# SIG Meeting: 2025-12-03

30th Meeting (75th from Ex FAPI-SIG)

- Date: 3 December 2025
- Time: 12:00 - 13:00 UTC
  - 08:00 - 09:00 EDT (UTC-4)
  - 12:00 - 13:00 GMT (UTC+0)
  - 13:00 - 14:00 CET (UTC+1)
  - 13:00 - 14:00 WAT (UTC+1)
  - 14:00 - 15:00 EET (UTC+2)
  - 17:30 - 18:30 IST (UTC+5:30)
  - 21:00 - 22:00 JST (UTC+9)
  - 22:00 - 23:00 AEST (UTC+10)
- Zoom Link: https://us06web.zoom.us/j/81611246656

## Agenda

Agenda Items to discuss

## Attendees

- Takashi Norimatsu
- Francis Pouatcha
- Bertrand Ogen
- Thomas Darimont
- Rodrick Awambeng
- Thomas Diesler
- Vinod Anandan
- Konstantinos Georgilakis
- Martin Besozzi
- Stefan Wiedemann

## Notes

Notes by Topic

## New Support

### 0. AuthZEN

Specifications:

- https://openid.net/wg/authzen/

AuthZEN GitHub:

- https://github.com/openid/authzen
- https://github.com/openid/authzen/tree/main/interop/authzen-idp
- https://authzen-interop.net/

AuthZEN IdP Interop:

- https://sts.authzen-interop.net/

Thomas gives a live demo of sts.authzen-interop.net.

Discussion of how AuthZEN can be integrated with Keycloak.

Martin: Adding AuthZEN support to Keycloak is a first step, but there are still many open questions to cover.

### 1. Workload/Agentic Identity

Specifications:

- [Transaction Tokens](https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/)
- [OAuth Identity and Authorization Chaining Across Domains](https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/)
- [OAuth 2.0 Dynamic Client Registration with Trusted Issuer Credentials](https://datatracker.ietf.org/doc/draft-kasselman-oauth-dcr-trusted-issuer-token/)
- [OAuth Client Registration on First Use with SPIFFE](https://datatracker.ietf.org/doc/draft-kasselman-oauth-spiffe/)
- [OAuth SPIFFE Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-spiffe-client-auth/)
- [Identity Assertion Authorization Grant](https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-assertion-authz-grant/)
- [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/)

Dmitry: Presents a brief update on the OAuth WG (Dec 2025)

- IETF 124: last meeting, in Montreal, Canada
- Transaction Tokens
  - `purp` claim is the new scope
  - Keycloak integration for TX Tokens: WIP status
  - Align with current draft version
  - Dmitry: Suggests a generic mapper infrastructure for token exchange
  - Suggests adding expression language support for more flexible mappers
  - Some EL candidates:
    - Jakarta EL
    - MVEL
    - [CEL](https://cel.dev/) | [Spec](https://github.com/google/cel-spec) | [Java impl](https://github.com/google/cel-java) | [Fork with fewer Deps](https://github.com/projectnessie/cel-java)
  - Martin: How to specify the transaction context?
  - Dmitry: Explains how transaction context works
  - Arndt: There's request context (rctx) and transaction context (tctx)
  - Arndt / Martin: Token Exchange is too generic; Transaction Tokens could be more specific and better suited for AI use cases.
  - Dmitry: If the incoming token is DPoP-bound, the transaction service cannot validate the DPoP proof.
  - Dmitry: [PoC Implementation](https://github.com/dteleguin/keycloak-tts)
- OAuth SPIFFE Client Authentication
  - Spec adopted as an Internet draft
  - Available as a preview feature in Keycloak 26.4.x
  - Martin: SPIFFE gets a lot of traction
  - Dmitry: Companion topic: "How to register a SPIFFE client"
    - Different mechanisms
- Client ID Metadata Document
  - Adopted as an Internet draft
  - Alternative to client registration
  - Dmitry: We currently have no robust way for JWK retrieval
    - We could take some inspiration from [enhanced-jwk-retrieval](https://connect2id.com/products/nimbus-jose-jwt/examples/enhanced-jwk-retrieval)
  - Dmitry: Suggests dedicating a breakout session to CIMD
- DPoP
  - New draft: dpop-device-flow
  - New draft: oauth-jwt-dpop-grant
  - Can be built on existing DPoP support in Keycloak
- RFC 7523bis
  - oauth-jwt-dpop-grant
  - Can affect client authentication in Keycloak, e.g. a more specific "typ" claim
- SD-JWT
  - Published as RFC 9901
  - SD-JWT-VC: approaching WGLC
  - Keycloak: need to update the OpenID4VCI implementation
- IETF 125: Shenzhen, March 2026

