The IETF just published a framework for AI agent identity. AIMS composes SPIFFE, WIMSE, and OAuth 2.0 into an 8-layer model that replaces static API keys with proper workload identity. 53% of MCP servers still use API keys — this changes that.
There's a new article in the #Keycloak blog about federated client authentication, where you rely on an external provider (like a #Kubernetes cluster with service account token, or a generic #SPIFFE client) to authenticate confidential clients. https://www.keycloak.org/2026/01/federated-client-authentication
Would love to take a closer look at that functionality at some point, especially for a use case where you authenticate Keycloak service accounts (to get tokens for M2M calls in a microservice architecture) through that method. Might be really great for getting rid of some secrets that have to be frequently rotated. But currently, I have no time to do this. Has anyone already used this? How well does it work? Worth investigating, or still too flaky?
#KubeCon 2025
Anchoring Trust in the Age of AI: Identities Across Humans, Machines, and Models - Yuan Tang and Anjali Telang
KServe is a CNCF incubator project
🎉 Self-Hosted Human and Machine #Identity in #Keycloak 🎉
Our 26.4 release brings great updates with #passkeys and the latest security best practices for #OpenID Connect with #FAPI and DPoP.
Automatically roll out and rotate client credentials with #spiffe, #spire and #Kubernetes service account tokens.
Start your #sovereign journey and read all in our latest #cncf blog post:
https://www.cncf.io/blog/2025/11/07/self-hosted-human-and-machine-identities-in-keycloak-26-4/
#Keycloak 26.4 is out with a lot of new capabilities for your self-hosted #iam:
* #Passkeys
* Client Authentication to use #SPIFFE or #Kubernetes service account tokens
* Simplified deployments across multiple availability zones to boost availability.
* #FAPI 2 Final
* #DPoP: The OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP) is now fully supported.
Read the full release announcement: https://www.keycloak.org/2025/09/keycloak-2640-released
Zero Trust in the cloud: a practical guide
This guide examines a modern approach to security, Zero Trust Network Access (ZTNA), and shows how to implement it with SPIFFE/SPIRE and OpenID Connect (OIDC). There is a lot of material, so I will present it in a condensed form. ZTNA is built on the principle of "never trust, always verify": every access request is treated as potentially unsafe and must pass mandatory authentication and authorization. Compared to classic VPNs, ZTNA solutions based on SPIFFE/SPIRE and OIDC:
* speed up authentication by 20–80 times,
* improve performance by 46–64 %,
* in AWS and Google Cloud, reduce latency to 50–100 ms instead of the usual 2–4 s.
https://habr.com/ru/articles/917440/
#zerotrust #spiffe #spire #oidc #kubernetes #aws #gcp #ztna #security
#CNCF wasmCloud is adopting SPIFFE as the standard for introducing workload identity that spans on-prem, edges + clouds. #SPIFFE adoption is growing and is a perfect fit for WebAssembly workload identity. Read Joonas Bergius's post for details ✨
https://wasmcloud.com/blog/2025-03-04-why-were-adopting-spiffe-for-webassembly-workload-identity/