[ https://issues.apache.org/jira/browse/CAMEL-22581?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Claus Ibsen updated CAMEL-22581:
--------------------------------
Fix Version/s: 4.16.0
> OAuth may validate token audience incorrectly
> ----------------------------------------------
>
> Key: CAMEL-22581
> URL: https://issues.apache.org/jira/browse/CAMEL-22581
> Project: Camel
> Issue Type: Bug
> Components: camel-oauth
> Reporter: Thomas Diesler
> Assignee: Thomas Diesler
> Priority: Major
> Fix For: 4.16.0
>
>
> Tassos says:
> It seems that, while verifying the JWT token, the camel-oauth library expects
> the audience value to be equal to clientId. Is it by design or is it a bug?
> More specifically, inside *UserProfile.java*:
> {code:java}
> if (!target.isEmpty()) {
>     if (!idToken && jwtOptions.getAudience() != null) {
>         for (String el : jwtOptions.getAudience()) {
>             if (!target.contains(el)) {
>                 throw new OAuthException("Invalid JWT audience. expected: " + el);
>             }
>         }
>     } else if (!target.contains(config.getClientId())) {
>         throw new OAuthException("Invalid JWT audience. expected: " + config.getClientId());
>     }
> }
> {code}
> However, in OAuth2 access tokens, "aud" is normally the resource server (the
> API audience), not the client_id.
> If it is by design, is it possible to make the audience verification optional?
> When used on the client side it would make sense. Or is there a way to
> configure that?
> Best regards,
> Tassos
> PS: it is regarding the client_credentials flow.
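As an added illustration (not Camel's code and not the change made for this issue), the class below models the distinction in the report: an ID token is audienced at the client, so client_id is the right expectation there, while an access token is audienced at the resource server, so it is checked against a configured resource identifier instead. The AudienceCheck class, the resourceAudiences setting and the sample claim values are assumptions for the example.

```java
import java.util.List;
import java.util.Set;

/** Illustrative "aud" check; parsing and signature verification are assumed to happen before this. */
public final class AudienceCheck {
    public static final class InvalidAudienceException extends RuntimeException {
        InvalidAudienceException(String msg) { super(msg); }
    }

    /**
     * @param aud               the token's "aud" claim, already normalised to a set (RFC 7519 allows string or array)
     * @param idToken           true for an OIDC ID token, false for an OAuth2 access token
     * @param clientId          this application's client_id
     * @param resourceAudiences identifiers this resource server accepts in access tokens (assumed config)
     */
    static void verifyAudience(Set<String> aud, boolean idToken, String clientId, List<String> resourceAudiences) {
        if (idToken) {
            // An ID token is issued to the client, so its "aud" must contain the client_id (OIDC Core 3.1.3.7).
            if (!aud.contains(clientId)) {
                throw new InvalidAudienceException("ID token aud " + aud + " lacks client_id " + clientId);
            }
            return;
        }
        // An access token is issued for the resource server; the client_id says nothing about who may accept it.
        if (resourceAudiences == null || resourceAudiences.isEmpty()) {
            // Fail closed: without an expected audience the token cannot be shown to be meant for this service.
            throw new InvalidAudienceException("no expected resource audience configured");
        }
        for (String expected : resourceAudiences) {
            if (aud.contains(expected)) {
                return; // any one accepted audience is sufficient (policy choice for this example)
            }
        }
        throw new InvalidAudienceException("access token aud " + aud + " matches none of " + resourceAudiences);
    }

    public static void main(String[] args) {
        // Constructed sample claims, not real tokens.
        Set<String> idTokenAud = Set.of("my-client");
        Set<String> accessTokenAud = Set.of("https://api.example.com");
        verifyAudience(idTokenAud, true, "my-client", List.of());                                // ok
        verifyAudience(accessTokenAud, false, "my-client", List.of("https://api.example.com")); // ok
        try {
            // The pattern the report describes: an access token checked against the client_id.
            verifyAudience(accessTokenAud, false, "my-client", List.of("my-client"));
        } catch (InvalidAudienceException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```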
--
This message was sent by Atlassian Jira
(v8.20.10#820010)