Unlocking the Future of Digital Identity: Keycloak Meets the EU Digital Identity Wallet 🚀
Hey tech enthusiasts! Get ready to dive into the exciting world of digital identity, where cutting-edge technology is revolutionizing how we interact with online services. In this post, we’re going to explore the powerful synergy between Keycloak, a leading identity and access management solution, and the EU Digital Identity Wallet, a game-changer for secure and user-centric digital identification.
Dominik Schlosser, a freelance software architect with extensive experience in the IAM space, shares his insights and practical implementations, giving us a front-row seat to this evolving digital landscape.
What is the EU Digital Identity Wallet? 🤔
Imagine a secure digital vault on your device that holds all your essential identity cards. That’s precisely the vision behind the EU Digital Identity Wallet! It’s designed to:
- Centralize Identity: Store all your identity credentials in one place.
- Eliminate Paperwork: Digitize official documents, reducing the need for physical copies and faxed information.
- Empower Users: Give you complete control over your identity. You are the owner of your credentials and decide what to share with service providers.
- Mandatory Support: The public sector in the European Union is mandated to support this wallet starting in 2027. This means government portals and authorities will increasingly integrate with it.
The core principle is self-sovereign identity, meaning you explicitly grant consent for every data-sharing request.
Keycloak’s Role in the Digital Identity Ecosystem 🌐
Dominik Schlosser highlights two crucial aspects of getting credentials into and out of the wallet:
- Credential Issuance: Getting verifiable credentials into the wallet. Keycloak has experimental support for Verifiable Credential Issuance (VCI), which is moving to a preview state.
- Credential Presentation: Getting credentials out of the wallet to authenticate with service providers. This is where Keycloak truly shines, especially with the implementation of a Keycloak extension.
While Keycloak currently offers an extension for this purpose, it’s anticipated that out-of-the-box support will be integrated in the near future. This is because the EU Digital Identity Wallet relies on open standards, making it a truly interoperable ecosystem.
The User Experience: Seamless and Secure Authentication ✨
The process of using the wallet for authentication is designed to be intuitive:
- Initiating the Flow: When you need to log in to a service, you’ll typically open your wallet app via a link or a QR code.
  - For desktop devices, you scan a QR code.
  - For mobile devices, you can directly open the wallet app.
- OpenID for VP: The link uses a custom scheme, openid-for-vp, registered for each wallet implementation. This ensures a standardized way to invoke the wallet.
- Requesting Information: The wallet receives a request object containing details about what the service provider needs. This object includes cryptographic proofs and a query specifying which credentials and data points are required.
- User Consent: You’ll see a consent screen, detailing exactly what information the service provider is requesting. You must actively consent to share.
- Direct Post Response: A new response mode, direct post response, is used to securely send the verifiable presentation back to the service provider.
The German wallet implementation, developed by the government agency eID.bund, showcases this flow with a clear consent screen.
Understanding Verifiable Credentials and Formats 📄
The wallet supports credentials in two key formats:
- SD-JWT (Selective Disclosure JWT): This format allows for selective disclosure of information within a JWT. The core JWT is signed, ensuring its integrity, while specific disclosures (parts of the credential) can be added or omitted. This means you only share what’s necessary.
- MDOC (mobile document, ISO/IEC 18013-5): A standardized binary credential format, offered alongside SD-JWT.
The key takeaway here is that you can present only the disclosures that the verifier needs, enhancing privacy and control.
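The selective-disclosure mechanism described above, as an added example that is not code from the talk or from Keycloak: the issuer signs only digests of the claims, the holder forwards the disclosures the verifier asked for, and the verifier rejects any disclosure whose digest is not covered by the signature. HS256 with a constructed shared secret stands in for the issuer's asymmetric signature, and no key-binding JWT is appended.

```python
# Added example (not from the talk or Keycloak): a minimal SD-JWT issue / present /
# verify round trip.  Simplifications: HS256 with a constructed shared secret stands
# in for the issuer's asymmetric signature, and no key-binding JWT is appended.
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-key"  # constructed; a real issuer signs with a private key

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def digest(disclosure: str) -> str:
    return b64u(hashlib.sha256(disclosure.encode()).digest())

def make_disclosure(name: str, value) -> str:
    # A disclosure is base64url(JSON [salt, claim_name, claim_value]); only its
    # digest appears in the signed payload, so omitting it reveals nothing.
    return b64u(json.dumps([b64u(secrets.token_bytes(16)), name, value]).encode())

def issue(hidden: dict, visible: dict):
    """Issuer: hide each claim behind a digest in `_sd` and sign the JWT."""
    disclosures = [make_disclosure(k, v) for k, v in hidden.items()]
    payload = {**visible, "_sd": sorted(map(digest, disclosures)), "_sd_alg": "sha-256"}
    header = b64u(json.dumps({"alg": "HS256", "typ": "dc+sd-jwt"}).encode())
    body = b64u(json.dumps(payload).encode())
    sig = b64u(hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest())
    return f"{header}.{body}.{sig}", disclosures

def present(jwt: str, disclosures: list, wanted: set) -> str:
    """Holder: send the issuer-signed JWT plus only the disclosures the verifier asked for."""
    chosen = [d for d in disclosures if json.loads(b64u_decode(d))[1] in wanted]
    return "~".join([jwt, *chosen]) + "~"

def verify(presentation: str) -> dict:
    """Verifier: check the signature, then accept only disclosures whose digest is in `_sd`."""
    jwt, *discs, _kb = presentation.split("~")
    header, body, sig = jwt.split(".")
    expected = b64u(hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("issuer signature invalid")
    payload = json.loads(b64u_decode(body))
    revealed = {}
    for d in discs:
        if digest(d) not in payload["_sd"]:
            raise ValueError("disclosure not covered by issuer signature")
        _salt, name, value = json.loads(b64u_decode(d))
        revealed[name] = value
    return {k: v for k, v in payload.items() if k not in ("_sd", "_sd_alg")} | revealed
```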
Challenges and Innovative Solutions 🛠️
The implementation of the EU Digital Identity Wallet and its integration with existing systems present some interesting challenges:
- Direct Post Endpoint: Integrating the direct post endpoint, a newer specification, doesn’t always fit naturally into existing Keycloak setups. However, solutions are being developed.
- Service Provider Adoption: Many service providers may not have the immediate means to directly support OpenID for VP.
- Wallet Connector: A fascinating use case is employing Keycloak as a wallet connector. This acts as an intermediary between older identity providers and the new wallet ecosystem, bridging the gap.
- Identifying Users Without Identifiers: A unique challenge arises when trying to identify users without traditional identifiers. The approach here is to issue self-issued credentials, leveraging the wallet’s capabilities.
- Querying Multiple Credentials: DCQL (Digital Credentials Query Language) features credential sets, allowing a single presentation request to ask for several credentials at once and to state which combinations of them satisfy the request.
Dominik also developed a testing tool that implements a testing wallet, simplifying the development and testing process for this new ecosystem.
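The DCQL credential sets mentioned above, as an added example that is not code from the talk or from Keycloak: a verifier's query accepts either a PID or an mDL for identity and optionally asks for a diploma, and the wallet works out which option it can satisfy. Credentials are modelled as plain dicts, and the vct/doctype values and wallet contents are constructed samples.

```python
# Added example (not from the talk or Keycloak): evaluating a DCQL query that uses
# `credential_sets` against the credentials a wallet holds.  Credentials are plain
# dicts; the vct/doctype values and the wallet contents are constructed samples.
def claim_present(claims: dict, path: list) -> bool:
    """Walk a DCQL claims path made of object keys (array selectors not modelled)."""
    node = claims
    for step in path:
        if not isinstance(node, dict) or step not in node:
            return False
        node = node[step]
    return True

def matches(req: dict, cred: dict) -> bool:
    """One held credential against one entry of the query's `credentials` array."""
    meta = req.get("meta", {})
    # A missing vct_values / doctype_value constraint matches any credential type.
    type_ok = (cred.get("vct") in meta.get("vct_values", [cred.get("vct")])
               and cred.get("doctype") == meta.get("doctype_value", cred.get("doctype")))
    return (cred["format"] == req["format"] and type_ok
            and all(claim_present(cred["claims"], c["path"]) for c in req.get("claims", [])))

def evaluate(query: dict, wallet: list):
    """Return {credential id: held credential} for one option per set, or None if a required set fails."""
    found = {}
    for req in query["credentials"]:
        cred = next((c for c in wallet if matches(req, c)), None)
        if cred is not None:
            found[req["id"]] = cred
    sets = query.get("credential_sets")
    if sets is None:  # no sets: every credential in the query is required
        return found if len(found) == len(query["credentials"]) else None
    selected = {}
    for cs in sets:
        option = next((o for o in cs["options"] if all(i in found for i in o)), None)
        if option is None and cs.get("required", True):
            return None
        selected.update({i: found[i] for i in option or []})
    return selected

# Constructed query: identity via a PID (SD-JWT) or an mDL (mdoc), plus an optional diploma.
QUERY = {"credentials": [
    {"id": "pid", "format": "dc+sd-jwt", "meta": {"vct_values": ["urn:example:pid"]},
     "claims": [{"path": ["given_name"]}, {"path": ["family_name"]}]},
    {"id": "mdl", "format": "mso_mdoc", "meta": {"doctype_value": "org.iso.18013.5.1.mDL"},
     "claims": [{"path": ["org.iso.18013.5.1", "family_name"]}]},
    {"id": "diploma", "format": "dc+sd-jwt", "meta": {"vct_values": ["urn:example:diploma"]},
     "claims": [{"path": ["degree"]}]}],
    "credential_sets": [{"options": [["pid"], ["mdl"]]},  # required by default
                        {"options": [["diploma"]], "required": False}]}
# Constructed wallet contents: an mDL and a diploma, but no PID.
WALLET = [{"format": "mso_mdoc", "doctype": "org.iso.18013.5.1.mDL",
           "claims": {"org.iso.18013.5.1": {"family_name": "Mustermann"}}},
          {"format": "dc+sd-jwt", "vct": "urn:example:diploma", "claims": {"degree": "M.Sc."}}]
```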
Key Takeaways for the Future 💡
The integration of Keycloak with the EU Digital Identity Wallet is a significant step towards a more secure, private, and user-controlled digital future.
- Keycloak Extensions: Powerful extensions are enabling this integration.
- Wallet Connector: Keycloak can act as a vital connector for legacy systems.
- Open Source: The ongoing work is largely open source, fostering collaboration and rapid development.
- Standardization: Reliance on open standards like OpenID for VP ensures interoperability and future-proofing.
The journey is ongoing, but the direction is clear: a future where your digital identity is truly yours to manage and share. Keep an eye on these developments – they’re shaping the way we’ll all interact online!