[
https://issues.apache.org/jira/browse/CAMEL-23875?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andrea Cosentino resolved CAMEL-23875.
--------------------------------------
Resolution: Fixed
Fixed on main via https://github.com/apache/camel/pull/24477 (4.22.0) and
backported to camel-4.18.x via https://github.com/apache/camel/pull/24540
(4.18.4).
_Claude Code on behalf of Andrea Cosentino (@oscerd)_
> camel-keycloak: add optional audience (aud) validation to token verification
> ----------------------------------------------------------------------------
>
> Key: CAMEL-23875
> URL: https://issues.apache.org/jira/browse/CAMEL-23875
> Project: Camel
> Issue Type: Improvement
> Components: camel-keycloak
> Reporter: Andrea Cosentino
> Assignee: Adriano Machado
> Priority: Major
> Fix For: 4.18.4, 4.22.0
>
>
> h3. Background
> camel-keycloak validates incoming bearer tokens in two ways: local JWT
> verification ({{KeycloakSecurityHelper.parseAndVerifyAccessToken}}) and OAuth
> 2.0 token introspection. Both verify the token subject, active/expiry state,
> and issuer, but neither inspects the token's {{aud}} (audience) claim, and
> {{KeycloakSecurityPolicy}} exposes no audience-related option.
> In a realm that issues tokens to more than one client, a correctly-signed
> token minted for one client is accepted by a route intended for another,
> because only realm/client roles are compared. Operators relying on Keycloak's
> multi-client separation currently cannot ask camel-keycloak to enforce which
> client a token was issued for.
> Camel's own security review checklist lists audience checking as something an
> authentication component should be able to enforce, and the newer camel-oauth
> stack ({{JwtTokenValidator}}) already validates audience by default with an
> explicit opt-out.
> h3. Proposed change
> * Add an optional {{expectedAudience}} (or similarly named) field to
> {{KeycloakSecurityPolicy}}, following the existing {{@UriParam}} conventions
> used for {{validateIssuer}}.
> * When configured, extend the local verification path
> ({{parseAndVerifyAccessToken}}, ~lines 53-81) and the introspection path to
> reject a token whose {{aud}} claim does not include the expected value.
> * Document the multi-client behavior in the camel-keycloak component docs.
> h3. Affected code
> *
> {{components/camel-keycloak/src/main/java/org/apache/camel/component/keycloak/security/KeycloakSecurityHelper.java}}
> *
> {{components/camel-keycloak/src/main/java/org/apache/camel/component/keycloak/security/KeycloakSecurityPolicy.java}}
> h3. Notes
> Backward compatible: audience checking only applies when an expected audience
> is configured. Tests should cover a matching audience, a non-matching
> audience, and no audience configured (current behavior preserved).
--
This message was sent by Atlassian Jira
(v8.20.10#820010)