Andrea Cosentino created CAMEL-23875:
----------------------------------------
Summary: camel-keycloak: add optional audience (aud) validation to token verification
Key: CAMEL-23875
URL: https://issues.apache.org/jira/browse/CAMEL-23875
Project: Camel
Issue Type: Improvement
Components: camel-keycloak
Reporter: Andrea Cosentino
h3. Background
camel-keycloak validates incoming bearer tokens in two ways: local JWT
verification ({{KeycloakSecurityHelper.parseAndVerifyAccessToken}}) and OAuth
2.0 token introspection. Both verify the token subject, active/expiry state,
and issuer, but neither inspects the token's {{aud}} (audience) claim, and
{{KeycloakSecurityPolicy}} exposes no audience-related option.
In a realm that issues tokens to more than one client, a correctly-signed token
minted for one client is accepted by a route intended for another, because only
realm/client roles are compared. Operators relying on Keycloak's multi-client
separation currently cannot ask camel-keycloak to enforce which client a token
was issued for.
Camel's own security review checklist lists audience checking as something an
authentication component should be able to enforce, and the newer camel-oauth
stack ({{JwtTokenValidator}}) already validates audience by default with an
explicit opt-out.
h3. Proposed change
* Add an optional {{expectedAudience}} (or similarly named) field to
{{KeycloakSecurityPolicy}}, following the existing {{@UriParam}} conventions
used for {{validateIssuer}}.
* When configured, extend the local verification path
({{parseAndVerifyAccessToken}}, ~lines 53-81) and the introspection path to
reject a token whose {{aud}} claim does not include the expected value.
* Document the multi-client behavior in the camel-keycloak component docs.
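An added illustration, not camel-keycloak's own code, of the audience check the proposed change describes. It models claims as a plain {{Map}} so the same method can be applied to a decoded JWT payload on the local verification path and to an RFC 7662 introspection response, and it handles the two shapes RFC 7519 permits for {{aud}} (a single string or an array). The class name {{AudienceCheckExample}}, the method {{audienceAccepted}} and the client id {{route-api}} are assumed for the example:

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Map;

/**
 * Hypothetical helper (not camel-keycloak code) showing the audience check
 * proposed in this issue. Claims are a plain Map so the same method serves
 * both a decoded JWT payload and an introspection response.
 */
public final class AudienceCheckExample {

    private AudienceCheckExample() {
    }

    /**
     * Returns true when the token passes the audience check.
     *
     * A null or empty expectedAudience reproduces current behaviour: no audience
     * check at all. Otherwise the "aud" claim must be present and must contain the
     * expected value. RFC 7519 allows "aud" to be a single string or an array of
     * strings, so both are handled; a missing or unrecognised claim is rejected.
     */
    public static boolean audienceAccepted(Map<String, Object> claims, String expectedAudience) {
        if (expectedAudience == null || expectedAudience.isEmpty()) {
            return true; // option not configured: existing behaviour preserved
        }
        Object aud = claims.get("aud");
        if (aud instanceof String) {
            return expectedAudience.equals(aud);
        }
        if (aud instanceof String[]) {
            return Arrays.asList((String[]) aud).contains(expectedAudience);
        }
        if (aud instanceof Collection<?>) {
            return ((Collection<?>) aud).contains(expectedAudience);
        }
        return false; // claim absent or of an unexpected type: fail closed
    }

    public static void main(String[] args) {
        // Constructed sample claim sets; "route-api" is an assumed client id.
        Map<String, Object> singleAud = Map.of("sub", "alice", "aud", "route-api");
        Map<String, Object> multiAud = Map.of("sub", "alice", "aud", List.of("account", "route-api"));
        Map<String, Object> otherClient = Map.of("sub", "alice", "aud", "billing-app");
        Map<String, Object> noAud = Map.of("sub", "alice");

        // The three cases the Notes section asks tests to cover, plus the array form.
        System.out.println("matching (string aud):  " + audienceAccepted(singleAud, "route-api"));
        System.out.println("matching (array aud):   " + audienceAccepted(multiAud, "route-api"));
        System.out.println("minted for other client: " + audienceAccepted(otherClient, "route-api"));
        System.out.println("aud claim missing:       " + audienceAccepted(noAud, "route-api"));
        System.out.println("no audience configured:  " + audienceAccepted(otherClient, null));
    }
}
```

On the local path the verified Keycloak {{AccessToken}} already exposes {{getAudience()}} and {{hasAudience(String)}} via {{JsonWebToken}}, so the check reduces to one call on the token; the Map-based form above is what the introspection path needs, since the introspection JSON carries {{aud}} as either a string or an array. Failing closed on a missing claim matters: a token with no {{aud}} at all gives no evidence it was minted for this client.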
h3. Affected code
* {{components/camel-keycloak/src/main/java/org/apache/camel/component/keycloak/security/KeycloakSecurityHelper.java}}
* {{components/camel-keycloak/src/main/java/org/apache/camel/component/keycloak/security/KeycloakSecurityPolicy.java}}
h3. Notes
Backward compatible: audience checking only applies when an expected audience
is configured. Tests should cover a matching audience, a non-matching audience,
and no audience configured (current behavior preserved).
--
This message was sent by Atlassian Jira
(v8.20.10#820010)