[
https://issues.apache.org/jira/browse/CAMEL-23685?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Luigi De Masi updated CAMEL-23685:
----------------------------------
Description:
{{camel-oauth}} currently provides OAuth support mainly for
producer/client-side token acquisition. It should also expose a reusable public
API for validating incoming
{{Authorization: Bearer}} tokens on consumer/resource-server routes.
This issue adds a public OAuth token validation API for incoming Bearer tokens,
supporting both JWT and opaque tokens.
h2. Scope
* Add a public SPI/API for validating incoming Bearer tokens.
* Support JWT validation using JWKS, signature validation, expiry, issuer, and
audience checks.
* Support opaque token validation using OAuth 2.0 token introspection.
* Support named OAuth validation profiles using {{camel.oauth.<profile>.*}}
properties.
* Allow components and route code to call token validation without directly
depending on {{camel-oauth}} implementation classes.
h2. platform-http SPI extension
In addition to the generic validation API, this issue adds an opt-in
{{platform-http}} integration point.
A `platform-http` consumer can enable Bearer token validation with:
{code:java}
from("platform-http:/secure?oauthProfile=myprofile")
.to("direct:businessLogic");
{code}
Validation remains disabled by default. Existing {{platform-http}} users are
not affected unless they explicitly configure {{{}oauthProfile{}}}.
To support platform-specific HTTP runtimes, the {{platform-http}} SPI is
expanded with a security handler hook. Platform HTTP engines can override the
secured consumer
creation path and install validation in their native HTTP/security layer.
Engines that do not override it use a default Camel fallback that wraps the
route processor and
validates before route processing.
This lets Camel provide a portable default while still allowing Quarkus, Spring
Boot, Vert.x, or other platform integrations to follow their native security
model later.
h3. Example profile
{code:java}
camel.oauth.myprofile.jwks-endpoint=https://idp.example.com/.well-known/jwks.json
camel.oauth.myprofile.expected-issuer=https://idp.example.com
camel.oauth.myprofile.expected-audience=my-api{code}
h3. Runtime behavior
* Missing or malformed Bearer token: HTTP 401.
* Invalid token: HTTP 401.
* Token validation infrastructure/configuration failure: HTTP 503.
* Valid token: route processing continues, and the validation result is
exposed on the Exchange.
h3. Validation result contract
The public validation result exposes resource-server-oriented token data:
* principal name / subject
* issuer and audience
* token scopes
* immutable token attributes/claims
* validation failure category for fail-closed HTTP handling
The result intentionally does not perform role/group/authority mapping in this
issue. Platform integrations such as Spring Boot and Quarkus can map claims to
their native security models later.
h3. Non-goals
* Do not enable authentication automatically for existing consumers.
* Do not force {{platform-http}} to depend on Spring Security, Quarkus
Security, or any single framework security model.
* Do not add authorization/role enforcement in this issue.
was:
{{camel-oauth}} currently provides OAuth support mainly for
producer/client-side token acquisition. It should also expose a reusable public
API for validating incoming
{{Authorization: Bearer}} tokens on consumer/resource-server routes.
This issue adds a public OAuth token validation API for incoming Bearer tokens,
supporting both JWT and opaque tokens.
h2. Scope
* Add a public SPI/API for validating incoming Bearer tokens.
* Support JWT validation using JWKS, signature validation, expiry, issuer, and
audience checks.
* Support opaque token validation using OAuth 2.0 token introspection.
* Support named OAuth validation profiles using {{camel.oauth.<profile>.*}}
properties.
* Allow components and route code to call token validation without directly
depending on {{camel-oauth}} implementation classes.
h2. platform-http SPI extension
In addition to the generic validation API, this issue adds an opt-in
{{platform-http}} integration point.
A `platform-http` consumer can enable Bearer token validation with:
{code:java}
from("platform-http:/secure?oauthProfile=myprofile")
.to("direct:businessLogic");
{code}
Validation remains disabled by default. Existing {{platform-http}} users are
not affected unless they explicitly configure {{{}oauthProfile{}}}.
To support platform-specific HTTP runtimes, the {{platform-http}} SPI is
expanded with a security handler hook. Platform HTTP engines can override the
secured consumer
creation path and install validation in their native HTTP/security layer.