### 2. Shared Signals Framework (SSF)

Specifications:

- [OpenID Shared Signals Framework Specification 1.0 Final](https://openid.net/specs/openid-sharedsignals-framework-1_0-final.html)
- [OpenID Continuous Access Evaluation Profile 1.0 Final](https://openid.net/specs/openid-caep-1_0-final.html)
- [OpenID RISC Profile Specification 1.0](https://openid.net/specs/openid-risc-1_0-final.html)

PoCs:

- [Shared Signals Framework for Keycloak](https://github.com/identitytailor/keycloak-ssf-support)

Issues:

- [#43616 Add initial support for OpenID Shared Signals Framework](https://github.com/keycloak/keycloak/issues/43614)

Active Draft PRs:

- [#43950 Initial support for Shared Signals Framework with Push Delivery](https://github.com/keycloak/keycloak/pull/43950)

Thomas: Update on SSF

Thomas: Did a review with Stian; the feature is approved with some minor changes requested.

Thomas: Minimal implementation: SSF Receiver with HTTP Push delivery support and externally created SSF Streams only.

Thomas: Currently we reuse the identity provider infrastructure.

Thomas: Keycloak will be able to act as an SSF Receiver.

Martin: How can we use this?

Thomas: There will be an SPI, and some more user-friendly UI later (e.g. an integration with Identity Providers).

### 3. OpenID Federation 1.0 (OIDFED)

Specifications:

- [OpenID Federation 1.0 - draft 45](https://openid.net/specs/openid-federation-1_0.html)

Discussions:

- [#31027 Support for OpenID Federation 1.0](https://github.com/keycloak/keycloak/discussions/31027#discussioncomment-14727205)

Epic Issues:

- [#40509 OpenID Federation implementation](https://github.com/keycloak/keycloak/issues/40509)

Slacks:

- https://cloud-native.slack.com/archives/C096PUDTC3U

Issues:

- https://github.com/keycloak/keycloak/issues/42634
- https://github.com/keycloak/keycloak/issues/42635

### 4. Attestation-Based Client Auth

Specification:

- [OAuth 2.0 Attestation-Based Client Authentication (ver 07)](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/)

Discussion:

- [#40413 Support for OAuth 2.0 Attestation-Based Client Authentication](https://github.com/keycloak/keycloak/discussions/40413)

PoCs:

- https://github.com/thomasdarimont/keycloak/tree/poc/client-attestation

Slacks:

- [Discussion on OAuth Attestation-based client authentication](https://cloud-native.slack.com/archives/C05KR0TL4P8/p1758286805101949)

Ingrid: Gap analysis between the latest draft and the PoC PR by Thomas

### 5. Model Context Protocol (MCP)

Specifications:

- [Version 2025-03-26: Authorization](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization)
- [Version 2025-06-18: Authorization](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization)
- [Version 2025-11-25: Authorization](https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization)

#### Standards Compliance

MCP requires:

| Standard | 2025-03-26 | 2025-06-18 | 2025-11-25 | Keycloak 26.5 |
| - | - | - | - | - |
| [Internet Draft - The OAuth 2.1 Authorization Framework](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-14) | MUST | MUST | MUST | Supported |
| [RFC 8414 OAuth 2.0 Authorization Server Metadata](https://datatracker.ietf.org/doc/html/rfc8414) | MUST | MUST | MUST | Supported |
| [RFC 7591 OAuth 2.0 Dynamic Client Registration Protocol](https://datatracker.ietf.org/doc/html/rfc7591) | SHOULD | SHOULD | MAY | Supported |
| [Internet Draft - OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) | - | - | SHOULD | Not supported |

#### MCP version compliance

The basic criterion for compliance: "Keycloak supports MCP" means that Keycloak meets all MUST and SHOULD requirements of MCP.

| MCP Version | Conformance |
| - | - |
| [2025-03-26](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization) | Supported |
| [2025-06-18](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization) | Supported (\*1) |
| [2025-11-25](https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization) | Supported without OAuth Client ID Metadata Document (\*1) |

\*1: Regarding the feature "Token Audience Binding", the MCP specification does not explicitly mandate that an authorization server support it, but Keycloak needs to support it in practice. There are several workarounds for that.

