[
https://issues.apache.org/jira/browse/CAMEL-23685?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Luigi De Masi updated CAMEL-23685:
----------------------------------
Description:
{{camel-oauth}} currently provides OAuth support mainly for
producer/client-side token acquisition. It should also expose a reusable public
API for validating incoming
{{Authorization: Bearer}} tokens on consumer/resource-server routes.
This issue adds a public OAuth token validation API for incoming Bearer tokens,
supporting both JWT and opaque tokens.
h2. Scope
* Add a public SPI/API for validating incoming Bearer tokens.
* Support JWT validation using JWKS, signature validation, expiry, issuer, and
audience checks.
* Support opaque token validation using OAuth 2.0 token introspection.
* Support named OAuth validation profiles using {{camel.oauth.<profile>.*}}
properties.
* Allow components and route code to call token validation without directly
depending on {{camel-oauth}} implementation classes.
h2. platform-http SPI extension
In addition to the generic validation API, this issue adds an opt-in
{{platform-http}} integration point.
A `platform-http` consumer can enable Bearer token validation with:
{code:java}
from("platform-http:/secure?oauthProfile=myprofile")
.to("direct:businessLogic");
{code}
Validation remains disabled by default. Existing {{platform-http}} users are
not affected unless they explicitly configure {{{}oauthProfile{}}}.
To support platform-specific HTTP runtimes, the {{platform-http}} SPI is
expanded with a security handler hook. Platform HTTP engines can override the
secured consumer
creation path and install validation in their native HTTP/security layer.
Engines that do not override it use a default Camel fallback that wraps the
route processor and
validates before route processing.
This lets Camel provide a portable default while still allowing Quarkus, Spring
Boot, Vert.x, or other platform integrations to follow their native security
model later.
h3. Example profile
{code:java}
camel.oauth.myprofile.jwks-endpoint=https://idp.example.com/.well-known/jwks.json
camel.oauth.myprofile.expected-issuer=https://idp.example.com
camel.oauth.myprofile.expected-audience=my-api{code}
h3. Runtime behavior
* Missing or malformed Bearer token: HTTP 401.
* Invalid token: HTTP 401.
* Token validation infrastructure/configuration failure: HTTP 503.
* Valid token: route processing continues, and the validation result is
exposed on the Exchange.
h3. Non-goals
* Do not enable authentication automatically for existing consumers.
* Do not force {{platform-http}} to depend on Spring Security, Quarkus
Security, or any single framework security model.
* Do not add authorization/role enforcement in this issue.
was:
{{camel-oauth}} supports acquiring OAuth tokens and verifying them internally
during acquisition ({{UserProfile.verifyToken()}}). However, there
is no public API for validating an _incoming_ Bearer token received from
an external caller.
Any Camel component or route that accepts authenticated HTTP requests
needs to validate tokens on the consumer side. Today the options are:
* Use {{OAuthBearerTokenProcessor}}, which couples to the Vert.x OAuth2
provider
* Re-implement JWT/introspection validation from scratch
* Skip validation entirely
A provider-agnostic, public validation API would allow any component to
verify incoming tokens using the same OAuth profile configuration already
used for token acquisition.
h3. Proposed API
A new public method on {{OAuthHelper}} (or a dedicated SPI):
{code:java}
OAuthHelper.validateIncomingToken(CamelContext context, String
profileName, String token)
→ returns validated claims (sub, exp, scope, etc.)
→ throws on invalid/expired/revoked token
{code}
h3. Validation strategy
*1. JWT tokens* — local verification: parse the JWT, fetch JWKS from the
profile's discovery endpoint (with caching and key rotation), verify
signature, expiration, audience, issuer. The logic already exists in
{{UserProfile.verifyToken()}} but is private.
