2026-05-28, Work Lab II
In this talk, we will introduce the two emerging OAuth technologies related to workload identity, namely Transaction Tokens and SPIFFE Client Authentication, and demonstrate them working together.
Human and workload identities are different in many aspects, such as issuance, verification, lifecycle, lifetime, and scope. OAuth offers a mature framework for the former.
The latter is covered by technologies like SPIFFE, which help ensure that inter-workload calls are properly authenticated. The zero trust world adds a new requirement: the calls need to be non-spurious, which means they must be associated with a valid human identity as well.
How do we enforce both human and workload identity at the same time, in a portable, efficient and extensible manner? A new Internet draft called Transaction Tokens offers a solution. Another draft, named OAuth SPIFFE Client Authentication, bridges the gap between SPIFFE and OAuth.
Keycloak is a mature, feature-rich and highly extensible open-source IAM solution. Its extensibility has allowed us to quickly prototype both Transaction Tokens and SPIFFE Client Authentication and to create an end-to-end demo.
In this talk, we will give an introduction to both SPIFFE and Transaction Tokens, recap the progress from inception to implementation, and demonstrate the two emerging technologies working together, using Keycloak as a platform. We will also explore the potential of using Google Common Expression Language (CEL) in the OAuth ecosystem.
Pieter Kasselman is an Identity Enthusiast, focused on standards-based identity products. Pieter has over 25 years' experience as a technologist and engineer, working on bringing new technologies and business models to market. Pieter's first encounter with identity was his final year project, which used neural networks to identify users based on typing patterns. Since then he has worked in a number of roles as an information security analyst, software engineer and program manager in industries that include finance, software, silicon and cloud. His diverse background gives him a unique perspective on the importance of identity and the role of identity standards as both a business enabler and the first line of defence for.
Dmitry is a principal engineer at Backbase UK. He is a Keycloak contributor, expert and consultant, and also a founder of Carretti Consulting.