Active PRs:

- [#35711 Add support for RFC 8707 OAuth2 Resource Indicators](https://github.com/keycloak/keycloak/pull/35711)
- [#44572 MCP Documentation for 26.5](https://github.com/keycloak/keycloak/pull/44572)

Takashi: As a workaround for 2025-11-25, I am working on implementing CIMD by client policies.

## Refinement

### 6. OpenID Verifiable Credentials Issuance (OpenID4VCI)

Specifications:

- [OpenID for Verifiable Credential Issuance 1.0 (FINAL)](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-final.html)

Active PRs:

- [#44029 [OID4VCI] VC of type oid4vc_natural_person has invalid id value](https://github.com/keycloak/keycloak/pull/44029)
- [#44615 [OID4VCI] Expose advanced realm-level OID4VCI settings in the Admin UI](https://github.com/keycloak/keycloak/pull/44615)
- [#44471 [OID4VCI] Handle key_attestation_required in metadata endpoint](https://github.com/keycloak/keycloak/pull/44471)
- [#44439 [OID4VCI] Conformance Test Fixes](https://github.com/keycloak/keycloak/pull/44439)
- [#44390 [OID4VCI]: Add UI for OID4VCI Protocol Mapper Configuration](https://github.com/keycloak/keycloak/pull/44390)
- [#44574 [OID4VCI] Unable to find contextual data of... (many tests fail)](https://github.com/keycloak/keycloak/issues/44574)

Merged PRs this week:

- [#44370 Make sd-jwt key binding verification work with EdDSA keys](https://github.com/keycloak/keycloak/pull/44370)

Epic Issues:

- [#43396 [OID4VCI] Implementing support for OID4VCI Final Version](https://github.com/keycloak/keycloak/issues/43396)
- [#43936 [OID4VCI] Feedback from IBM team on OID4VCI feature](https://github.com/keycloak/keycloak/issues/43936)

Blog Posts:

- https://github.com/ADORSYS-GIS/keycloak-web/pull/1
- Improvement PR: https://github.com/ADORSYS-GIS/keycloak-web/pull/2

Conformance testing:

- Adorsys team contributed that to the SIG
- https://github.com/keycloak/keycloak-oauth-sig/tree/main/oid4vci-deployment

20251203:

- PRs being actively reviewed.
- Beware of this issue ticket: https://github.com/keycloak/keycloak/issues/44574. Adorsys team trying to replicate the errors.
- Adorsys team to look into: https://github.com/keycloak/keycloak/issues/44623
- Blog post ready: https://github.com/ADORSYS-GIS/keycloak-web/blob/c78ab4517ea882248c703f6086b8b7d6c392c634/blog/2025/issue-credentials-over-openid4vci.adoc

### 6.a Token Status List

Specifications:

- [Token Status List](https://github.com/oauth-wg/draft-ietf-oauth-status-list?tab=readme-ov-file#implementations-open-source)

### 7. Token Exchange

Epic Issues:

- https://github.com/keycloak/keycloak/issues/43151 : this is like an epic ticket.
- [#38335 External to internal token exchange](https://github.com/keycloak/keycloak/issues/38335)
- [#40704 Internal to external token exchange](https://github.com/keycloak/keycloak/issues/40704)

### 8. OpenID4VCI Wallet Testing

Issues:

- [Test-setup for OpenID Foundation Conformance tests for OpenID4VCI Support #42505](https://github.com/keycloak/keycloak/issues/42505)

Wallets tested:

- [Niscy](https://github.com/niscy-eudiw/eudi-app-android-wallet-ui)
  - Niscy wallet [KO] - Only works with a preconfigured list of issuers, so it can't be tested with Keycloak, nor can we confirm whether it is running on OID4VCI Final.
- [Valera](https://github.com/a-sit-plus/valera)
  - Valera [OK] - Works, but with patched code. Probably still running on Draft 15 like the Lissi wallet.
- [Ubique](https://alpaka.ubique.ch/shared/app/build/xT7xWvQmTe)
  - Issuance flow on Keycloak works perfectly.
  - Might be on a later draft.
  - Ubique [KO] - Can't accept a credential issued by Keycloak. Quite certainly running on Draft 13.
  - Heidi (another wallet by Ubique) [OK] - Works, but with patched code. Probably still running on Draft 15 like the Lissi wallet.

### Others

## Recordings

https://us06web.zoom.us/rec/share/15zmZ59mqD3jjvUAXlhmRH_xq5cEKYj1e186wkCf2nTZoXTqRerpkAewdU_OZtw0.Y2iXS6Zoj21IGbxo