[ https://issues.apache.org/jira/browse/CAMEL-23760?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18089351#comment-18089351 ]
Andrea Cosentino commented on CAMEL-23760:
------------------------------------------
Upgrade-guide doc-sync of the camel-oauth UserProfile entry to the 4.18 and
4.14 guides on main: https://github.com/apache/camel/pull/24044. Code backports
to camel-4.18.x/4.14.x still pending.
_Claude Code on behalf of Andrea Cosentino_
> camel-oauth: require a JWK set to verify token signatures in UserProfile
> ------------------------------------------------------------------------
>
> Key: CAMEL-23760
> URL: https://issues.apache.org/jira/browse/CAMEL-23760
> Project: Camel
> Issue Type: Improvement
> Components: camel-oauth
> Reporter: Andrea Cosentino
> Assignee: Andrea Cosentino
> Priority: Major
> Fix For: 4.14.8, 4.18.3, 4.21.0
>
>
> UserProfile token verification did not require a JWK set: when the configured
> JWK set was missing or empty, the JWS signature check was skipped. This
> change makes the signature check mandatory - when no JWK set is available to
> verify a token, the token is rejected rather than accepted. Deployments with
> a correctly resolved JWK set are unaffected; this aligns the legacy
> UserProfile path with the JwtTokenValidator SPI path, which already fails
> closed on this condition.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
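
The fail-open versus fail-closed behaviour described in the issue, as an added example that is not camel-oauth code. It uses only the JDK; the `Map<String, PublicKey>` standing in for a resolved JWK set, the RS256-only check, and all class and method names are assumptions made for illustration, and the tokens and key pair are constructed at run time.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class JwkSetRequiredDemo { // hypothetical class, not part of camel-oauth
    static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    // Fail-open pattern the issue describes: no keys means the signature check is skipped.
    static boolean acceptFailOpen(String jws, Map<String, PublicKey> jwkSet) throws GeneralSecurityException {
        if (jwkSet == null || jwkSet.isEmpty()) return true;
        return acceptFailClosed(jws, jwkSet);
    }

    // Fail-closed pattern: a missing or empty key set rejects the token.
    static boolean acceptFailClosed(String jws, Map<String, PublicKey> jwkSet) throws GeneralSecurityException {
        if (jwkSet == null || jwkSet.isEmpty()) return false;
        String[] p = jws.split("\\.", -1);
        if (p.length != 3) return false;
        byte[] sig;
        try { sig = Base64.getUrlDecoder().decode(p[2]); } catch (IllegalArgumentException e) { return false; }
        byte[] signedPart = (p[0] + "." + p[1]).getBytes(StandardCharsets.US_ASCII);
        for (PublicKey key : jwkSet.values()) {
            Signature v = Signature.getInstance("SHA256withRSA"); // RS256 fixed; the header's alg is not trusted
            v.initVerify(key);
            v.update(signedPart);
            try { if (v.verify(sig)) return true; } catch (SignatureException e) { /* malformed signature: not verified */ }
        }
        return false;
    }

    static String enc(String s) { return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8)); }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair kp = g.generateKeyPair(); // constructed signing key for the demo
        String head = enc("{\"alg\":\"RS256\",\"typ\":\"JWT\"}");
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        s.update((head + "." + enc("{\"sub\":\"alice\"}")).getBytes(StandardCharsets.US_ASCII));
        String good = head + "." + enc("{\"sub\":\"alice\"}") + "." + B64.encodeToString(s.sign());
        String bad = head + "." + enc("{\"sub\":\"bob\"}") + "." + enc("not-a-signature");
        Map<String, PublicKey> none = Map.of(), resolved = Map.of("k1", kp.getPublic());
        System.out.println("fail-open,   empty set,    bad signature:  " + acceptFailOpen(bad, none));
        System.out.println("fail-closed, empty set,    good signature: " + acceptFailClosed(good, none));
        System.out.println("fail-closed, resolved set, good signature: " + acceptFailClosed(good, resolved));
        System.out.println("fail-closed, resolved set, bad signature:  " + acceptFailClosed(bad, resolved));
    }
}
```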