oscerd opened a new pull request, #24527: URL: https://github.com/apache/camel/pull/24527
Fixes [CAMEL-23768](https://issues.apache.org/jira/browse/CAMEL-23768). ## Problem `KeycloakPublicKeyResolver` ignored the JWT header `kid` and returned the **first** key in the JWKS, and `KeycloakSecurityProcessor` never passed the kid through (`getPublicKey(null)`). During key rotation (multiple keys present) this could pick the wrong key and reject an otherwise-valid token. The token is still cryptographically verified against a real key, so this is a **correctness/availability** matter, not a bypass. ## Change - `KeycloakSecurityHelper.extractKeyId(token)` — pulls the `kid` from the JWS header using Keycloak's own `JWSInput` (existing dependency); returns `null` if absent/unparseable. - `KeycloakSecurityProcessor` — extracts the kid and passes it to `resolver.getPublicKey(kid)`. - `KeycloakPublicKeyResolver.getPublicKey` — forces one refresh when the kid is unknown (to pick up rotated keys), then delegates to a new package-visible `selectKey` that **fails closed** (throws) when a kid is given but no key matches. The first-key fallback is kept only when the token carries no kid. ## Tests - `KeycloakPublicKeyResolverTest` — matching kid selects that key (not the first); unknown kid fails closed; null kid falls back to the first key (JWKS built from generated RSA keys, no container). - `KeycloakSecurityHelperTest` — `extractKeyId` returns the header kid / `null` for a malformed token. - Full reactor build (`mvn clean install -DskipTests`, 1871 modules) green; no generated-file impact (plain Java). ## Compatibility / backport Correctness fix, `fixVersions` 4.18.4 / 4.22.0 (camel-keycloak does not exist on the 4.14.x line). Default behaviour for a single-key JWKS is unchanged. --- _Claude Code on behalf of Andrea Cosentino_ -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
