Luigi De Masi created CAMEL-23685:
-------------------------------------
Summary: Expose public token validation API for incoming Bearer tokens (JWT and opaque)
Key: CAMEL-23685
URL: https://issues.apache.org/jira/browse/CAMEL-23685
Project: Camel
Issue Type: Improvement
Components: camel-oauth
Affects Versions: 4.20.0
Reporter: Luigi De Masi
Assignee: Luigi De Masi
{{camel-oauth}} supports acquiring OAuth tokens and verifying them internally
during acquisition ({{UserProfile.verifyToken()}}). However, there
is no public API for validating an _incoming_ Bearer token received from
an external caller.
Any Camel component or route that accepts authenticated HTTP requests
needs to validate tokens on the consumer side. Today the options are:
* Use {{OAuthBearerTokenProcessor}}, which couples to the Vert.x OAuth2 provider
* Re-implement JWT/introspection validation from scratch
* Skip validation entirely
A provider-agnostic, public validation API would allow any component to
verify incoming tokens using the same OAuth profile configuration already
used for token acquisition.
h3. Proposed API
A new public method on {{OAuthHelper}} (or a dedicated SPI):
{code:java}
OAuthHelper.validateIncomingToken(CamelContext context, String profileName, String token)
→ returns validated claims (sub, exp, scope, etc.)
→ throws on invalid/expired/revoked token
{code}
h3. Validation strategy
*1. JWT tokens* — local verification: parse the JWT, fetch JWKS from the
profile's discovery endpoint (with caching and key rotation), verify
signature, expiration, audience, issuer. The logic already exists in
{{UserProfile.verifyToken()}} but is private.
*2. Opaque tokens* — remote verification via RFC 7662 introspection: call
the IdP's introspection endpoint with client credentials from the
profile. {{OAuthConfig.introspectionPath}} already exists but is unused
for validation.
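The two-path strategy above (local JWKS verification for JWTs, RFC 7662 introspection for opaque tokens), written out as an added example. This is not camel-oauth code and not the proposed {{OAuthHelper}} method; it assumes the Nimbus JOSE+JWT library, the JDK 11+ {{java.net.http.HttpClient}} and Java 17 syntax, and the hypothetical {{Profile}} record stands in for the values an OAuth profile would supply (issuer, audience, JWKS URI, introspection URL, client credentials).

```java
// Added example (not camel-oauth code): provider-agnostic validation of an incoming Bearer
// token. Assumes Nimbus JOSE+JWT (com.nimbusds:nimbus-jose-jwt) and the JDK HttpClient.
// Profile values are placeholders supplied by the caller.
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.util.JSONObjectUtils;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;

import java.net.URI;
import java.net.URL;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.Set;

public final class IncomingTokenValidator {

    // Hypothetical stand-in for the subset of an OAuth profile this example needs.
    public record Profile(String issuer, String audience, String jwksUri,
                          String introspectionUrl, String clientId, String clientSecret) {}

    private final Profile profile;
    private final DefaultJWTProcessor<SecurityContext> jwtProcessor;
    private final HttpClient http = HttpClient.newHttpClient();

    public IncomingTokenValidator(Profile profile) throws Exception {
        this.profile = profile;
        // RemoteJWKSet caches the JWKS and re-fetches it when a token carries an unknown
        // "kid", which provides key-rotation support without manual cache invalidation.
        JWKSource<SecurityContext> keySource = new RemoteJWKSet<>(new URL(profile.jwksUri()));
        JWSKeySelector<SecurityContext> keySelector =
                new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, keySource);
        jwtProcessor = new DefaultJWTProcessor<>();
        jwtProcessor.setJWSKeySelector(keySelector);
        // Require the expected audience, an exact issuer match, and the sub/exp claims;
        // the verifier checks "exp" (and "nbf") against the clock itself.
        jwtProcessor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(
                profile.audience(),
                new JWTClaimsSet.Builder().issuer(profile.issuer()).build(),
                Set.of("sub", "exp")));
    }

    /** Returns the validated claims, or throws if the token is not acceptable. */
    public Map<String, Object> validate(String token) throws Exception {
        // A JWS compact serialization has exactly two dots; anything else is treated as opaque.
        if (token.chars().filter(c -> c == '.').count() == 2) {
            return validateJwtLocally(token);
        }
        return introspectRemotely(token);
    }

    private Map<String, Object> validateJwtLocally(String token) throws Exception {
        // Signature (via JWKS), issuer, audience and expiry are all checked here;
        // any failure surfaces as a BadJOSEException or JOSEException.
        JWTClaimsSet claims = jwtProcessor.process(token, null);
        return claims.getClaims();
    }

    private Map<String, Object> introspectRemotely(String token) throws Exception {
        // RFC 7662: POST token=... to the introspection endpoint, client authenticating with HTTP Basic.
        String basic = Base64.getEncoder().encodeToString(
                (profile.clientId() + ":" + profile.clientSecret()).getBytes(StandardCharsets.UTF_8));
        String body = "token=" + URLEncoder.encode(token, StandardCharsets.UTF_8);
        HttpRequest request = HttpRequest.newBuilder(URI.create(profile.introspectionUrl()))
                .header("Authorization", "Basic " + basic)
                .header("Content-Type", "application/x-www-form-urlencoded")
                .header("Accept", "application/json")
                .POST(HttpRequest.BodyPublishers.ofString(body))
                .build();
        HttpResponse<String> response = http.send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            throw new SecurityException("introspection endpoint returned HTTP " + response.statusCode());
        }
        Map<String, Object> result = JSONObjectUtils.parse(response.body());
        // "active" is the only member RFC 7662 requires; false covers revoked, expired and unknown tokens.
        if (!Boolean.TRUE.equals(result.get("active"))) {
            throw new SecurityException("token is not active");
        }
        // When the IdP reports an audience, bind the opaque token to this profile's audience too.
        Object aud = result.get("aud");
        if (aud != null && !audienceMatches(aud)) {
            throw new SecurityException("token audience does not include " + profile.audience());
        }
        return result;
    }

    private boolean audienceMatches(Object aud) {
        if (aud instanceof String s) return s.equals(profile.audience());
        if (aud instanceof List<?> list) return list.contains(profile.audience());
        return false;
    }
}
```

The dispatch on the two-dot shape is the cheap heuristic for telling a JWS from an opaque token; an IdP that issues JWE-encrypted access tokens (four dots) would also land on the introspection path, which is the safe fallback. On Nimbus 9.x {{RemoteJWKSet}} is deprecated in favour of {{JWKSourceBuilder.create(url).build()}}, which offers the same caching and rate-limited refresh on unknown key IDs.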
h3. Existing building blocks
||What||Where||Status||
|JWT signature + audience verification|{{UserProfile.verifyToken()}}|Private, needs extraction|
|JWKS fetching and caching|{{OAuthConfig.getJWKSet()}} / {{setJWKSet()}}|Exists, needs wiring for consumer-side|
|Introspection endpoint URL|{{OAuthConfig.introspectionPath}}|Field exists, unused|
|Vert.x-specific token auth|{{VertxOAuth.authenticate(TokenCredentials)}}|Works but couples callers to Vert.x|
h3. Acceptance criteria
* Public API for validating incoming tokens, provider-agnostic (not Vert.x-specific)
* JWT tokens validated locally via JWKS (signature, expiry, audience)
* Opaque tokens validated via RFC 7662 introspection
* JWKS caching with key rotation support
* Discoverable via existing FactoryFinder pattern (optional {{camel-oauth}} on classpath)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)