Thomas Diesler created CAMEL-22581:
--------------------------------------
Summary: OAuth may validate token audience incorrectly
Key: CAMEL-22581
URL: https://issues.apache.org/jira/browse/CAMEL-22581
Project: Camel
Issue Type: Bug
Components: camel-oauth
Reporter: Thomas Diesler
Assignee: Thomas Diesler
Tassos says:
It seems that the camel-oauth library, while verifying the JWT token, expects
the audience value to be equal to clientId. Is it by design or is it a bug?
More specifically, inside *UserProfile.java*:
{code:java}
if (!target.isEmpty()) {
    if (!idToken && jwtOptions.getAudience() != null) {
        for (String el : jwtOptions.getAudience()) {
            if (!target.contains(el)) {
                throw new OAuthException("Invalid JWT audience. expected: " + el);
            }
        }
    } else if (!target.contains(config.getClientId())) {
        throw new OAuthException("Invalid JWT audience. expected: " + config.getClientId());
    }
}
{code}
However, in OAuth2 access tokens, "aud" is normally the resource server (the
API audience), not the client_id.
If it is by design, is it possible to make the audience verification optional?
When used on the client side it would make sense. Or is there a way to
configure that?
Best regards,
Tassos
PS: it is regarding the client_credentials flow.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
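An added example (Python, not camel-oauth code) of the distinction the report draws: an OIDC ID token's aud must contain the client_id, whereas an OAuth2 access token's aud is checked against the resource server's own configured identifier, falling back to client_id only when none is configured. The claim sets, issuer, API and client names below are constructed.

```python
from typing import Any, Dict, List

class OAuthException(Exception):
    """Audience check failed (same exception name as the camel-oauth snippet above)."""

def _aud_values(claims: Dict[str, Any]) -> List[str]:
    # RFC 7519 4.1.3: "aud" is a single string or an array of strings.
    aud = claims.get("aud")
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return aud
    raise OAuthException("Malformed aud claim")

def validate_audience(claims, *, client_id, expected_audience=None, id_token=False) -> str:
    """Return the audience value that matched, or raise OAuthException.

    id_token=True : OIDC ID token, aud MUST contain the client_id (OIDC Core 3.1.3.7).
    id_token=False: OAuth2 access token, the verifier is a resource server and must
                    find one of its own identifiers in aud (RFC 7519 4.1.3). Only when
                    no resource identifier is configured do we fall back to client_id.
    """
    target = _aud_values(claims)
    if not target:
        raise OAuthException("Missing JWT audience")
    if id_token:
        if client_id not in target:
            raise OAuthException(f"Invalid JWT audience. expected: {client_id}")
        return client_id
    expected = list(expected_audience) if expected_audience else [client_id]
    for el in expected:  # any one configured identifier is enough
        if el in target:
            return el
    raise OAuthException(f"Invalid JWT audience. expected one of: {expected}")

def is_rejected(claims, **kwargs) -> bool:
    """True if validate_audience raises; used to show the failing case."""
    try:
        validate_audience(claims, **kwargs)
        return False
    except OAuthException:
        return True

# Constructed sample claim sets (not real tokens); issuer, API and client names are invented.
ACCESS_TOKEN_CLAIMS = {"iss": "https://issuer.example", "sub": "svc-client", "aud": "https://api.example/orders"}
ID_TOKEN_CLAIMS = {"iss": "https://issuer.example", "sub": "user-1", "aud": ["my-client"]}
```

With no resource identifier configured, the client_credentials access token above is rejected, which is the behaviour the report describes; configuring the API identifier as the expected audience accepts it.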