Andrea Cosentino created CAMEL-23875:
----------------------------------------

             Summary: camel-keycloak: add optional audience (aud) validation to token verification
                 Key: CAMEL-23875
                 URL: https://issues.apache.org/jira/browse/CAMEL-23875
             Project: Camel
          Issue Type: Improvement
          Components: camel-keycloak
            Reporter: Andrea Cosentino


h3. Background

camel-keycloak validates incoming bearer tokens in two ways: local JWT 
verification ({{KeycloakSecurityHelper.parseAndVerifyAccessToken}}) and OAuth 
2.0 token introspection. Both verify the token subject, active/expiry state, 
and issuer, but neither inspects the token's {{aud}} (audience) claim, and 
{{KeycloakSecurityPolicy}} exposes no audience-related option.

In a realm that issues tokens to more than one client, a correctly-signed token 
minted for one client is accepted by a route intended for another, because only 
realm/client roles are compared. Operators relying on Keycloak's multi-client 
separation currently cannot ask camel-keycloak to enforce which client a token 
was issued for.

Camel's own security review checklist lists audience checking as something an 
authentication component should be able to enforce, and the newer camel-oauth 
stack ({{JwtTokenValidator}}) already validates audience by default with an 
explicit opt-out.

h3. Proposed change

* Add an optional {{expectedAudience}} (or similarly named) field to 
{{KeycloakSecurityPolicy}}, following the existing {{@UriParam}} conventions 
used for {{validateIssuer}}.
* When configured, extend the local verification path 
({{parseAndVerifyAccessToken}}, ~lines 53-81) and the introspection path to 
reject a token whose {{aud}} claim does not include the expected value.
* Document the multi-client behavior in the camel-keycloak component docs.
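
The following is an added illustration of the check the third bullet describes; it is not camel-keycloak code, and the class, method and value names (AudienceCheck, acceptAudience, "orders-api") are hypothetical. It assumes one helper can sit behind both paths: the local path hands it the String[] that Keycloak's JsonWebToken exposes through getAudience(), the introspection path hands it whatever the JSON "aud" member deserialized to. The point it makes that the text does not spell out is that RFC 7519 section 4.1.3 allows "aud" to be either a single string or an array of strings (RFC 7662 introspection responses follow the same rule), so the comparison must normalize both forms and must treat an absent claim as a mismatch once an expected audience is configured.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

/**
 * Illustrative audience check, not part of camel-keycloak. Names are hypothetical.
 */
public final class AudienceCheck {

    private AudienceCheck() {
    }

    /**
     * Normalizes an "aud" claim to a set of strings. The claim may be a single
     * string or an array of strings (RFC 7519 section 4.1.3); Keycloak's
     * JsonWebToken already deserializes it to a String[], while a raw
     * introspection response parsed into a Map may carry either a String or a
     * List. A missing claim (null) yields an empty set.
     */
    static Set<String> audiences(Object audClaim) {
        Set<String> result = new LinkedHashSet<>();
        if (audClaim == null) {
            return result;
        }
        if (audClaim instanceof String) {
            result.add((String) audClaim);
        } else if (audClaim instanceof String[]) {
            Collections.addAll(result, (String[]) audClaim);
        } else if (audClaim instanceof Collection) {
            for (Object o : (Collection<?>) audClaim) {
                if (o != null) {
                    result.add(o.toString());
                }
            }
        } else {
            // Anything else (number, nested object) is malformed: fail closed.
            throw new IllegalArgumentException(
                    "unsupported aud representation: " + audClaim.getClass().getName());
        }
        result.remove(null); // a String[] may contain null entries
        return result;
    }

    /**
     * Decides whether the token's audience is acceptable under a hypothetical
     * expectedAudience policy setting. No configured value means no check, which
     * keeps the current behaviour; with a value configured, the claim must be
     * present and contain it. Comparison is exact and case-sensitive.
     */
    static boolean acceptAudience(Object audClaim, String expectedAudience) {
        if (expectedAudience == null || expectedAudience.isEmpty()) {
            return true;
        }
        return audiences(audClaim).contains(expectedAudience);
    }

    public static void main(String[] args) {
        String expected = "orders-api"; // hypothetical expectedAudience value

        // Constructed inputs standing in for the two verification paths.
        String[] localAud = {"orders-api", "account"};          // as AccessToken.getAudience() returns
        Map<String, Object> introspected = Map.of("active", true, "aud", "orders-api");
        Map<String, Object> otherClient = Map.of("active", true, "aud", Arrays.asList("billing-api"));
        Map<String, Object> noAud = Map.of("active", true);

        System.out.println("local, matching array:      " + acceptAudience(localAud, expected));
        System.out.println("introspection, string aud:  " + acceptAudience(introspected.get("aud"), expected));
        System.out.println("introspection, other client:" + acceptAudience(otherClient.get("aud"), expected));
        System.out.println("introspection, no aud:      " + acceptAudience(noAud.get("aud"), expected));
        System.out.println("check not configured:       " + acceptAudience(noAud.get("aud"), null));
    }
}
```

The first two calls accept, the next two reject (a token minted for another client and a token with no aud claim at all), and the last accepts because no audience was configured. One caveat worth carrying into the component docs: Keycloak only places a client ID in aud when an audience protocol mapper (or the audience-resolve mapper) supplies it, so an operator who enables expectedAudience without such a mapper will see every token rejected, including tokens issued to the intended client.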

h3. Affected code

* {{components/camel-keycloak/src/main/java/org/apache/camel/component/keycloak/security/KeycloakSecurityHelper.java}}
* {{components/camel-keycloak/src/main/java/org/apache/camel/component/keycloak/security/KeycloakSecurityPolicy.java}}

h3. Notes

Backward compatible: audience checking only applies when an expected audience 
is configured. Tests should cover a matching audience, a non-matching audience, 
and no audience configured (current behavior preserved).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
