[ 
https://issues.apache.org/jira/browse/CAMEL-23875?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andrea Cosentino resolved CAMEL-23875.
--------------------------------------
    Resolution: Fixed

Fixed on main via https://github.com/apache/camel/pull/24477 (4.22.0) and 
backported to camel-4.18.x via https://github.com/apache/camel/pull/24540 
(4.18.4).

_Claude Code on behalf of Andrea Cosentino (@oscerd)_

> camel-keycloak: add optional audience (aud) validation to token verification
> ----------------------------------------------------------------------------
>
>                 Key: CAMEL-23875
>                 URL: https://issues.apache.org/jira/browse/CAMEL-23875
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-keycloak
>            Reporter: Andrea Cosentino
>            Assignee: Adriano Machado
>            Priority: Major
>             Fix For: 4.18.4, 4.22.0
>
>
> h3. Background
> camel-keycloak validates incoming bearer tokens in two ways: local JWT 
> verification ({{KeycloakSecurityHelper.parseAndVerifyAccessToken}}) and OAuth 
> 2.0 token introspection. Both verify the token subject, active/expiry state, 
> and issuer, but neither inspects the token's {{aud}} (audience) claim, and 
> {{KeycloakSecurityPolicy}} exposes no audience-related option.
> In a realm that issues tokens to more than one client, a correctly-signed 
> token minted for one client is accepted by a route intended for another, 
> because only realm/client roles are compared. Operators relying on Keycloak's 
> multi-client separation currently cannot ask camel-keycloak to enforce which 
> client a token was issued for.
> Camel's own security review checklist lists audience checking as something an 
> authentication component should be able to enforce, and the newer camel-oauth 
> stack ({{JwtTokenValidator}}) already validates audience by default with an 
> explicit opt-out.
> h3. Proposed change
> * Add an optional {{expectedAudience}} (or similarly named) field to 
> {{KeycloakSecurityPolicy}}, following the existing {{@UriParam}} conventions 
> used for {{validateIssuer}}.
> * When configured, extend the local verification path 
> ({{parseAndVerifyAccessToken}}, ~lines 53-81) and the introspection path to 
> reject a token whose {{aud}} claim does not include the expected value.
> * Document the multi-client behavior in the camel-keycloak component docs.
> h3. Affected code
> * 
> {{components/camel-keycloak/src/main/java/org/apache/camel/component/keycloak/security/KeycloakSecurityHelper.java}}
> * 
> {{components/camel-keycloak/src/main/java/org/apache/camel/component/keycloak/security/KeycloakSecurityPolicy.java}}
> h3. Notes
> Backward compatible: audience checking only applies when an expected audience 
> is configured. Tests should cover a matching audience, a non-matching 
> audience, and no audience configured (current behavior preserved).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to