Engines that do not override it use a default Camel fallback that wraps the
route processor and
validates before route processing.
This lets Camel provide a portable default while still allowing Quarkus, Spring
Boot, Vert.x, or other platform integrations to follow their native security
model later.
h3. Example profile
{code:java}
camel.oauth.myprofile.jwks-endpoint=https://idp.example.com/.well-known/jwks.json
camel.oauth.myprofile.expected-issuer=https://idp.example.com
camel.oauth.myprofile.expected-audience=my-api{code}
h3. Runtime behavior
* Missing or malformed Bearer token: HTTP 401.
* Invalid token: HTTP 401.
* Token validation infrastructure/configuration failure: HTTP 503.
* Valid token: route processing continues, and the validation result is
exposed on the Exchange.
h3. Non-goals
* Do not enable authentication automatically for existing consumers.
* Do not force {{platform-http}} to depend on Spring Security, Quarkus
Security, or any single framework security model.
* Do not add authorization/role enforcement in this issue.
> Expose public token validation API for incoming Bearer tokens (JWT and opaque)
> ------------------------------------------------------------------------------
>
> Key: CAMEL-23685
> URL: https://issues.apache.org/jira/browse/CAMEL-23685
> Project: Camel
> Issue Type: Improvement
> Components: camel-oauth
> Affects Versions: 4.20.0
> Reporter: Luigi De Masi
> Assignee: Luigi De Masi
> Priority: Major
>
> {{camel-oauth}} currently provides OAuth support mainly for
> producer/client-side token acquisition. It should also expose a reusable
> public API for validating incoming
> {{Authorization: Bearer}} tokens on consumer/resource-server routes.
> This issue adds a public OAuth token validation API for incoming Bearer
> tokens, supporting both JWT and opaque tokens.
> h2. Scope
> * Add a public SPI/API for validating incoming Bearer tokens.
> * Support JWT validation using JWKS, signature validation, expiry, issuer,
> and audience checks.
> * Support opaque token validation using OAuth 2.0 token introspection.
> * Support named OAuth validation profiles using {{camel.oauth.<profile>.*}}
> properties.
> * Allow components and route code to call token validation without directly
> depending on {{camel-oauth}} implementation classes.
> h2. platform-http SPI extension
> In addition to the generic validation API, this issue adds an opt-in
> {{platform-http}} integration point.
> A `platform-http` consumer can enable Bearer token validation with:
> {code:java}
> from("platform-http:/secure?oauthProfile=myprofile")
> .to("direct:businessLogic");
> {code}
> Validation remains disabled by default. Existing {{platform-http}} users are
> not affected unless they explicitly configure {{{}oauthProfile{}}}.
> To support platform-specific HTTP runtimes, the {{platform-http}} SPI is
> expanded with a security handler hook. Platform HTTP engines can override the
> secured consumer
> creation path and install validation in their native HTTP/security layer.
> Engines that do not override it use a default Camel fallback that wraps the
> route processor and
> validates before route processing.
> This lets Camel provide a portable default while still allowing Quarkus,
> Spring Boot, Vert.x, or other platform integrations to follow their native
> security model later.
> h3. Example profile
> {code:java}
>
> camel.oauth.myprofile.jwks-endpoint=https://idp.example.com/.well-known/jwks.json
> camel.oauth.myprofile.expected-issuer=https://idp.example.com
> camel.oauth.myprofile.expected-audience=my-api{code}
> h3. Runtime behavior
> * Missing or malformed Bearer token: HTTP 401.
> * Invalid token: HTTP 401.
> * Token validation infrastructure/configuration failure: HTTP 503.
> * Valid token: route processing continues, and the validation result is
> exposed on the Exchange.
> h3. Validation result contract
> The public validation result exposes resource-server-oriented token data:
> * principal name / subject
> * issuer and audience
> * token scopes
> * immutable token attributes/claims
> * validation failure category for fail-closed HTTP handling
> The result intentionally does not perform role/group/authority mapping in
> this issue. Platform integrations such as Spring Boot and Quarkus can map
> claims to their native security models later.
> h3. Non-goals
> * Do not enable authentication automatically for existing consumers.
> * Do not force {{platform-http}} to depend on Spring Security, Quarkus
> Security, or any single framework security model.
> * Do not add authorization/role enforcement in this issue.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
