Andrea Cosentino created CAMEL-23504:
----------------------------------------
Summary: camel-keycloak: KeycloakSecurityHelper.parseAndVerifyAccessToken should include the IS_ACTIVE predicate on TokenVerifier
Key: CAMEL-23504
URL: https://issues.apache.org/jira/browse/CAMEL-23504
Project: Camel
Issue Type: Bug
Components: camel-keycloak
Reporter: Andrea Cosentino
Assignee: Andrea Cosentino
{{KeycloakSecurityHelper.parseAndVerifyAccessToken}} builds a {{TokenVerifier}}
chain as follows:
{code:java}
TokenVerifier.create(tokenString, AccessToken.class)
        .publicKey(publicKey)
        .withChecks(
                TokenVerifier.SUBJECT_EXISTS_CHECK,
                new TokenVerifier.RealmUrlCheck(expectedIssuer));
{code}
The Keycloak {{TokenVerifier}} exposes a built-in {{IS_ACTIVE}} predicate that
validates the token's {{exp}} and {{nbf}} claims. It is not included in the
{{withChecks(...)}} call. Because {{withChecks(...)}} appends to an initially
empty internal check list (the upstream defaults are only installed when
{{withDefaultChecks()}} is invoked), {{IS_ACTIVE}} is not applied, and the
helper does not validate the token's validity window.
*Proposal:* align with the upstream default check set by either adding
{{TokenVerifier.IS_ACTIVE}} to the {{withChecks(...)}} invocation, e.g.
{code:java}
        .withChecks(
                TokenVerifier.SUBJECT_EXISTS_CHECK,
                TokenVerifier.IS_ACTIVE,
                new TokenVerifier.RealmUrlCheck(expectedIssuer));
{code}
or by chaining {{.withDefaultChecks()}} and then adding the {{RealmUrlCheck}}.
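As an added illustration (not part of this issue or of the camel-keycloak code), the two chains side by side, run against a constructed token that is correctly signed with the right subject and issuer but expired a minute ago. It assumes a Keycloak release where {{JsonWebToken}} exposes {{exp(Long)}} and {{JWSBuilder.rsa256(PrivateKey)}} is available; the key pair and issuer URL are throwaway placeholders.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;

import org.keycloak.TokenVerifier;
import org.keycloak.common.VerificationException;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.representations.AccessToken;

public class ActiveCheckDemo {

    // Same chain as the helper: signature, subject and issuer are checked, exp/nbf are not.
    static AccessToken verifyWithoutActiveCheck(String token, PublicKey key, String issuer)
            throws VerificationException {
        return TokenVerifier.create(token, AccessToken.class)
                .publicKey(key)
                .withChecks(TokenVerifier.SUBJECT_EXISTS_CHECK,
                            new TokenVerifier.RealmUrlCheck(issuer))
                .verify()
                .getToken();
    }

    // Proposed chain: IS_ACTIVE additionally rejects expired or not-yet-valid tokens.
    static AccessToken verifyWithActiveCheck(String token, PublicKey key, String issuer)
            throws VerificationException {
        return TokenVerifier.create(token, AccessToken.class)
                .publicKey(key)
                .withChecks(TokenVerifier.SUBJECT_EXISTS_CHECK,
                            TokenVerifier.IS_ACTIVE,
                            new TokenVerifier.RealmUrlCheck(issuer))
                .verify()
                .getToken();
    }

    public static void main(String[] args) throws Exception {
        // Constructed fixture: a throwaway RSA key pair stands in for the realm signing key.
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        String issuer = "https://keycloak.example/realms/demo"; // placeholder issuer

        // Constructed token: valid signature, subject and issuer, but exp is 60 s in the past.
        AccessToken expired = new AccessToken();
        expired.subject("user-123");
        expired.issuer(issuer);
        expired.exp(System.currentTimeMillis() / 1000 - 60);
        String jwt = new JWSBuilder().type("JWT").jsonContent(expired).rsa256(kp.getPrivate());

        System.out.println("without IS_ACTIVE: accepted sub="
                + verifyWithoutActiveCheck(jwt, kp.getPublic(), issuer).getSubject());
        try {
            verifyWithActiveCheck(jwt, kp.getPublic(), issuer);
            System.out.println("with IS_ACTIVE: accepted (unexpected)");
        } catch (VerificationException e) {
            System.out.println("with IS_ACTIVE: rejected: " + e.getMessage());
        }
    }
}
```

The first call returns the expired token's subject; the second throws {{VerificationException}}, which is the behaviour the proposal restores.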