Andrea Cosentino created CAMEL-23738:
----------------------------------------
Summary: camel-keycloak: always verify the access token in
KeycloakSecurityPolicy regardless of configured roles/permissions
Key: CAMEL-23738
URL: https://issues.apache.org/jira/browse/CAMEL-23738
Project: Camel
Issue Type: Improvement
Components: camel-keycloak
Affects Versions: 4.20.0
Reporter: Andrea Cosentino
h3. Background
In {{KeycloakSecurityProcessor.beforeProcess()}}, access-token verification
(signature, issuer and expiry checks done by
{{KeycloakSecurityHelper.parseAndVerifyAccessToken()}}, and the
token-introspection path) is reached only from {{validateRoles()}} and
{{validatePermissions()}}. Those are invoked conditionally:
{code:java}
if (!policy.getRequiredRolesAsList().isEmpty()) {
    validateRoles(accessToken, exchange);
}
if (!policy.getRequiredPermissionsAsList().isEmpty()) {
    validatePermissions(accessToken, exchange);
}
{code}
{{KeycloakSecurityPolicy}} defaults both {{requiredRoles}} and
{{requiredPermissions}} to empty. So when a policy is configured without roles
or permissions (the documented "Basic Setup"), the inbound token is checked for
presence but is not verified — no signature, issuer or expiry check runs, and
the introspection endpoint is not called.
This is inconsistent with the component's own documented capability "Token
validation — Verify access tokens from Keycloak".
h3. Proposed change
* Perform token verification in {{beforeProcess()}} whenever a token is present
and the policy is applied, independently of whether
{{requiredRoles}}/{{requiredPermissions}} are configured.
* Run role and permission checks _after_ verification, rather than using them
as the gate that triggers verification.
* Treat an invalid or unverifiable token the same as a missing token (reject
with {{CamelAuthorizationException}}), consistent with the documented error
handling.
* Apply the same ordering to both the local JWT path and the introspection path.
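The two orderings side by side, as an added illustration (not code from camel-keycloak): {{TokenVerifier}}, {{Policy}} and {{AuthorizationException}} are simplified stand-ins for the helper, the policy and {{CamelAuthorizationException}}, and the role check stands for both role and permission checks.

```java
import java.util.List;
import java.util.Set;

// Added illustration, not Camel code. The nested types are assumed stand-ins
// for KeycloakSecurityHelper, KeycloakSecurityPolicy and CamelAuthorizationException.
public class TokenCheckOrdering {

    /** Stand-in for signature/issuer/expiry verification; null means the token failed. */
    interface TokenVerifier {
        Set<String> verify(String token); // roles carried by a valid token, or null
    }

    record Policy(List<String> requiredRoles) {}

    static class AuthorizationException extends RuntimeException {
        AuthorizationException(String msg) { super(msg); }
    }

    /** Current ordering: verification is reached only when roles are configured. */
    static void beforeProcessGated(Policy policy, String token, TokenVerifier verifier) {
        if (token == null) throw new AuthorizationException("no token");
        if (!policy.requiredRoles().isEmpty()) {
            Set<String> roles = verifier.verify(token);
            if (roles == null) throw new AuthorizationException("invalid token");
            if (!roles.containsAll(policy.requiredRoles())) throw new AuthorizationException("missing role");
        }
        // With an empty policy the token was only checked for presence, never verified.
    }

    /** Proposed ordering: verify whenever a token is present, then apply role checks. */
    static void beforeProcessAlways(Policy policy, String token, TokenVerifier verifier) {
        if (token == null) throw new AuthorizationException("no token");
        Set<String> roles = verifier.verify(token);
        if (roles == null) throw new AuthorizationException("invalid token"); // same outcome as missing
        if (!policy.requiredRoles().isEmpty() && !roles.containsAll(policy.requiredRoles())) {
            throw new AuthorizationException("missing role");
        }
    }

    public static void main(String[] args) {
        TokenVerifier rejectAll = t -> null;          // constructed: every token fails verification
        Policy noRolesConfigured = new Policy(List.of()); // the documented "Basic Setup"
        beforeProcessGated(noRolesConfigured, "unverified.token", rejectAll); // passes: no check ran
        try {
            beforeProcessAlways(noRolesConfigured, "unverified.token", rejectAll);
        } catch (AuthorizationException e) {
            System.out.println("always-verify path: " + e.getMessage());
        }
    }
}
```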
h3. Affected code
* {{components/camel-keycloak/src/main/java/org/apache/camel/component/keycloak/security/KeycloakSecurityProcessor.java}}
* {{components/camel-keycloak/src/main/java/org/apache/camel/component/keycloak/security/KeycloakSecurityPolicy.java}}
h3. Tests
* Add a regression test asserting that an invalid token is rejected when
{{requiredRoles}} and {{requiredPermissions}} are both empty, for both local
JWT verification and introspection modes.
h3. Documentation
* Clarify in {{keycloak-component.adoc}} that token verification is always
performed when a token is present, independent of role/permission configuration.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)