[ https://issues.apache.org/jira/browse/CAMEL-22581?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18033178#comment-18033178 ]

Thomas Diesler commented on CAMEL-22581:
----------------------------------------

Generally ...

{{aud}} = who the token is meant for.
Recipients must check it matches their identifier per [RFC 7519 §4.1.3|https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3]

In case of an access_token, I believe what you say is true: aud would contain the resource identifier when given in the Authorization Request.
In case of an id_token, the relying party (RP) (i.e. the Camel app) would need to verify that the issued id_token is indeed meant for the app, in which case aud must contain the client_id.

See [3.1.3.7. ID Token Validation|https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation]

I would relax the target audience check like this ...


{code:java}
if (idToken && !targetAudience.contains(clientId)) {
    throw new OAuthException("Invalid JWT audience. Expected to contain: " + clientId);
}
{code}

> OAuth may validate token audience incorrectly 
> ----------------------------------------------
>
>                 Key: CAMEL-22581
>                 URL: https://issues.apache.org/jira/browse/CAMEL-22581
>             Project: Camel
>          Issue Type: Bug
>          Components: camel-oauth
>            Reporter: Thomas Diesler
>            Assignee: Thomas Diesler
>            Priority: Major
>             Fix For: 4.16.0
>
>
> Tassos says:
> It seems that the camel-oauth library, while verifying the JWT token, expects 
> the audience value to be equal to clientId. Is it by design or is it a bug? 
> More specifically inside *UserProfile.java*
> {code:java}
> if (!target.isEmpty()) {
>     if (!idToken && jwtOptions.getAudience() != null) {
>         for (String el : jwtOptions.getAudience()) {
>             if (!target.contains(el)) {
>                 throw new OAuthException("Invalid JWT audience. expected: " + el);
>             }
>         }
>     } else if (!target.contains(config.getClientId())) {
>         throw new OAuthException("Invalid JWT audience. expected: " + config.getClientId());
>     }
> }
> {code}
> However, in OAuth2 access tokens, "aud" is normally the resource server (the 
> API audience), not the client_id.
> If it is by design, is it possible to make the audience verification optional? 
> When used on the client side it would make sense. Or is there a way to 
> configure that?
> Best regards,
> Tassos
> PS: it is regarding the client_credentials flow.
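An added example (not camel-oauth code, and not Thomas's or Tassos's) of an audience check that treats the two token types differently as the comment proposes: an id_token must carry the RP's client_id in aud (and, with several audiences, an azp equal to client_id, per OIDC Core 3.1.3.7), while an access_token is checked against the configured resource audience and skipped when none is configured. The class name, the `clientId`/`expectedAudience` parameters and the sample claims are assumptions.

```java
import java.util.List;
import java.util.Map;

// Added example, not camel-oauth code. Audience check that distinguishes an
// id_token (aud must contain the RP's client_id, OIDC Core 3.1.3.7) from an
// access_token (aud must contain the configured resource audience, if any).
public final class AudienceCheck {
    public static final class OAuthException extends RuntimeException {
        public OAuthException(String msg) { super(msg); }
    }

    // claims: decoded JWT claims, signature already verified
    // clientId: this RP's client_id; expectedAudience: resource audience(s) for
    // access tokens, null when none is configured (both are assumed config values)
    public static void verifyAudience(Map<String, Object> claims, boolean idToken,
                                      String clientId, List<String> expectedAudience) {
        List<String> target = audienceList(claims.get("aud"));
        if (idToken) {
            if (!target.contains(clientId)) {
                throw new OAuthException("Invalid JWT audience. Expected to contain: " + clientId);
            }
            // Several audiences: azp must be present; when present it must equal client_id
            Object azp = claims.get("azp");
            if ((target.size() > 1 || azp != null) && !clientId.equals(azp)) {
                throw new OAuthException("Invalid JWT azp. Expected: " + clientId);
            }
        } else if (expectedAudience != null) {
            // Access token: check the resource identifier, not the client_id
            for (String el : expectedAudience) {
                if (!target.contains(el)) {
                    throw new OAuthException("Invalid JWT audience. Expected to contain: " + el);
                }
            }
        }
    }

    // RFC 7519 4.1.3: aud is either a single string or an array of strings
    @SuppressWarnings("unchecked")
    static List<String> audienceList(Object aud) {
        if (aud == null) return List.of();
        if (aud instanceof String) return List.of((String) aud);
        return (List<String>) aud;
    }

    public static void main(String[] args) {
        verifyAudience(Map.of("aud", "my-client"), true, "my-client", null);
        verifyAudience(Map.of("aud", List.of("api://orders")), false, "my-client", List.of("api://orders"));
        System.out.println("audience checks passed");
    }
}
```

Both calls in `main` use constructed claims; an access_token whose aud is only the resource identifier now passes, which is exactly the client_credentials case the report describes.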


