oscerd opened a new pull request, #23958: URL: https://github.com/apache/camel/pull/23958
This implements [CAMEL-23738](https://issues.apache.org/jira/browse/CAMEL-23738).

`KeycloakSecurityPolicy` performs access-token verification (signature, issuer and expiry for local JWT, or active state and issuer for token introspection) only inside the role and permission checks in `KeycloakSecurityProcessor`. Those checks are skipped when `requiredRoles` and `requiredPermissions` are both empty — the default, and the documented "Basic Setup" — so the token was not verified in that configuration.

This change makes `beforeProcess()` always authenticate the token when one is present, independently of whether roles or permissions are configured. Role and permission checks now run only after authentication, and an invalid or unverifiable token is rejected the same way a missing token is.

### Changes

- `KeycloakSecurityProcessor`: add `authenticateToken()` and invoke it when no roles/permissions are configured; the existing role/permission code paths are unchanged (no double verification).
- New `KeycloakSecurityProcessorTest` covering local JWT and token-introspection modes with no roles/permissions configured.
- Component docs note and 4.21 upgrade-guide entry for the behavior change.

### Testing

- `camel-keycloak` module: unit tests + Testcontainers integration tests green.
- Full reactor `mvn clean install -DskipTests`: green.

_Claude Code on behalf of Andrea Cosentino_

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
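To make the ordering problem described in the PR concrete, here is an added, self-contained Java model; it is not Camel's own code, the class, method and token names are hypothetical, real JWT/introspection verification is replaced by a constructed issuer-and-expiry check, and permission checks are collapsed into a single role check. The pre-fix shape gates verification behind the role check, so with no roles configured an expired or wrong-issuer token is accepted; the post-fix shape authenticates before any authorization decision.

```java
import java.time.Instant;
import java.util.Set;

// Hypothetical model of the "authorize gated authenticate" bug, not Camel code.
public class AuthenticateBeforeAuthorize {
    // Constructed stand-in for a parsed access token (a real processor would
    // verify a JWT signature or call the Keycloak introspection endpoint).
    record Token(String issuer, Instant expiresAt, Set<String> roles) {}

    static final String TRUSTED_ISSUER = "https://keycloak.example/realms/demo";

    // Stand-in for signature/issuer/expiry verification in local JWT mode.
    static boolean verify(Token t) {
        return t != null
                && TRUSTED_ISSUER.equals(t.issuer())
                && t.expiresAt().isAfter(Instant.now());
    }

    // Pre-fix shape: verification lives inside the role check, so when
    // requiredRoles is empty the token is never verified at all.
    static boolean beforeProcessOld(Token token, Set<String> requiredRoles) {
        if (token == null) return false;          // missing token: rejected
        if (!requiredRoles.isEmpty()) {
            if (!verify(token)) return false;
            return token.roles().containsAll(requiredRoles);
        }
        return true;                              // unverified token passes through
    }

    // Post-fix shape: authenticate unconditionally, then authorize.
    static boolean beforeProcessNew(Token token, Set<String> requiredRoles) {
        if (token == null || !verify(token)) return false;
        return requiredRoles.isEmpty() || token.roles().containsAll(requiredRoles);
    }

    public static void main(String[] args) {
        // Constructed samples: one expired token from the trusted issuer,
        // one unexpired token from an untrusted issuer.
        Token expired = new Token(TRUSTED_ISSUER, Instant.now().minusSeconds(60), Set.of("user"));
        Token wrongIssuer = new Token("https://untrusted.example/realms/other",
                Instant.now().plusSeconds(600), Set.of("admin"));
        Set<String> noRoles = Set.of();

        System.out.println("old, no roles, expired:      " + beforeProcessOld(expired, noRoles));
        System.out.println("new, no roles, expired:      " + beforeProcessNew(expired, noRoles));
        System.out.println("old, no roles, wrong issuer: " + beforeProcessOld(wrongIssuer, noRoles));
        System.out.println("new, no roles, wrong issuer: " + beforeProcessNew(wrongIssuer, noRoles));
        System.out.println("old, roles={user}, expired:  " + beforeProcessOld(expired, Set.of("user")));
    }
}
```

The last line shows why the bug was invisible in any deployment that configured roles: with a non-empty `requiredRoles` both shapes reject the expired token, and only the empty-roles default exposes the difference.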
