This is an automated email from the ASF dual-hosted git repository. apupier pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/camel.git
commit b268dd42c29a3e76e2d0e1ecbdaa4c89db2cb638
Author: Aurélien Pupier <[email protected]>
AuthorDate: Thu May 21 17:55:18 2026 +0200
Configure Keycloak 26.6.2 test to include the client ID in the aud claim of issued tokens, ensuring that when the same client performs token introspection, the validation passes. this is now required https://www.keycloak.org/docs/latest/upgrading/index.html#token-introspection-now-validates-audience-claim
```
Token introspection now validates audience claim The OAuth2 token introspection endpoint now validates that the authenticated client is present in the token’s audience (aud) claim before allowing introspection. Previously, any authenticated client could introspect any valid token. Now, the introspection endpoint returns {"active": false} if the authenticated client is not in the token’s audience
```
Co-authored-by: IBM Bob IDE 1.0.2
Signed-off-by: Aurélien Pupier <[email protected]>
---
 .../security/KeycloakTokenIntrospectionIT.java | 28 ++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)
diff --git a/components/camel-keycloak/src/test/java/org/apache/camel/component/keycloak/security/KeycloakTokenIntrospectionIT.java b/components/camel-keycloak/src/test/java/org/apache/camel/component/keycloak/security/KeycloakTokenIntrospectionIT.java
index 72715c0a2a07..6ea0dd76db85 100644
--- a/components/camel-keycloak/src/test/java/org/apache/camel/component/keycloak/security/KeycloakTokenIntrospectionIT.java
+++ b/components/camel-keycloak/src/test/java/org/apache/camel/component/keycloak/security/KeycloakTokenIntrospectionIT.java
@@ -17,6 +17,7 @@
 package org.apache.camel.component.keycloak.security;
 import java.util.Arrays;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -53,6 +54,7 @@ import org.keycloak.admin.client.resource.RealmResource;
 import org.keycloak.admin.client.resource.UserResource;
 import org.keycloak.representations.idm.ClientRepresentation;
 import org.keycloak.representations.idm.CredentialRepresentation;
+import org.keycloak.representations.idm.ProtocolMapperRepresentation;
 import org.keycloak.representations.idm.RealmRepresentation;
 import org.keycloak.representations.idm.RoleRepresentation;
 import org.keycloak.representations.idm.UserRepresentation;
@@ -172,6 +174,11 @@ public class KeycloakTokenIntrospectionIT extends CamelTestSupport {
 // Get client secret
 TEST_CLIENT_SECRET = clientResource.getSecret().getValue();
+
+ // Add audience mapper to include this client in the token audience
+ // This is required for Keycloak 26.6.2+ token introspection
+ addAudienceMapper(clientResource);
+
 LOG.info("Created test client: {} with secret for introspection", TEST_CLIENT_ID);
 } else {
 throw new RuntimeException("Failed to create client. Status: " + response.getStatus());
@@ -179,6 +186,23 @@ public class KeycloakTokenIntrospectionIT extends CamelTestSupport {
 response.close();
 }
+ private static void addAudienceMapper(ClientResource clientResource) {
+ ProtocolMapperRepresentation audienceMapper
+ = new ProtocolMapperRepresentation();
+ audienceMapper.setName("audience-mapper");
+ audienceMapper.setProtocol("openid-connect");
+ audienceMapper.setProtocolMapper("oidc-audience-mapper");
+
+ Map<String, String> config = new HashMap<>();
+ config.put("included.client.audience", TEST_CLIENT_ID);
+ config.put("access.token.claim", "true");
+ config.put("id.token.claim", "false");
+ audienceMapper.setConfig(config);
+
+ clientResource.getProtocolMappers().createMapper(audienceMapper);
+ LOG.info("Added audience mapper to client: {}", TEST_CLIENT_ID);
+ }
+
 private static void createTestRoles() {
 // Create admin role
 RoleRepresentation adminRole = new RoleRepresentation();
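Review bot: In the `@@ -179,6 +186,23 @@` hunk the result of `clientResource.getProtocolMappers().createMapper(audienceMapper)` is discarded, so a mapper the admin API rejects (a 400 or 409, for instance) is never noticed during setup; the client then receives access tokens without itself in `aud`, and the introspection tests fail later with a misleading `active: false` rather than at the misconfiguration. The client-creation branch in the preceding hunk already checks `response.getStatus()` and closes the response, and createMapper in the Keycloak admin client also returns a JAX-RS Response as far as I can tell, so mirror that: `try (Response mapperResponse = clientResource.getProtocolMappers().createMapper(audienceMapper)) {` / `    if (mapperResponse.getStatus() != 201) { throw new IllegalStateException("Failed to create audience mapper. Status: " + mapperResponse.getStatus()); }` / `}`. Consider also lifting the mapper keys `included.client.audience`, `access.token.claim` and `id.token.claim` into named constants next to TEST_CLIENT_ID, with a comment stating that the audience is deliberately added to the access token only, so the intent is documented where the client is configured.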
@@ -725,8 +749,8 @@ public class KeycloakTokenIntrospectionIT extends CamelTestSupport {
 */
 private String getAccessToken(String username, String password) {
 try (Client client = ClientBuilder.newClient()) {
- String tokenUrl = keycloakService.getKeycloakServerUrl() + "/realms/" + TEST_REALM_NAME
- + "/protocol/openid-connect/token";
+ String serverRealm = keycloakService.serverUrl() + "/realms/" + TEST_REALM_NAME;
+ String tokenUrl = serverRealm + "/protocol/openid-connect/token";
 Form form = new Form()
 .param("grant_type", "password")
