[ https://issues.apache.org/jira/browse/CAMEL-23504?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Work on CAMEL-23504 started by Andrea Cosentino.
------------------------------------------------
> camel-keycloak: KeycloakSecurityHelper.parseAndVerifyAccessToken should
> include the IS_ACTIVE predicate on TokenVerifier
> ------------------------------------------------------------------------------------------------------------------------
>
> Key: CAMEL-23504
> URL: https://issues.apache.org/jira/browse/CAMEL-23504
> Project: Camel
> Issue Type: Bug
> Components: camel-keycloak
> Reporter: Andrea Cosentino
> Assignee: Andrea Cosentino
> Priority: Major
>
> {{KeycloakSecurityHelper.parseAndVerifyAccessToken}} builds a
> {{TokenVerifier}} chain as follows:
> {code:java}
> TokenVerifier.create(tokenString, AccessToken.class)
>     .publicKey(publicKey)
>     .withChecks(
>         TokenVerifier.SUBJECT_EXISTS_CHECK,
>         new TokenVerifier.RealmUrlCheck(expectedIssuer));
> {code}
> The Keycloak {{TokenVerifier}} exposes a built-in {{IS_ACTIVE}} predicate
> that validates the token's {{exp}} and {{nbf}} claims. It is not included in
> the {{withChecks(...)}} call. Because {{withChecks(...)}} appends to an
> initially empty internal check list (the upstream defaults are only installed
> when {{withDefaultChecks()}} is invoked), {{IS_ACTIVE}} is not applied, and
> the helper does not validate the token's validity window.
> *Proposal:* align with the upstream default check set by either adding
> {{TokenVerifier.IS_ACTIVE}} to the {{withChecks(...)}} invocation, e.g.
> {code:java}
>     .withChecks(
>         TokenVerifier.SUBJECT_EXISTS_CHECK,
>         TokenVerifier.IS_ACTIVE,
>         new TokenVerifier.RealmUrlCheck(expectedIssuer));
> {code}
> or by chaining {{.withDefaultChecks()}} and then adding the {{RealmUrlCheck}}.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
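The following is an added demonstration of the behaviour described in the issue; it is not code from camel-keycloak or from Keycloak. It builds the two TokenVerifier chains side by side, mints an RS256 access token whose exp lies in the past with a locally generated key pair, and shows that the chain without IS_ACTIVE accepts it while the chain with IS_ACTIVE throws TokenNotActiveException. It assumes keycloak-core on the classpath; the issuer URL, the subject "alice" and the class name are made-up values.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;

import org.keycloak.TokenVerifier;
import org.keycloak.common.VerificationException;
import org.keycloak.exceptions.TokenNotActiveException;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.representations.AccessToken;

/**
 * Added demonstration for CAMEL-23504 (not the camel-keycloak helper itself).
 * Compares a withChecks(...) chain that omits TokenVerifier.IS_ACTIVE with one
 * that includes it, using an expired token signed by a key generated here.
 */
public class IsActiveCheckDemo {

    // Assumed realm URL; any value works as long as the token's iss claim matches it.
    static final String ISSUER = "https://sso.example.com/realms/demo";

    /** Chain as described in the issue: signature, subject and issuer only; no validity window. */
    static AccessToken verifyWithoutIsActive(String tokenString, PublicKey publicKey, String expectedIssuer)
            throws VerificationException {
        return TokenVerifier.create(tokenString, AccessToken.class)
                .publicKey(publicKey)
                .withChecks(
                        TokenVerifier.SUBJECT_EXISTS_CHECK,
                        new TokenVerifier.RealmUrlCheck(expectedIssuer))
                .verify()
                .getToken();
    }

    /** Proposed chain: IS_ACTIVE added, so exp and nbf are enforced as well. */
    static AccessToken verifyWithIsActive(String tokenString, PublicKey publicKey, String expectedIssuer)
            throws VerificationException {
        return TokenVerifier.create(tokenString, AccessToken.class)
                .publicKey(publicKey)
                .withChecks(
                        TokenVerifier.SUBJECT_EXISTS_CHECK,
                        TokenVerifier.IS_ACTIVE,
                        new TokenVerifier.RealmUrlCheck(expectedIssuer))
                .verify()
                .getToken();
    }

    /** Mints an RS256-signed access token with the given exp (seconds since the epoch). */
    static String mintToken(PrivateKey signingKey, long exp) {
        AccessToken token = new AccessToken();
        token.subject("alice");   // satisfies SUBJECT_EXISTS_CHECK (assumed subject)
        token.issuer(ISSUER);     // satisfies RealmUrlCheck
        token.type("Bearer");
        token.iat(exp - 300);
        token.exp(exp);
        return new JWSBuilder().type("JWT").jsonContent(token).rsa256(signingKey);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        long now = System.currentTimeMillis() / 1000;
        String expired = mintToken(kp.getPrivate(), now - 3600); // exp one hour in the past

        // Signature, sub and iss are all valid, so the chain without IS_ACTIVE accepts the token.
        AccessToken accepted = verifyWithoutIsActive(expired, kp.getPublic(), ISSUER);
        System.out.println("without IS_ACTIVE: accepted expired token for " + accepted.getSubject());

        // The same token is rejected once IS_ACTIVE is part of the chain.
        try {
            verifyWithIsActive(expired, kp.getPublic(), ISSUER);
            System.out.println("with IS_ACTIVE: unexpectedly accepted");
        } catch (TokenNotActiveException e) {
            System.out.println("with IS_ACTIVE: rejected expired token: " + e.getMessage());
        }
    }
}
```

The same pair of chains can be driven with a token whose nbf is in the future to show the other half of the validity window; IS_ACTIVE covers both claims because it delegates to JsonWebToken.isActive(). Note that withDefaultChecks() would also install the Bearer token-type check, so a caller that switches to it must make sure the tokens it accepts carry typ=Bearer.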