[ 
https://issues.apache.org/jira/browse/CAMEL-23768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18095821#comment-18095821
 ] 

Andrea Cosentino commented on CAMEL-23768:
------------------------------------------

Merged to main for 4.22.0: https://github.com/apache/camel/pull/24527 
(kid-based JWKS key selection, fail-closed on unknown kid). Note: fixVersions 
currently also lists 4.18.4 but no camel-4.18.x backport PR exists yet — either 
a backport is still to be raised or the 4.18.4 fixVersion should be removed 
before resolving. _Claude Code on behalf of oscerd_

> camel-keycloak: select the JWKS verification key by the token kid
> -----------------------------------------------------------------
>
>                 Key: CAMEL-23768
>                 URL: https://issues.apache.org/jira/browse/CAMEL-23768
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-keycloak
>            Reporter: Andrea Cosentino
>            Assignee: Andrea Cosentino
>            Priority: Major
>             Fix For: 4.18.4, 4.22.0
>
>
> KeycloakPublicKeyResolver ignores the JWT header kid and returns the first 
> key in the JWKS. During key rotation (multiple keys present) this can pick 
> the wrong key and reject an otherwise-valid token (the token is still 
> cryptographically verified against a real key, so this is a 
> correctness/availability matter, not a bypass). This proposes passing the 
> token kid through and selecting the matching key, failing closed when no kid 
> match is found.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to