oscerd opened a new pull request, #24076:
URL: https://github.com/apache/camel/pull/24076
Backport of #24032 (CAMEL-23760) to `camel-4.14.x`.
## What
`UserProfile.verifyToken(...)` previously skipped token signature
verification when no JWK set was available (fail-open). This change makes it
fail-closed: when the configured JWK set is `null` or empty, it now throws an
`OAuthException` ("Cannot verify token signature: no JWK set available")
instead of silently continuing without verifying the signature.
## Changes
- `UserProfile.java` — require a non-empty JWK set before verifying; throw
otherwise.
- `UserProfileTest.java` — 3 unit tests: empty JWKS rejected, missing JWKS
rejected, valid signature accepted.
## Notes
- Pure cherry-pick of the production fix + new unit test; the surrounding
`verifyToken` body is unchanged otherwise.
- Per the backport upgrade-guide policy, the upgrade-guide entry for this
change already lives on `main` in the **4_14** guide (added in #24044) — this
maintenance-branch PR intentionally contains no guide change.
- `camel-oauth` module build + the 3 new tests pass locally on
`4.14.8-SNAPSHOT`.
---
_Claude Code on behalf of Andrea Cosentino_
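The fail-open versus fail-closed behaviour described in this PR, as an added Python illustration rather than the camel-oauth Java code: a minimal HS256 JWT verifier with a JWKS lookup, where `verify_token_fail_open` mirrors the old behaviour and `verify_token_fail_closed` mirrors the fix. The `OAuthException` name is borrowed from the PR; the key, JWKS layout, token helper and `rejects` helper are constructed for the demo and are not the project's own code.

```python
import base64
import hashlib
import hmac
import json

class OAuthException(Exception): pass  # name borrowed from the PR, not camel-oauth's class

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def signature_valid(token, jwks):
    # Find the key by 'kid', then check the HS256 MAC over "header.payload".
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or key.get("kty") != "oct" or header.get("alg") != "HS256":
        return False
    expected = hmac.new(b64url_decode(key["k"]), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))

def verify_token_fail_open(token, jwks):
    # BEFORE (the bug): no JWK set means the check is skipped and a forged token passes.
    if jwks and jwks.get("keys") and not signature_valid(token, jwks):
        raise OAuthException("Token signature verification failed")
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_token_fail_closed(token, jwks):
    # AFTER (the fix): a null or empty JWK set is itself a hard error.
    if not jwks or not jwks.get("keys"):
        raise OAuthException("Cannot verify token signature: no JWK set available")
    if not signature_valid(token, jwks):
        raise OAuthException("Token signature verification failed")
    return json.loads(b64url_decode(token.split(".")[1]))

def make_hs256_token(claims, key, kid):
    # Constructed helper so the example runs offline; the key is a demo value.
    header = b64url_encode(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def rejects(verify, token, jwks):
    try:
        verify(token, jwks)
    except OAuthException:
        return True
    return False
```

With a JWKS present both variants reject a token signed under the wrong key; only when the JWKS is `None` or `{"keys": []}` do they diverge, which is exactly the case the three new unit tests cover.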