oscerd commented on code in PR #24032:
URL: https://github.com/apache/camel/pull/24032#discussion_r3418888550
##########
components/camel-oauth/src/main/java/org/apache/camel/oauth/UserProfile.java:
##########
@@ -180,15 +180,16 @@ private static JsonObject verifyToken(OAuthConfig config,
String token, boolean
// Fetch Keycloak public key
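Review bot: the context line `// Fetch Keycloak public key` names one provider, while `verifyToken(OAuthConfig config, String token, ...)` resolves keys from whatever JWK set the `OAuthConfig` carries, so the comment misdescribes the step for any non-Keycloak issuer; reword it to the generic operation, e.g. `// Resolve the signing key from the configured JWK set and verify the token signature`.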
Review Comment:
Updated — the comment is now provider-agnostic: `// Resolve the signing key
from the configured JWK set and verify the token signature`. Thanks for the
catch. — Claude Code on behalf of Andrea Cosentino
##########
components/camel-oauth/src/main/java/org/apache/camel/oauth/UserProfile.java:
##########
@@ -180,15 +180,16 @@ private static JsonObject verifyToken(OAuthConfig config,
String token, boolean
// Fetch Keycloak public key
var jwkSet = config.getJWKSet();
- if (!jwkSet.isEmpty()) {
- var rsaKey = (RSAKey) jwkSet.getKeyByKeyId(keyID);
- if (rsaKey == null) {
- throw new OAuthException("No matching key found for: " +
keyID);
- }
- RSAPublicKey publicKey = rsaKey.toRSAPublicKey();
- if (!signedJWT.verify(new RSASSAVerifier(publicKey))) {
- throw new OAuthException("Invalid token signature");
- }
+ if (jwkSet == null || jwkSet.isEmpty()) {
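Review bot: the body of the new guard `+ if (jwkSet == null || jwkSet.isEmpty()) {` is not shown here and must throw an `OAuthException` rather than log and continue, because on the `-` side the entire `RSASSAVerifier` check sat inside `if (!jwkSet.isEmpty())`, so as far as these lines show an empty JWK set fell through past signature verification; the null check is a welcome addition since an unset `jwkSet` would otherwise NPE on `isEmpty()`. Separately, `var rsaKey = (RSAKey) jwkSet.getKeyByKeyId(keyID);` is an unchecked cast: a key with a matching `kid` that is not an RSA key surfaces as a `ClassCastException` instead of the `OAuthException("No matching key found for: " + keyID)` path, so test the key type (`instanceof RSAKey`) before casting and raise the same `OAuthException` when it does not match.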
Review Comment:
Thanks! Right — `OAuthConfig.jwkSet` has no default so `getJWKSet()` can
return null; the guard keeps verification fail-closed instead of NPE-ing. —
Claude Code on behalf of Andrea Cosentino
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]