[
https://issues.apache.org/jira/browse/CAMEL-23685?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Work on CAMEL-23685 started by Luigi De Masi.
---------------------------------------------
> Expose public token validation API for incoming Bearer tokens (JWT and opaque)
> ------------------------------------------------------------------------------
>
> Key: CAMEL-23685
> URL: https://issues.apache.org/jira/browse/CAMEL-23685
> Project: Camel
> Issue Type: Improvement
> Components: camel-oauth
> Affects Versions: 4.20.0
> Reporter: Luigi De Masi
> Assignee: Luigi De Masi
> Priority: Major
>
> {{camel-oauth}} supports acquiring OAuth tokens and verifying them
> internally during acquisition ({{UserProfile.verifyToken()}}). However, there
> is no public API for validating an _incoming_ Bearer token received from
> an external caller.
> Any Camel component or route that accepts authenticated HTTP requests
> needs to validate tokens on the consumer side. Today the options are:
> * Use {{OAuthBearerTokenProcessor}}, which couples to the Vert.x OAuth2
> provider
> * Re-implement JWT/introspection validation from scratch
> * Skip validation entirely
> A provider-agnostic, public validation API would allow any component to
> verify incoming tokens using the same OAuth profile configuration already
> used for token acquisition.
> h3. Proposed API
> A new public method on {{OAuthHelper}} (or a dedicated SPI):
> {code:java}
> OAuthHelper.validateIncomingToken(CamelContext context, String profileName, String token)
> → returns validated claims (sub, exp, scope, etc.)
> → throws on invalid/expired/revoked token
> {code}
> h3. Validation strategy
> *1. JWT tokens* — local verification: parse the JWT, fetch JWKS from the
> profile's discovery endpoint (with caching and key rotation), verify
> signature, expiration, audience, issuer. The logic already exists in
> {{UserProfile.verifyToken()}} but is private.
> *2. Opaque tokens* — remote verification via RFC 7662 introspection:
> call the IdP's introspection endpoint with client credentials from the
> profile. {{OAuthConfig.introspectionPath}} already exists but is unused
> for validation.
> h3. Existing building blocks
> ||What||Where||Status||
> |JWT signature + audience verification|{{UserProfile.verifyToken()}}|Private, needs extraction|
> |JWKS fetching and caching|{{OAuthConfig.getJWKSet()}} / {{setJWKSet()}}|Exists, needs wiring for consumer-side|
> |Introspection endpoint URL|{{OAuthConfig.introspectionPath}}|Field exists, unused|
> |Vert.x-specific token auth|{{VertxOAuth.authenticate(TokenCredentials)}}|Works but couples callers to Vert.x|
> h3. Acceptance criteria
> * Public API for validating incoming tokens, provider-agnostic (not
> Vert.x-specific)
> * JWT tokens validated locally via JWKS (signature, expiry, audience)
> * Opaque tokens validated via RFC 7662 introspection
> * JWKS caching with key rotation support
> * Discoverable via existing FactoryFinder pattern (optional
> {{camel-oauth}} on classpath)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
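Sketch of the two-branch validation strategy the issue describes, as an added example that is neither Camel's code nor the proposed `OAuthHelper` API: a token with three segments is verified locally against a cached JWKS (refetched once on an unknown `kid` to absorb key rotation) and checked for signature, expiry, issuer and audience, while anything else goes to an injected RFC 7662 introspection callback that must report `active`. It assumes HS256 with an `oct` JWK so it runs on the standard library alone (a real JWKS serves RSA/EC public keys, and a JOSE library replaces the HMAC step); issuer, audience, secret and token values are constructed.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_jwt(key: bytes, kid: str, claims: dict) -> str:
    # Constructed helper so the demo has tokens to validate; real tokens come from the IdP.
    header = b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

class TokenValidator:
    # JWT -> local JWKS verification; anything else -> RFC 7662 introspection.
    def __init__(self, issuer, audience, fetch_jwks, introspect):
        self.issuer, self.audience = issuer, audience
        self.fetch_jwks, self.introspect = fetch_jwks, introspect  # injected I/O (assumed)
        self.jwks = {}                                              # kid -> JWK cache
    def _key(self, kid):
        if kid not in self.jwks:  # unknown kid: refresh the cache once (key rotation)
            self.jwks = {k["kid"]: k for k in self.fetch_jwks()["keys"]}
        return self.jwks.get(kid)
    def validate(self, token: str, now=None) -> dict:
        now = time.time() if now is None else now
        parts = token.split(".")
        if len(parts) == 3:  # three base64url segments: treat as a compact JWS
            return self._validate_jwt(parts, now)
        resp = self.introspect(token)  # opaque token: ask the IdP (RFC 7662)
        if not resp.get("active"):     # the IdP reports expiry/revocation as active=false
            raise ValueError("token inactive or revoked")
        return resp
    def _validate_jwt(self, parts, now):
        header = json.loads(b64url_decode(parts[0]))
        key = self._key(header.get("kid"))
        # Pin the algorithm to the key type; never trust "alg" alone (rejects alg=none).
        if key is None or key.get("kty") != "oct" or header.get("alg") != "HS256":
            raise ValueError("unknown key or unsupported alg")
        expected = hmac.new(b64url_decode(key["k"]), f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(parts[2])):
            raise ValueError("bad signature")
        claims = json.loads(b64url_decode(parts[1]))
        if claims.get("exp", 0) <= now:
            raise ValueError("expired")
        if claims.get("iss") != self.issuer:
            raise ValueError("wrong issuer")
        aud = claims.get("aud", [])
        if self.audience not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("wrong audience")
        return claims
```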