release.
- (Vinod) Thanks for working on OID4VCI support in Keycloak (special thanks to the adorsys team for their efforts).
- Open PRs:
  - OID4VCI: Extend the ClientScope UI https://github.com/keycloak/keycloak/pull/42858
  - OID4VCI: Fix authorization_details generation and credential identifier mapping for conformance tests https://github.com/keycloak/keycloak/pull/42819
- The current conformance test for OpenID4VCI is in preview status. We expect some minor changes toward an official version of the test. An official version may be released in about a month, when the OpenID Foundation officially provides a certification program for OpenID4VCI.
- The conformance test for OpenID4VCI is based on [HAIP](https://openid.github.io/OpenID4VC-HAIP/openid4vc-high-assurance-interoperability-profile-wg-draft.html), which means that PAR is mandatory.
- Issue to promote OID4VCI from experimental to preview: https://github.com/keycloak/keycloak/issues/42889
- (Thomas) Is there an issue for providing documentation about the OID4VCI feature?
- (Group) Regarding the need to prepare the OpenID4VCI promotion to a preview feature: server admin documentation in the adorsys repository: https://github.com/keycloak/keycloak/blob/main/docs/documentation/server_admin/topics/oid4vci/vc-issuer-configuration.adoc
- (Thomas) A use-case focused guide might be helpful.
- (Forkim) Demonstrates OIDF Conformance Tests for OpenID4VCI with Keycloak OID4VCI.
- (Group) Cheering :) It works, all tests pass.
- (Forkim) Adorsys: https://github.com/adorsys/keycloak-ssi-deployment/tree/oid4vci-conformance-test-16/conformance_test_utils
- (Thomas) Can we add these tests to the Keycloak "variant" of the conformance test suite? https://github.com/keycloak/keycloak-oauth-sig/tree/main/conformance-tests-env
- (Forkim) Currently there are issues with using PAR in the conformance tests and Keycloak.
- (Vinod) Keycloak 26.4 ETA September 30th: https://github.com/keycloak/keycloak/milestone/61
- (Group) Discussions on Attestation-Based Client Authentication.
- (Arndt) Attestation-based client auth is something else compared to SPIFFE/Kubernetes client auth.
- (Arndt) There will be a meeting in Canada / Montreal around OAuth / SPIFFE integrations: https://datatracker.ietf.org/doc/agenda-interim-2025-oauth-09-oauth-01/
- (Arndt) MCP OAuth Client ID Metadata draft: https://www.ietf.org/archive/id/draft-parecki-oauth-client-id-metadata-document-03.html
- (Topic switch back to OID4VCI)
- (Vinod) Are you (Adorsys) planning to use the Lissi Wallet? https://www.lissi.id/
- (Adorsys) We need to change some code for that.
- (Vinod) Does anybody know other wallets that support OID4VCI Draft 16 that we could use for testing?
- (Thomas) I'll try to find a list that I can share.

## New Support

### 1. Workload/Agentic Identity

Specification:

- [Transaction Tokens](https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/)
- [OAuth Identity and Authorization Chaining Across Domains](https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/)
- [OAuth 2.0 Dynamic Client Registration with Trusted Issuer Credentials](https://datatracker.ietf.org/doc/draft-kasselman-oauth-dcr-trusted-issuer-token/)
- [OAuth Client Registration on First Use with SPIFFE](https://datatracker.ietf.org/doc/draft-kasselman-oauth-spiffe/)
- [OAuth SPIFFE Client Authentication](https://datatracker.ietf.org/doc/draft-schwenkschuster-oauth-spiffe-client-auth/)
- [Identity Assertion Authorization Grant](https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-assertion-authz-grant/)

Issue:

- [Support authenticating clients with SPIFFE/SPIRE](https://github.com/keycloak/keycloak/issues/41907)

PoC:

- [Keycloak and SPIRE for Agent Identity](https://github.com/christian-posta/keycloak-agent-identity)
- [keycloak-spiffe](https://github.com/CarrettiPro/keycloak-spiffe)

Epic Issue:

- [Preview federated client authentication](https://github.com/keycloak/keycloak/issues/42230)