*2. Opaque tokens* — remote verification via RFC 7662 introspection: call
the IdP's introspection endpoint with client credentials from the
profile. {{OAuthConfig.introspectionPath}} already exists but is unused
for validation.
h3. Existing building blocks
||What||Where||Status||
|JWT signature + audience
verification|{{UserProfile.verifyToken()}}|Private, needs extraction|
|JWKS fetching and caching|{{OAuthConfig.getJWKSet()}} /
{{setJWKSet()}}|Exists, needs wiring for consumer-side|
|Introspection endpoint URL|{{OAuthConfig.introspectionPath}}|Field
exists, unused|
|Vert.x-specific token
auth|{{VertxOAuth.authenticate(TokenCredentials)}}|Works but couples callers to
Vert.x|
h3. Acceptance criteria
* Public API for validating incoming tokens, provider-agnostic (not
Vert.x-specific)
* JWT tokens validated locally via JWKS (signature, expiry, audience)
* Opaque tokens validated via RFC 7662 introspection
* JWKS caching with key rotation support
* Discoverable via existing FactoryFinder pattern (optional
{{camel-oauth}} on classpath)
> Expose public token validation API for incoming Bearer tokens (JWT and opaque)
> ------------------------------------------------------------------------------
>
> Key: CAMEL-23685
> URL: https://issues.apache.org/jira/browse/CAMEL-23685
> Project: Camel
> Issue Type: Improvement
> Components: camel-oauth
> Affects Versions: 4.20.0
> Reporter: Luigi De Masi
> Assignee: Luigi De Masi
> Priority: Major
>
> {{camel-oauth}} currently provides OAuth support mainly for
> producer/client-side token acquisition. It should also expose a reusable
> public API for validating incoming
> {{Authorization: Bearer}} tokens on consumer/resource-server routes.
> This issue adds a public OAuth token validation API for incoming Bearer
> tokens, supporting both JWT and opaque tokens.
> h2. Scope
> * Add a public SPI/API for validating incoming Bearer tokens.
> * Support JWT validation using JWKS, signature validation, expiry, issuer,
> and audience checks.
> * Support opaque token validation using OAuth 2.0 token introspection.
> * Support named OAuth validation profiles using {{camel.oauth.<profile>.*}}
> properties.
> * Allow components and route code to call token validation without directly
> depending on {{camel-oauth}} implementation classes.
> h2. platform-http SPI extension
> In addition to the generic validation API, this issue adds an opt-in
> {{platform-http}} integration point.
> A `platform-http` consumer can enable Bearer token validation with:
> {code:java}
> from("platform-http:/secure?oauthProfile=myprofile")
> .to("direct:businessLogic");
> {code}
> Validation remains disabled by default. Existing {{platform-http}} users are
> not affected unless they explicitly configure {{{}oauthProfile{}}}.
> To support platform-specific HTTP runtimes, the {{platform-http}} SPI is
> expanded with a security handler hook. Platform HTTP engines can override the
> secured consumer
> creation path and install validation in their native HTTP/security layer.
> Engines that do not override it use a default Camel fallback that wraps the
> route processor and
> validates before route processing.
> This lets Camel provide a portable default while still allowing Quarkus,
> Spring Boot, Vert.x, or other platform integrations to follow their native
> security model later.
> h3. Example profile
> {code:java}
>
> camel.oauth.myprofile.jwks-endpoint=https://idp.example.com/.well-known/jwks.json
> camel.oauth.myprofile.expected-issuer=https://idp.example.com
> camel.oauth.myprofile.expected-audience=my-api{code}
> h3. Runtime behavior
> * Missing or malformed Bearer token: HTTP 401.
> * Invalid token: HTTP 401.
> * Token validation infrastructure/configuration failure: HTTP 503.
> * Valid token: route processing continues, and the validation result is
> exposed on the Exchange.
> h3. Non-goals
> * Do not enable authentication automatically for existing consumers.
> * Do not force {{platform-http}} to depend on Spring Security, Quarkus
> Security, or any single framework security model.
> * Do not add authorization/role enforcement in this issue.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
