oscerd opened a new pull request, #24527:
URL: https://github.com/apache/camel/pull/24527

   Fixes [CAMEL-23768](https://issues.apache.org/jira/browse/CAMEL-23768).
   
   ## Problem
   
   `KeycloakPublicKeyResolver` ignored the JWT header `kid` and returned the 
**first** key in the JWKS, and `KeycloakSecurityProcessor` never passed the kid 
through (`getPublicKey(null)`). During key rotation (multiple keys present) 
this could pick the wrong key and reject an otherwise-valid token. The token is 
still cryptographically verified against a real key, so this is a 
**correctness/availability** matter, not a bypass.
   
   ## Change
   
   - `KeycloakSecurityHelper.extractKeyId(token)` — pulls the `kid` from the 
JWS header using Keycloak's own `JWSInput` (existing dependency); returns 
`null` if absent/unparseable.
   - `KeycloakSecurityProcessor` — extracts the kid and passes it to 
`resolver.getPublicKey(kid)`.
   - `KeycloakPublicKeyResolver.getPublicKey` — forces one refresh when the kid 
is unknown (to pick up rotated keys), then delegates to a new package-visible 
`selectKey` that **fails closed** (throws) when a kid is given but no key 
matches. The first-key fallback is kept only when the token carries no kid.
   
   ## Tests
   
   - `KeycloakPublicKeyResolverTest` — matching kid selects that key (not the 
first); unknown kid fails closed; null kid falls back to the first key (JWKS 
built from generated RSA keys, no container).
   - `KeycloakSecurityHelperTest` — `extractKeyId` returns the header kid / 
`null` for a malformed token.
   - Full reactor build (`mvn clean install -DskipTests`, 1871 modules) green; 
no generated-file impact (plain Java).
   
   ## Compatibility / backport
   
   Correctness fix, `fixVersions` 4.18.4 / 4.22.0 (camel-keycloak does not 
exist on the 4.14.x line). Default behaviour for a single-key JWKS is unchanged.
   
   ---
   _Claude Code on behalf of Andrea Cosentino_


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to