24 September 2025:

-

### 3. Shared Signals Framework (SSF)

Specification:

- [OpenID Shared Signals Framework Specification 1.0 Final](https://openid.net/specs/openid-sharedsignals-framework-1_0-final.html)
- [OpenID Continuous Access Evaluation Profile 1.0 Final](https://openid.net/specs/openid-caep-1_0-final.html)
- [OpenID RISC Profile Specification 1.0](https://openid.net/specs/openid-risc-1_0-final.html)

PoC: [Shared Signals Framework for Keycloak](https://github.com/identitytailor/keycloak-ssf-support)

24 September 2025:

-

### 4. OpenID Federation 1.0 (OIDFED)

Specification:

- [OpenID Federation 1.0 - draft 43](https://openid.net/specs/openid-federation-1_0.html)

Epic Issue: [#40509](https://github.com/keycloak/keycloak/issues/40509)

Slack: https://cloud-native.slack.com/archives/C096PUDTC3U

24 September 2025:

-

### 5. Attestation-Based Client Auth

Specification:

- [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/)

Ticket: [#39287](https://github.com/keycloak/keycloak/issues/39287)

Discussion: [#40413](https://github.com/keycloak/keycloak/discussions/40413)

PoC: https://github.com/thomasdarimont/keycloak/tree/poc/client-attestation

Slack: Discussion on OAuth Attestation-based client authentication https://cloud-native.slack.com/archives/C05KR0TL4P8/p1758286805101949

24 September 2025:

-

### 6. Model Context Protocol (MCP)

Specification:

- [Base Protocol - Authorization](https://modelcontextprotocol.io/specification/draft/basic/authorization)

Pull request active: [#35711](https://github.com/keycloak/keycloak/pull/35711)

24 September 2025:

- Takashi: 1 of 2 issues were resolved. (no progress, 50%)
- As for RFC 8707 Resource Indicators support, [#35711](https://github.com/keycloak/keycloak/pull/35711), adding a feature flag can be considered.
- [OAuth Client ID Metadata Document](https://www.ietf.org/archive/id/draft-parecki-oauth-client-id-metadata-document-03.html#name-client-metadata-documents-f) is a promising alternative to DCR in MCP.

## Refinement

### 7. OpenID Verifiable Credentials Issuance (OpenID4VCI)

Specification:

- [OpenID for Verifiable Credential Issuance - draft 15](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-15.html)
- [OpenID for Verifiable Credential Issuance - draft 16](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-16.html)
- [OpenID for Verifiable Credential Issuance - draft 17](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-17.html)
- [OpenID for Verifiable Credential Issuance 1.0 (FINAL)](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-final.html)

Pull requests active (https://github.com/keycloak/keycloak/pulls?q=is%3Apr+is%3Aopen+OID4VCI): [#42858](https://github.com/keycloak/keycloak/pull/42858), [#42819](https://github.com/keycloak/keycloak/pull/42819)

Epic Issue: [[OID4VCI] Implementing support for OID4VCI ID2 Draft 15](https://github.com/keycloak/keycloak/issues/39273): 27 of 28 issues were resolved (+1 resolved, 96%)

Epic Issue: [[OID4VCI] Implementing Support for OID4VCI ID2 draft 16](https://github.com/keycloak/keycloak/issues/41569): 22 of 23 issues were resolved (+2 resolved, +1 added, 96%)

24 September 2025:

-

### 8. Token Exchange

Epic Issue: [External to internal token exchange](https://github.com/keycloak/keycloak/issues/38335)

Epic Issue: [Internal to external token exchange](https://github.com/keycloak/keycloak/issues/40704)

24 September 2025:

-

### 9. Demonstrating Proof-of-Possession (DPoP)

Epic Ticket: [#22311](https://github.com/keycloak/keycloak/issues/22311)

24 September 2025:

- Takashi: 21 of 21 issues were resolved. (+7 resolved, +5 added, 100%)
- Takashi: Keycloak 26.4 will officially support DPoP.
- Takashi: The work item is completed, so I will remove it from the agenda of the next OAuth SIG meeting.

### Others

## Recordings

TBA