CAMEL-23760: camel-oauth - require a JWK set to verify token signatures in UserProfile#24032
oscerd wants to merge 1 commit into
…es in UserProfile Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
davsclaus
left a comment
Nice security hardening — the fail-closed approach aligns UserProfile with the JwtTokenValidator SPI path and closes a real gap where tokens could be accepted without signature verification.
No blocking issues found. Two minor suggestions inline.
Note: CI checks have not reported yet on this branch — please verify green before merging.
This review does not replace specialized AI review tools (CodeRabbit, Sourcery) or static analyzers (SonarCloud).
This review was generated by an AI agent and may contain inaccuracies. Please verify all suggestions before applying.
| @@ -180,15 +180,16 @@ private static JsonObject verifyToken(OAuthConfig config, String token, boolean | |||
| // Fetch Keycloak public key | |||
Nit: this comment is a leftover from when the code was Keycloak-specific. The verification is now provider-agnostic (works with any OIDC IdP). Consider updating:
| // Fetch Keycloak public key | |
| // Verify JWS signature against configured JWK set |
| if (!signedJWT.verify(new RSASSAVerifier(publicKey))) { | ||
| throw new OAuthException("Invalid token signature"); | ||
| } | ||
| if (jwkSet == null || jwkSet.isEmpty()) { |
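Review bot: the new `if (jwkSet == null || jwkSet.isEmpty())` branch should reject with a message that is distinct from the `"Invalid token signature"` thrown after `signedJWT.verify(...)`, e.g. `throw new OAuthException("No JWK set configured, cannot verify token signature")`, so that operators can tell a JWK set that failed to load (a deployment problem, worth a WARN log) apart from a token whose signature really does not match. Since the verifier is fixed to `new RSASSAVerifier(publicKey)`, tokens signed with a non-RSA key from an OIDC provider will also fail here; that is acceptable for fail-closed behaviour but worth a sentence in the upgrade guide.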
Good catch adding the null check here — the old code would have thrown an NPE if getJWKSet() returned null (which it can, since OAuthConfig.jwkSet has no default). This is a correctness fix beyond the stated scope of the PR and worth calling out in the description.
Description
The camel-oauth UserProfile token verification skipped the JWS signature check when the configured JWK set was missing or empty, leaving the signature unverified in that case. This makes the signature check mandatory: when the configured JWK set is missing (null or empty), the token is now rejected with an OAuthException rather than accepted. This aligns the UserProfile path with the JwtTokenValidator SPI path, which already fails closed on this condition.
Behaviour change
Documented in the 4.21 upgrade guide.
Testing
Adds UserProfileTest with three cases: rejection on an empty JWK set, rejection on a missing JWK set, and acceptance when the signature verifies against a matching key.
Claude Code on behalf of Andrea Cosentino.
🤖 Generated with Claude Code
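To illustrate the fail-closed behaviour this PR describes, here is an added stand-alone example (not camel-oauth's own code) built on the Nimbus JOSE+JWT classes visible in the diff; the `OAuthException` stub, the method name and the `kid` handling are assumptions, and the signing key and token are constructed in `main` to exercise the same three cases as UserProfileTest.

```java
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

public class FailClosedJwkVerification {
    // Stand-in for camel-oauth's OAuthException (assumption: only the String constructor matters here)
    static class OAuthException extends RuntimeException {
        OAuthException(String msg) { super(msg); }
    }

    // Fail closed: a missing or empty JWK set is a configuration error, never an implicit pass.
    static JWTClaimsSet verifyToken(JWKSet jwkSet, String token) throws Exception {
        if (jwkSet == null || jwkSet.isEmpty()) {
            throw new OAuthException("No JWK set configured, cannot verify token signature");
        }
        SignedJWT signedJWT = SignedJWT.parse(token);
        String kid = signedJWT.getHeader().getKeyID();
        // Assumption: select by kid; a token without kid is only accepted if exactly one key is configured
        JWK jwk = kid != null ? jwkSet.getKeyByKeyId(kid)
                : (jwkSet.getKeys().size() == 1 ? jwkSet.getKeys().get(0) : null);
        if (jwk == null) {
            throw new OAuthException("No key in JWK set matches kid " + kid);
        }
        // Verify the JWS signature against the selected public key
        RSAKey rsaKey = jwk.toRSAKey();
        if (!signedJWT.verify(new RSASSAVerifier(rsaKey.toRSAPublicKey()))) {
            throw new OAuthException("Invalid token signature");
        }
        return signedJWT.getJWTClaimsSet();
    }

    public static void main(String[] args) throws Exception {
        // Constructed IdP key and token for the demo; a real deployment loads the JWK set from the IdP
        RSAKey signingKey = new RSAKeyGenerator(2048).keyID("idp-key-1").generate();
        SignedJWT jwt = new SignedJWT(
                new JWSHeader.Builder(JWSAlgorithm.RS256).keyID("idp-key-1").build(),
                new JWTClaimsSet.Builder().subject("alice").build());
        jwt.sign(new RSASSASigner(signingKey));
        String token = jwt.serialize();
        JWKSet matching = new JWKSet(signingKey.toPublicJWK());
        System.out.println("matching key accepted, sub=" + verifyToken(matching, token).getSubject());
        for (JWKSet bad : new JWKSet[] { null, new JWKSet() }) {   // missing and empty JWK set
            try { verifyToken(bad, token); }
            catch (OAuthException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```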