oscerd opened a new pull request, #24540: URL: https://github.com/apache/camel/pull/24540
## Backport of #24477 Cherry-pick of #24477 onto `camel-4.18.x`. **Original PR:** #24477 - CAMEL-23875: camel-keycloak - add optional audience (aud) validation to token verification **Original author:** @ammachado **Target branch:** `camel-4.18.x` **JIRA:** https://issues.apache.org/jira/browse/CAMEL-23875 ### What this backports Adds the opt-in `expectedAudience` option to `KeycloakSecurityPolicy`. When set, tokens whose `aud` claim does not contain every configured audience are rejected — enforced on both the local JWT verification path (via Keycloak's `TokenVerifier.audience(...)`) and the token-introspection path. **Disabled by default for backward compatibility.** This lets operators on the 4.18.x line close the multi-client token-confusion gap (a token issued for one client being accepted by a route intended for another client in the same realm). ### Backport notes - The three core classes (`KeycloakSecurityHelper`, `KeycloakSecurityPolicy`, `KeycloakSecurityProcessor`) and the `KeycloakSecurityPolicyTest` / `KeycloakSecurityProcessorTest` cherry-picked cleanly. - `KeycloakSecurityHelperTest` had a trivial import-block conflict; resolved to match the upstream file exactly (simple names, no FQCNs). - **Documentation:** the upstream change edited `keycloak-security.adoc`, which does **not** exist on 4.18.x — that page was introduced on `main` by the later docs split (CAMEL-23806) which is intentionally not backported. The new *Audience Validation* section was therefore ported into `keycloak-component.adoc`, where the security-policy documentation lives on 4.18.x. ### Original description > Add opt-in `expectedAudience` option to `KeycloakSecurityPolicy` so tokens whose `aud` claim does not contain every configured audience are rejected. This prevents a token issued for one client from being accepted by routes intended for another client in multi-client Keycloak realms. Enforced on both local JWT verification (via Keycloak's `TokenVerifier.audience`) and token introspection. Disabled by default for backward compatibility. --- _Claude Code on behalf of Andrea Cosentino (@oscerd)_ -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
