Description
Implement OpenID Federation in Keycloak.
Documentation for implementation in Authlete is here.
Keycloak plugin for explicit registration based on older draft.
We propose that the realm admin be able to enable OpenID Federation (default false). When it is enabled, the group admin could configure OpenID Federation (including required fields such as authority_hints). This will expose the OpenID Federation metadata ( /.well-known/openid-federation ) and related functionality, e.g. explicit and automatic registration.
Our initial goal is supporting Keycloak acting as both OP and RP, with both explicit and automatic registration.
However, this epic is open for other OpenID Federation entities/functionalities.
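As an added example (not code from the Keycloak project), the structural part of resolving a Trust Chain that both the OP and the RP side above must perform: the chain must start with the entity's own Entity Configuration, link each Subordinate Statement to the issuer of the previous statement, be valid at the time of evaluation, and terminate at a Trust Anchor the deployment actually trusts. The statements are constructed sample claim sets; signature verification against each issuer's published jwks is assumed to happen beforehand and is not shown.

```python
# Constructed sample statements (decoded claim sets of entity-statement JWTs).
# Assumption: signatures were already verified against each issuer's jwks.
NOW = 1_700_000_000
TRUST_ANCHORS = {"https://ta.example.org"}  # anchors configured by the admin

LEAF_EC = {  # served at https://op.example.com/.well-known/openid-federation
    "iss": "https://op.example.com", "sub": "https://op.example.com",
    "iat": NOW - 60, "exp": NOW + 86400,
    "authority_hints": ["https://intermediate.example.net"],
    "metadata": {"openid_provider": {"issuer": "https://op.example.com"}},
}
INTERMEDIATE_ABOUT_LEAF = {  # Subordinate Statement issued by the intermediate
    "iss": "https://intermediate.example.net", "sub": "https://op.example.com",
    "iat": NOW - 60, "exp": NOW + 3600,
}
TA_ABOUT_INTERMEDIATE = {  # Subordinate Statement issued by the Trust Anchor
    "iss": "https://ta.example.org", "sub": "https://intermediate.example.net",
    "iat": NOW - 60, "exp": NOW + 7200,
}
TA_EC = {  # the Trust Anchor's own Entity Configuration
    "iss": "https://ta.example.org", "sub": "https://ta.example.org",
    "iat": NOW - 60, "exp": NOW + 86400,
}


def is_entity_configuration(stmt):
    # An Entity Configuration is self-issued: iss and sub are the same entity.
    return stmt["iss"] == stmt["sub"]


def validate_trust_chain(chain, trust_anchors, now):
    """Return (True, chain_expiry) on success, else (False, reason)."""
    if len(chain) < 3 or not is_entity_configuration(chain[0]) \
            or not is_entity_configuration(chain[-1]):
        return False, "chain must start and end with an Entity Configuration"
    if chain[-1]["iss"] not in trust_anchors:
        return False, "chain ends at an unconfigured anchor: " + chain[-1]["iss"]
    for idx, stmt in enumerate(chain):
        if not stmt["iat"] <= now < stmt["exp"]:
            return False, f"statement {idx} from {stmt['iss']} is not valid now"
        if 0 < idx < len(chain) - 1:
            # Every Subordinate Statement is about the issuer of the one before it.
            if is_entity_configuration(stmt) or stmt["sub"] != chain[idx - 1]["iss"]:
                return False, f"statement {idx} does not link to statement {idx - 1}"
    if chain[-1]["iss"] != chain[-2]["iss"]:
        return False, "last Subordinate Statement was not issued by the Trust Anchor"
    # The resolved chain is only as fresh as its shortest-lived statement.
    return True, min(stmt["exp"] for stmt in chain)
```

A resolver should cache the resolved metadata no longer than the returned expiry and re-resolve afterwards.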
Discussion
Issues
- OpenID Federation OP with explicit registration #40511
- explicit registration with Trust Chain in a OpenID Federation OP #40748
- OpenID Federation RP with explicit registration #40512
- Support for different key uses by authentication protocol #40515
- ENTITY_STATEMENT as TokenCategory for the EntityStatement entity in OpenID Federation and configuration #40546 (the OpenID Federation implementation could start with ACCESS token as the category, as a known limitation)
Motivation
OpenID Federation enables participation in an identity federation of entities using OpenID Connect and OAuth 2.0 and offers a robust framework for establishing dynamic trust between OpenID Providers (OPs) and Relying Parties (RPs), significantly simplifying the management of large-scale identity federations. By leveraging this specification, Keycloak will enable the dynamic establishment of trust between OPs and RPs, facilitate secure interactions authenticated via Trust Anchors and, crucially, eliminate the need for cumbersome manual or bilateral trust agreements.