Andrea Cosentino created CAMEL-23768:
----------------------------------------

             Summary: camel-keycloak: select the JWKS verification key by the token kid
                 Key: CAMEL-23768
                 URL: https://issues.apache.org/jira/browse/CAMEL-23768
             Project: Camel
          Issue Type: Improvement
          Components: camel-keycloak
            Reporter: Andrea Cosentino
            Assignee: Andrea Cosentino
             Fix For: 4.21.0, 4.18.3


KeycloakPublicKeyResolver ignores the JWT header kid and returns the first key 
in the JWKS. During key rotation (multiple keys present) this can pick the 
wrong key and reject an otherwise-valid token (the token is still 
cryptographically verified against a real key, so this is a 
correctness/availability matter, not a bypass). This proposes passing the token 
kid through and selecting the matching key, failing closed when no kid match is 
found.
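The key-selection behaviour the issue describes, as an added example that is not Camel's code (camel-keycloak is Java; this is a stand-alone Go illustration of the same logic). It assumes the JWKS has already been fetched, models the issuer with a constructed signer (`SignRS256`, standing in for Keycloak), and contrasts the proposed `ByKid` picker (match on kid, fail closed) with the pre-fix "first key in the set" behaviour inside `RotationScenario`, where the JWKS lists an old key first and the token was signed with the new one. All kids, keys and claims are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// JWK holds the RSA JWK members needed for RS256 verification (base64url n, e);
// JWKS is the key set document the issuer publishes.
type JWK struct{ Kid, N, E string }
type JWKS struct{ Keys []JWK }

var b64 = base64.RawURLEncoding

// publicKeyFromJWK decodes the n and e members of an RSA JWK.
func publicKeyFromJWK(k JWK) (*rsa.PublicKey, error) {
	n, errN := b64.DecodeString(k.N)
	e, errE := b64.DecodeString(k.E)
	if errN != nil || errE != nil {
		return nil, fmt.Errorf("bad JWK %q: %v %v", k.Kid, errN, errE)
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
}

// ByKid is the proposed behaviour: use the key whose kid matches the token's,
// and fail closed when the header has no kid or nothing in the set matches.
func ByKid(set JWKS) func(string) (*rsa.PublicKey, error) {
	return func(kid string) (*rsa.PublicKey, error) {
		for _, k := range set.Keys {
			if kid != "" && k.Kid == kid {
				return publicKeyFromJWK(k)
			}
		}
		return nil, fmt.Errorf("no JWKS key with kid %q", kid)
	}
}

// VerifyRS256 parses a compact JWT, pins alg to RS256, resolves the key through
// pick and checks the PKCS#1 v1.5 / SHA-256 signature over header.payload.
func VerifyRS256(token string, pick func(string) (*rsa.PublicKey, error)) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed compact JWT")
	}
	raw, errH := b64.DecodeString(parts[0])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errS != nil {
		return errors.New("token is not base64url")
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return err
	}
	if hdr.Alg != "RS256" { // never let the token choose the algorithm
		return fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	pub, err := pick(hdr.Kid)
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// SignRS256 is a constructed issuer stand-in (Keycloak mints the real tokens):
// it produces a token whose header carries the given kid.
func SignRS256(priv *rsa.PrivateKey, kid, sub string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(map[string]string{"sub": sub})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err) // fixture only
	}
	return input + "." + b64.EncodeToString(sig)
}

// RotationScenario models a realm mid-rotation: the JWKS lists the old key first
// and the new key second, while the token was signed with the new key. It reports
// whether kid selection accepts it, whether pre-fix first-key selection accepts
// it, and whether a token carrying an unknown kid is rejected (fail closed).
func RotationScenario() (byKidOK, firstKeyOK, unknownKidRejected bool) {
	oldKey, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed fixture keys
	newKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	jwkOf := func(kid string, pub *rsa.PublicKey) JWK {
		return JWK{kid, b64.EncodeToString(pub.N.Bytes()), b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
	}
	set := JWKS{Keys: []JWK{jwkOf("old-2024", &oldKey.PublicKey), jwkOf("new-2025", &newKey.PublicKey)}}
	tok := SignRS256(newKey, "new-2025", "alice")
	byKidOK = VerifyRS256(tok, ByKid(set)) == nil
	firstKey := func(string) (*rsa.PublicKey, error) { return publicKeyFromJWK(set.Keys[0]) } // pre-fix
	firstKeyOK = VerifyRS256(tok, firstKey) == nil
	unknownKidRejected = VerifyRS256(SignRS256(newKey, "retired-2023", "alice"), ByKid(set)) != nil
	return
}
```

With the first-key picker the token signed by the new key fails verification even though it is valid, which is the availability problem the issue reports; with `ByKid` it verifies, and a kid that is absent from the set is rejected rather than falling back to any key.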



--
This message was sent by Atlassian Jira
(v8.20.10#820010)