# SIG Meeting: 2025-01-08 19th Meeting (64th from Ex FAPI-SIG)

[Meeting Slides](https://github.com/keycloak/kc-sig-fapi/blob/main/OAuth-SIG/meetings/19th/presentations/OAuth-SIG_19th_MTG_agenda.pdf)

- Date: Wed 8 January 2025
- Time: 12:00 - 13:00 UTC (1 hour)

## Agenda

Agenda items to discuss

## Attendees

- Takashi Norimatsu
- Thomas Darimont
- Francis
- Vinod
- Ingrid
- Marek
- Stefan
- Rodrick
- Dimtry
- Pascal
- Costas
- Kanan

## Notes

Notes by topic

### General

- Takashi presents the current state of efforts
- Next OAuth SIG meeting will be held on Wednesday 5th February 2025.

### OID4VCI

- Blocking ticket in review was merged: https://github.com/keycloak/keycloak/pull/35046
- Main ticket: https://github.com/keycloak/keycloak/issues/32961
- Next blocking ticket in review?: https://github.com/keycloak/keycloak/pull/36056

### OAuth 2.0 Demonstrating Proof of Possession (DPoP)

- No further update.
- A SIG member will give a talk about DPoP at FOSDEM 2025 in Belgium (1st February): https://fosdem.org/2025/schedule/event/fosdem-2025-5370-using-dpop-to-use-access-tokens-securely-in-your-single-page-applications/

### Token Exchange Update

- No updates
- Marek mentioned that it might make it into KC 26.2

### Shared Signals Framework Support

- Rebased the [poc/shared-signals](https://github.com/thomasdarimont/keycloak/tree/poc/shared-signals) branch on current Keycloak main
- Currently developing the Keycloak SSF support with the OIDF Shared Signals Framework tests as driver
  - OIDF SSF configuration tests pass already
- Thomas will present the Shared Signals Framework in the upcoming Keycloak maintainers call (January 9th)
- Hope we can then decide how to proceed with the SSF implementation (whether as part of Keycloak core or as an extension)

Work areas:

- SSF integration API and structure
- Stream management (CRUD) + subject / status management
- Event enrichment / recording
- Support event PUSH / PULL mechanisms
- Event "storage"
  - Implementation currently uses mock storage
  - Idea: enrich Keycloak events to serve as the base for SSF events
- Integration with Token Exchange and SCIM

### OAuth 2.0 Step-Up Authentication

- We discuss this in the next session

### OpenID Connect for Identity Assurance 1.0

- We discuss this in the next session

### OAuth First Party Application

- New use case: exchange a verifiable presentation for a token in Keycloak. Token Exchange does not have a pre-step to enforce nonce and replay protection.
- State of Martin's review of the spec and the Salesforce work.

### Other Topics

- [OAuth 2.0 Resource Indicators](https://datatracker.ietf.org/doc/html/rfc8707)
  - Thomas proposes to add support for Resource Indicators
  - Allows specifying which "resources" can be managed by an authorized user / client session
  - Another way to control the contents of the audience ("aud") claim
  - Supports modifying the aud claim (add / remove) on token refresh within the initially configured resource "bounds"
  - [Discussion](https://github.com/keycloak/keycloak/discussions/35743) and [PR 35711](https://github.com/keycloak/keycloak/pull/35711) based on the initial contributions by Costas with some extensions
  - To discuss: Resource indicators are typically URIs; however, in the context of Keycloak we could also allow the usage of client_ids, since the audience claim usually contains client_ids
  - To discuss: How to specify allowed resource indicators (explicitly: low / high cardinality, via SPI)

## Recording

https://us06web.zoom.us/rec/share/Kr5hqfibb4HXMA_lby6MGKSfX6UdOIl9hB7CHIEJH6kTThHef5iZv1WmkxXanYzE.g5jIjZoE4XEm3hJK
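The Resource Indicators item under Other Topics above describes the behaviour an authorization server needs: validate each `resource` value, issue an `aud` claim from the values the client is allowed to ask for, and let a refresh narrow but never widen that audience. The following Python sketch, added here as an illustration and not taken from Keycloak or from PR 35711, implements those rules from RFC 8707. It assumes an explicitly configured per-client set of allowed resources (the low-cardinality option from the notes), rejects query components outright where the RFC only says SHOULD NOT, grants the whole configured set when no `resource` parameter is sent, and models the discussed Keycloak-specific idea of accepting a known client_id as a resource indicator through the `known_client_ids` parameter; the client configuration and requests are constructed sample data.

```python
"""RFC 8707 Resource Indicators: validating `resource` parameters and keeping
the "aud" claim inside the initially granted resource bounds across a refresh.

Added example for the meeting notes; not Keycloak code and not the code in
PR 35711. The client configuration and requests below are constructed.
"""
from urllib.parse import urlsplit


class InvalidTarget(ValueError):
    """The authorization server refuses the request with the RFC 8707
    `invalid_target` error code instead of issuing a token."""


def is_valid_resource_indicator(value: str, known_client_ids=frozenset()) -> bool:
    """Syntactic check for one `resource` value (RFC 8707 section 2).

    Must be an absolute URI (has a scheme) without a fragment. RFC 8707 says
    it SHOULD NOT have a query component; this example rejects queries so
    that audience values stay canonical and comparable.

    `known_client_ids` is the Keycloak-specific idea from the notes and an
    assumption of this example, not part of RFC 8707: a configured client_id
    is accepted as a resource indicator because Keycloak audiences are
    usually client_ids.
    """
    if value in known_client_ids:
        return True
    parts = urlsplit(value)
    if not parts.scheme:
        return False  # relative reference, not an absolute URI
    if parts.fragment or parts.query:
        return False
    return True


def grant_resources(bounds, requested, known_client_ids=frozenset()):
    """Authorization / token request: accept well-formed `resource` values that
    lie within `bounds` (the resources configured for the client); any other
    value triggers invalid_target. With no `resource` parameter the whole
    configured set is granted (a policy choice of this example).
    """
    if not requested:
        return set(bounds)
    granted = set()
    for r in requested:
        if not is_valid_resource_indicator(r, known_client_ids):
            raise InvalidTarget(f"malformed resource indicator: {r!r}")
        if r not in bounds:
            raise InvalidTarget(f"resource not permitted: {r!r}")
        granted.add(r)
    return granted


def refresh_audience(initially_granted, requested, known_client_ids=frozenset()):
    """Refresh request (RFC 8707 section 2.2): the client may narrow the
    audience by sending `resource` again but never widen it beyond what the
    original grant covered; without `resource`, the original audience is kept.
    """
    return grant_resources(initially_granted, requested, known_client_ids)


def build_claims(client_id: str, granted) -> dict:
    """Emit the aud claim: a single string for one audience, a sorted list
    otherwise (JWT allows both forms, RFC 7519 section 4.1.3)."""
    auds = sorted(granted)
    return {"azp": client_id, "aud": auds[0] if len(auds) == 1 else auds}


# Constructed sample configuration, not a Keycloak data model.
CLIENT_BOUNDS = {"https://api.example.com/", "https://calendar.example.com/"}
KNOWN_CLIENT_IDS = frozenset({"reports-service"})


def demo() -> dict:
    """Walk through an initial grant, a narrowing refresh, and refused requests."""
    initial = grant_resources(
        CLIENT_BOUNDS, ["https://api.example.com/", "https://calendar.example.com/"])
    narrowed = refresh_audience(initial, ["https://api.example.com/"])
    outcome = {
        "initial_claims": build_claims("spa-frontend", initial),
        "narrowed_claims": build_claims("spa-frontend", narrowed),
    }
    # Widening on refresh and malformed values must both be refused.
    for label, req in [("widening", ["https://other.example.com/"]),
                       ("fragment", ["https://api.example.com/#admin"])]:
        try:
            refresh_audience(initial, req)
            outcome[label + "_rejected"] = False
        except InvalidTarget:
            outcome[label + "_rejected"] = True
    # With client_ids allowed as indicators (the Keycloak idea under discussion).
    outcome["client_id_ok"] = grant_resources(
        CLIENT_BOUNDS | KNOWN_CLIENT_IDS, ["reports-service"], KNOWN_CLIENT_IDS)
    return outcome


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The important invariant is that `refresh_audience` reuses the same bounds check as the initial grant but with the *originally granted* set as the bound, so a refresh token can only shrink the audience; the `aud` claim therefore never names a resource the client was not authorized for at the start of the session.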