Is it possible to use priority 60, so that this new authenticator is added after existing ones (also note other authenticators that they increase by 10)

We can unfortunately not do that at the moment. AFAIU, the first (alternative) client authenticator that succeeds determines the outcome. e.g. if client secret passes, abca is not checked

ABCA is the stronger authorization mechanism - this is checked by OpenID conformance.

I have more details on how this plays with public clients and direct access grants if you care to know.

Yes, ok. Maybe we can discuss that on one of next meetings? At least for this PR it should be OK since the feature is experimental.

I wonder if this is really needed? I assume that if client is authenticating with ABCA, it should be always confidential client? Is it possible to make sure that only confidential clients authenticate with ABCA?

Public clients are not supposed to authenticate with any client authentication methods. They usually use just client_id parameter to "identify" themselves in the request andfor this purpose, we just use expectedClientAuthType set to KeycloakModelUtils.getDefaultClientAuthenticatorType() .

There was indeed a change in the spec from “mechanism for public clients to authenticate” to “general client authentication mechanism”. The draft decoupled itself from OAuth’s client-type distinction entirely - it effectively introduces a third model: attested clients (orthogonal to public/confidential).

This shift aligns with the underlying idea: attestation provides hardware/software-backed proof which can substitute:

• secrets (confidential clients)
• or lack thereof (public clients)

Without this change, the AttestationBasedClientAuthenticator is not called for confidential clients. I added a test thereof.

Note, an invalid abca request or missing attester pub key currently fails in the AttestationBasedClientAuthenticator but is silently ignored because some other ClientAuthenticator succeeds - this might be a TODO

Yes, more details would be good. Maybe we can discuss on one of our next meetings?

Just to doublecheck: Is it this specification draft, which you talk about https://datatracker.ietf.org/doc/html/draft-ietf-oauth-attestation-based-client-auth-08 ?

This change is OK in this PR, but we possibly need to figure this as a follow-up to avoid directly referencing the concrete authenticator from ClientAuthenticationFlow .

It is actually https://www.ietf.org/archive/id/draft-ietf-oauth-attestation-based-client-auth-07.html
which I have bookmarked. I could however not find a reference to it in https://openid.net/specs/openid4vc-high-assurance-interoperability-profile-1_0-final.html @thomasdarimont could you perhaps confirm the exact abca spec version that we ought to use?

I think this change should not be needed and may have security implications.

For the setup of Keycloak behind reverse proxy, you may take a look on how to configure hostname. See the "Server" guides from https://www.keycloak.org/guides . Especially https://www.keycloak.org/server/hostname or https://www.keycloak.org/server/reverseproxy might be probably useful.

Also not sure if you are aware, but there is environment in the Keycloak org, which is maintained mostly by @tnorimat and which contains some support for running conformance tests: https://github.com/keycloak/keycloak-oauth-sig .

For example see here how Keycloak is configured (there are other config files as well): https://github.com/keycloak/keycloak-oauth-sig/blob/main/conformance-tests-env/docker-compose.yml#L159

I already set the hostname

start-dev
--hostname=https://keycloak.nessustech.io:8443
--proxy-headers=xforwarded
--features=oid4vc-vci,oid4vc-vci-preauth-code,client-auth-abca
--bootstrap-admin-username=admin
--bootstrap-admin-password=*****
--db=postgres
--db-url=jdbc:postgresql://localhost:32543/keycloak
--db-username=postgres
--db-password=*****
--log-level=org.keycloak.protocol.oid4vc:debug,org.keycloak.services:debug,org.keycloak.events:debug,org.keycloak.authentication:debug,root:info

Can we perhaps investigate this separately?

Yes, it would be good to investigate this separately. But will be good if you can remove this change from this PR as it is not directly related to OAuth 2.0 attestation-based client auth, but seems rather as a setup issue.

DPoP is supported feature and should not be updated to possibly insecure way due your (maybe incorrect) setup of hostname.

Do you have a chance to try https://github.com/keycloak/keycloak-oauth-sig and compare with your setup?

I assume this is temporary (as we briefly discussed on the meeting yesterday) and should probably identity provider mechanisms similarly like for example CLIENT_AUTH_FEDERATED is using (See for example FederatedJWTClientAuthenticator and related classes for the inspiration).

But it is probably fine this way for the initial PRand we can update later.

Yes, ok. Maybe we can discuss that on one of next meetings? At least for this PR it should be OK since the feature is experimental.

Yes, more details would be good. Maybe we can discuss on one of our next meetings?

Just to doublecheck: Is it this specification draft, which you talk about https://datatracker.ietf.org/doc/html/draft-ietf-oauth-attestation-based-client-auth-08 ?

This change is OK in this PR, but we possibly need to figure this as a follow-up to avoid directly referencing the concrete authenticator from ClientAuthenticationFlow .

Yes, it would be good to investigate this separately. But will be good if you can remove this change from this PR as it is not directly related to OAuth 2.0 attestation-based client auth, but seems rather as a setup issue.

DPoP is supported feature and should not be updated to possibly insecure way due your (maybe incorrect) setup of hostname.

Do you have a chance to try https://github.com/keycloak/keycloak-oauth-sig and compare with your setup?