[
https://issues.apache.org/jira/browse/CAMEL-23768?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andrea Cosentino updated CAMEL-23768:
-------------------------------------
Fix Version/s: 4.22.0
(was: 4.21.0)
> camel-keycloak: select the JWKS verification key by the token kid
> -----------------------------------------------------------------
>
> Key: CAMEL-23768
> URL: https://issues.apache.org/jira/browse/CAMEL-23768
> Project: Camel
> Issue Type: Improvement
> Components: camel-keycloak
> Reporter: Andrea Cosentino
> Assignee: Andrea Cosentino
> Priority: Major
> Fix For: 4.18.3, 4.22.0
>
>
> KeycloakPublicKeyResolver ignores the JWT header kid and returns the first
> key in the JWKS. During key rotation (multiple keys present) this can pick
> the wrong key and reject an otherwise-valid token (the token is still
> cryptographically verified against a real key, so this is a
> correctness/availability matter, not a bypass). This proposes passing the
> token kid through and selecting the matching key, failing closed when no kid
> match is found.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
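The behaviour the issue describes (first-key selection versus kid-matched, fail-closed selection) in runnable form. This is an added illustration, not code from camel-keycloak or Keycloak: the JWKS, key ids and tokens are constructed inline, and symmetric `oct`/HS256 keys stand in for the RSA/EC public keys a Keycloak realm actually publishes, purely so the example runs with the Python standard library. The kid-selection logic itself does not depend on the key type.

```python
"""Select a JWKS verification key by the JWT header kid, failing closed
when nothing matches. Added illustration, not camel-keycloak code."""
import base64
import hashlib
import hmac
import json
from typing import Callable, Optional


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class KeyResolutionError(Exception):
    """No single usable key exists for this token: fail closed."""


# Constructed JWKS with two overlapping signing keys, as published during a
# rotation. 'oct' keys are used only so this runs with the standard library;
# Keycloak publishes RSA/EC public keys, but kid selection works the same way.
OLD_SECRET = b"old-secret-0123456789abcdef0123456789abcdef"
NEW_SECRET = b"new-secret-fedcba9876543210fedcba9876543210"
JWKS = {"keys": [
    {"kty": "oct", "use": "sig", "alg": "HS256", "kid": "key-2024-old",
     "k": _b64url_encode(OLD_SECRET)},
    {"kty": "oct", "use": "sig", "alg": "HS256", "kid": "key-2025-new",
     "k": _b64url_encode(NEW_SECRET)},
]}

Resolver = Callable[[dict, Optional[str]], dict]


def resolve_first_key(jwks: dict, kid: Optional[str]) -> dict:
    """Pre-fix behaviour described in the issue: kid is ignored."""
    return jwks["keys"][0]


def resolve_key_by_kid(jwks: dict, kid: Optional[str]) -> dict:
    """Fixed behaviour: exactly one key must carry the token's kid."""
    if not kid:
        raise KeyResolutionError("token header has no kid")
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if len(matches) != 1:
        raise KeyResolutionError(
            f"{len(matches)} keys match kid {kid!r}, expected exactly one")
    return matches[0]


def sign_hs256(claims: dict, secret: bytes, kid: Optional[str]) -> str:
    """Mint a compact JWS for the demo; kid is omitted from the header if None."""
    header = {"alg": "HS256", "typ": "JWT"}
    if kid is not None:
        header["kid"] = kid
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    mac = hmac.new(secret, ".".join(parts).encode("ascii"), hashlib.sha256).digest()
    return ".".join(parts + [_b64url_encode(mac)])


def verify(token: str, jwks: dict, resolver: Resolver) -> dict:
    """Resolve the key with `resolver`, then verify HS256 over the token."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except ValueError as exc:
        raise KeyResolutionError(f"malformed token: {exc}") from exc
    key = resolver(jwks, header.get("kid"))
    # Pin the algorithm to the resolved key, not to the caller-controlled header alone.
    if header.get("alg") != "HS256" or key.get("alg") != "HS256":
        raise KeyResolutionError("algorithm mismatch between header and key")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(_b64url_decode(key["k"]), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature does not verify under the selected key")
    return json.loads(_b64url_decode(payload_b64))


def check(token: str, resolver: Resolver) -> str:
    """Summarise the verification outcome for one token and one resolver."""
    try:
        verify(token, JWKS, resolver)
        return "accepted"
    except KeyResolutionError:
        return "rejected:no-key"
    except ValueError:
        return "rejected:bad-signature"


# Constructed tokens: one per published key, one whose kid was rotated out, one with no kid.
TOKEN_OLD = sign_hs256({"sub": "alice"}, OLD_SECRET, "key-2024-old")
TOKEN_NEW = sign_hs256({"sub": "alice"}, NEW_SECRET, "key-2025-new")
TOKEN_RETIRED_KID = sign_hs256({"sub": "alice"}, NEW_SECRET, "key-2023-retired")
TOKEN_NO_KID = sign_hs256({"sub": "alice"}, NEW_SECRET, None)

if __name__ == "__main__":
    for name, tok in [("old", TOKEN_OLD), ("new", TOKEN_NEW),
                      ("retired kid", TOKEN_RETIRED_KID), ("no kid", TOKEN_NO_KID)]:
        print(f"{name:12} first-key={check(tok, resolve_first_key):24} "
              f"by-kid={check(tok, resolve_key_by_kid)}")
```

Running it shows the availability defect the issue reports: a token signed by the second key in the set verifies fine under `resolve_key_by_kid` but is rejected with a bad signature under `resolve_first_key`, while a token carrying a kid that is no longer published, or no kid at all, is refused outright by the kid-matching resolver instead of being tried against an arbitrary key. Verifying the header `alg` against the resolved key's own `alg` is the extra check a practitioner would want alongside kid selection, since the header is attacker-controlled.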