[
https://issues.apache.org/jira/browse/CAMEL-23738?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andrea Cosentino resolved CAMEL-23738.
--------------------------------------
Resolution: Fixed
> camel-keycloak: always verify the access token in KeycloakSecurityPolicy
> regardless of configured roles/permissions
> -------------------------------------------------------------------------------------------------------------------
>
> Key: CAMEL-23738
> URL: https://issues.apache.org/jira/browse/CAMEL-23738
> Project: Camel
> Issue Type: Improvement
> Components: camel-keycloak
> Affects Versions: 4.20.0
> Reporter: Andrea Cosentino
> Assignee: Andrea Cosentino
> Priority: Major
> Fix For: 4.18.3, 4.21.0
>
>
> h3. Background
> In {{KeycloakSecurityProcessor.beforeProcess()}}, access-token verification
> (signature, issuer and expiry checks done by
> {{KeycloakSecurityHelper.parseAndVerifyAccessToken()}}, and the
> token-introspection path) is reached only from {{validateRoles()}} and
> {{validatePermissions()}}. Those are invoked conditionally:
> {code:java}
> if (!policy.getRequiredRolesAsList().isEmpty()) {
> validateRoles(accessToken, exchange);
> }
> if (!policy.getRequiredPermissionsAsList().isEmpty()) {
> validatePermissions(accessToken, exchange);
> }
> {code}
> {{KeycloakSecurityPolicy}} defaults both {{requiredRoles}} and
> {{requiredPermissions}} to empty. So when a policy is configured without
> roles or permissions (the documented "Basic Setup"), the inbound token is
> checked for presence but is not verified — no signature, issuer or expiry
> check runs, and the introspection endpoint is not called.
> This is inconsistent with the component's own documented capability "Token
> validation — Verify access tokens from Keycloak".
> h3. Proposed change
> * Perform token verification in {{beforeProcess()}} whenever a token is
> present and the policy is applied, independently of whether
> {{requiredRoles}}/{{requiredPermissions}} are configured.
> * Run role and permission checks _after_ verification, rather than using them
> as the gate that triggers verification.
> * Treat an invalid or unverifiable token the same as a missing token (reject
> with {{CamelAuthorizationException}}), consistent with the documented error
> handling.
> * Apply the same ordering to both the local JWT path and the introspection
> path.
> h3. Affected code
> * {{components/camel-keycloak/src/main/java/org/apache/camel/component/keycloak/security/KeycloakSecurityProcessor.java}}
> * {{components/camel-keycloak/src/main/java/org/apache/camel/component/keycloak/security/KeycloakSecurityPolicy.java}}
> h3. Tests
> * Add a regression test asserting that an invalid token is rejected when
> {{requiredRoles}} and {{requiredPermissions}} are both empty, for both local
> JWT verification and introspection modes.
> h3. Documentation
> * Clarify in {{keycloak-component.adoc}} that token verification is always
> performed when a token is present, independent of role/permission
> configuration.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
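The ordering problem described in the issue, shown side by side as an added stand-alone Java example (this is not Camel's code and none of the names below exist in camel-keycloak). `Policy` and `Claims` are hypothetical stand-ins for `KeycloakSecurityPolicy` and the parsed token; `parseAndVerify` stands in for `KeycloakSecurityHelper.parseAndVerifyAccessToken()`, and a `false` return stands in for throwing `CamelAuthorizationException`. Real Keycloak access tokens are JWTs verified against the realm's public key; to keep the example runnable without a server it mints tokens in a constructed `k=v;k=v.signature` format signed with a constructed HMAC key, so `mint` and `sign` are example-only helpers. `beforeProcessGated` mirrors the quoted "before" logic, where verification is only reached through the role/permission checks; `beforeProcessAlwaysVerify` applies the proposed ordering.

```java
import static java.nio.charset.StandardCharsets.UTF_8;

import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Illustration only: Policy and Claims are hypothetical stand-ins, not Camel's classes. */
public final class TokenVerificationOrdering {
    // Constructed demo key and issuer; HMAC over a "k=v;k=v" body replaces real RS256 JWT verification here.
    static final byte[] KEY = "constructed-demo-key".getBytes(UTF_8);
    static final String ISSUER = "https://keycloak.example/realms/demo";

    /** Hypothetical policy: both lists default to empty, as in KeycloakSecurityPolicy. */
    record Policy(List<String> requiredRoles, List<String> requiredPermissions) {
        static Policy basicSetup() { return new Policy(List.of(), List.of()); }
    }
    record Claims(Set<String> roles, Set<String> permissions) {}

    static String sign(String body) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(mac.doFinal(body.getBytes(UTF_8)));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Mints a token in this example's constructed format "iss=..;exp=..;roles=..;perms=..<dot>signature". */
    static String mint(String issuer, long exp, String roles, String perms) {
        String body = "iss=" + issuer + ";exp=" + exp + ";roles=" + roles + ";perms=" + perms;
        return body + "." + sign(body);
    }

    /** Stand-in for parseAndVerifyAccessToken(): signature, issuer and expiry checks; throws on any failure. */
    static Claims parseAndVerify(String token) {
        int dot = token.lastIndexOf('.');
        if (dot < 0) throw new SecurityException("malformed token");
        String body = token.substring(0, dot);
        String sig = token.substring(dot + 1);
        if (!MessageDigest.isEqual(sig.getBytes(UTF_8), sign(body).getBytes(UTF_8))) {
            throw new SecurityException("bad signature");
        }
        Map<String, String> f = new HashMap<>();
        for (String kv : body.split(";")) {
            int eq = kv.indexOf('=');
            f.put(kv.substring(0, eq), kv.substring(eq + 1));
        }
        if (!ISSUER.equals(f.get("iss"))) throw new SecurityException("unexpected issuer");
        if (Long.parseLong(f.get("exp")) <= Instant.now().getEpochSecond()) throw new SecurityException("token expired");
        return new Claims(csv(f.get("roles")), csv(f.get("perms")));
    }

    static Set<String> csv(String s) {
        return s.isEmpty() ? Set.<String>of() : new HashSet<>(Arrays.asList(s.split(",")));
    }

    /** Before the fix: verification is reached only through the role/permission checks. */
    static boolean beforeProcessGated(Policy policy, String token) {
        if (token == null) return false; // presence check only
        try {
            if (!policy.requiredRoles().isEmpty()
                    && !parseAndVerify(token).roles().containsAll(policy.requiredRoles())) return false;
            if (!policy.requiredPermissions().isEmpty()
                    && !parseAndVerify(token).permissions().containsAll(policy.requiredPermissions())) return false;
            return true; // with an empty policy the token was never verified
        } catch (SecurityException e) {
            return false; // stands in for CamelAuthorizationException
        }
    }

    /** After the fix: verify first whenever a token is present, then check roles/permissions on the verified claims. */
    static boolean beforeProcessAlwaysVerify(Policy policy, String token) {
        if (token == null) return false;
        Claims claims;
        try {
            claims = parseAndVerify(token);
        } catch (SecurityException e) {
            return false; // an invalid or unverifiable token is treated like a missing one
        }
        return claims.roles().containsAll(policy.requiredRoles())
                && claims.permissions().containsAll(policy.requiredPermissions());
    }

    public static void main(String[] args) {
        long now = Instant.now().getEpochSecond();
        String valid = mint(ISSUER, now + 3600, "user", "");
        String tampered = valid.replace("roles=user", "roles=admin"); // body edited, signature now stale
        String expired = mint(ISSUER, now - 1, "user", "");
        Policy basic = Policy.basicSetup();
        Policy needsAdmin = new Policy(List.of("admin"), List.of());
        for (String[] c : new String[][] {{"valid", valid}, {"tampered", tampered}, {"expired", expired}}) {
            System.out.printf("%-8s gated/basic=%-5s gated/admin=%-5s always/basic=%-5s%n", c[0],
                    beforeProcessGated(basic, c[1]), beforeProcessGated(needsAdmin, c[1]),
                    beforeProcessAlwaysVerify(basic, c[1]));
        }
    }
}
```

Running `main` shows the asymmetry the issue describes: under the empty "basic" policy the gated version accepts the tampered and the expired token because `parseAndVerify` is never reached, while the same tokens are rejected as soon as a role is required, since that branch happens to trigger verification. The always-verify version rejects both under every policy and only then applies the role and permission checks, which is the ordering proposed for `beforeProcess()`. A regression test of the kind the issue asks for would assert exactly that: invalid token plus empty `requiredRoles`/`requiredPermissions` must be rejected.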