[
https://issues.apache.org/jira/browse/CAMEL-23685?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Claus Ibsen updated CAMEL-23685:
--------------------------------
Fix Version/s: 4.21.0
> Expose public token validation API for incoming Bearer tokens (JWT and opaque)
> ------------------------------------------------------------------------------
>
> Key: CAMEL-23685
> URL: https://issues.apache.org/jira/browse/CAMEL-23685
> Project: Camel
> Issue Type: Improvement
> Components: camel-oauth
> Affects Versions: 4.20.0
> Reporter: Luigi De Masi
> Assignee: Luigi De Masi
> Priority: Major
> Fix For: 4.21.0
>
>
> {{camel-oauth}} currently provides OAuth support mainly for
> producer/client-side token acquisition. It should also expose a reusable
> public API for validating incoming
> {{Authorization: Bearer}} tokens on consumer/resource-server routes.
> This issue adds a public OAuth token validation API for incoming Bearer
> tokens, supporting both JWT and opaque tokens.
> h2. Scope
> * Add a public SPI/API for validating incoming Bearer tokens.
> * Support JWT validation using JWKS, signature validation, expiry, issuer,
> and audience checks.
> * Support opaque token validation using OAuth 2.0 token introspection.
> * Support named OAuth validation profiles using {{camel.oauth.<profile>.*}}
> properties.
> * Allow components and route code to call token validation without directly
> depending on {{camel-oauth}} implementation classes.
> h2. platform-http SPI extension
> In addition to the generic validation API, this issue adds an opt-in
> {{platform-http}} integration point.
> A `platform-http` consumer can enable Bearer token validation with:
> {code:java}
> from("platform-http:/secure?oauthProfile=myprofile")
> .to("direct:businessLogic");
> {code}
> Validation remains disabled by default. Existing {{platform-http}} users are
> not affected unless they explicitly configure {{{}oauthProfile{}}}.
> To support platform-specific HTTP runtimes, the {{platform-http}} SPI is
> expanded with a security handler hook. Platform HTTP engines can override the
> secured consumer
> creation path and install validation in their native HTTP/security layer.
> Engines that do not override it use a default Camel fallback that wraps the
> route processor and
> validates before route processing.
> This lets Camel provide a portable default while still allowing Quarkus,
> Spring Boot, Vert.x, or other platform integrations to follow their native
> security model later.
> h3. Example profile
> {code:java}
>
> camel.oauth.myprofile.jwks-endpoint=https://idp.example.com/.well-known/jwks.json
> camel.oauth.myprofile.expected-issuer=https://idp.example.com
> camel.oauth.myprofile.expected-audience=my-api{code}
> h3. Runtime behavior
> * Missing or malformed Bearer token: HTTP 401.
> * Invalid token: HTTP 401.
> * Token validation infrastructure/configuration failure: HTTP 503.
> * Valid token: route processing continues, and the validation result is
> exposed on the Exchange.
> h3. Validation result contract
> The public validation result exposes resource-server-oriented token data:
> * principal name / subject
> * issuer and audience
> * token scopes
> * immutable token attributes/claims
> * validation failure category for fail-closed HTTP handling
> The result intentionally does not perform role/group/authority mapping in
> this issue. Platform integrations such as Spring Boot and Quarkus can map
> claims to their native security models later.
> h3. Non-goals
> * Do not enable authentication automatically for existing consumers.
> * Do not force {{platform-http}} to depend on Spring Security, Quarkus
> Security, or any single framework security model.
> * Do not add authorization/role enforcement in this issue.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
