[backport camel-4.18.x] CAMEL-23504: camel-keycloak - include IS_ACTIVE check in parseAndVerifyAccessToken #23204
Merged
oscerd merged 1 commit intoMay 14, 2026
…fyAccessToken

KeycloakSecurityHelper.parseAndVerifyAccessToken built its TokenVerifier with only SUBJECT_EXISTS_CHECK and a RealmUrlCheck. The Keycloak TokenVerifier starts with an empty internal check list and withChecks(...) appends rather than replacing a default set, so the built-in IS_ACTIVE predicate (which validates the exp and nbf claims) was not part of the verification chain.

Add IS_ACTIVE to the withChecks(...) invocation so the helper enforces the token's validity window in addition to signature, subject and issuer.

Two unit tests are added in KeycloakSecurityHelperTest:

* testParseAndVerifyAccessTokenRejectsExpiredToken signs a token whose exp claim is in the past and asserts that parseAndVerifyAccessToken throws VerificationException.
* testParseAndVerifyAccessTokenAcceptsValidToken signs an unexpired token and asserts that verification returns the parsed claims.

Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
orpiske approved these changes May 14, 2026
Backport of #23197

Cherry-pick of #23197 onto camel-4.18.x.

* Original PR: #23197 — CAMEL-23504: camel-keycloak - include IS_ACTIVE check in parseAndVerifyAccessToken
* Original author: @oscerd
* Target branch: camel-4.18.x
* Tracking issue: https://issues.apache.org/jira/browse/CAMEL-23504

The bug exists on camel-4.18.x with the same code shape as on main — KeycloakSecurityHelper.parseAndVerifyAccessToken builds a TokenVerifier with only SUBJECT_EXISTS_CHECK and a RealmUrlCheck, and Keycloak's TokenVerifier.withChecks(...) appends rather than replacing defaults, so TokenVerifier.IS_ACTIVE (the exp/nbf predicate) is never applied. Cherry-pick applied cleanly with auto-merge.

camel-4.14.x is not affected because the camel-keycloak component does not exist on that line (it was introduced in 4.15.0).

Verification

* git cherry-pick 82fd4094b70 — clean auto-merge, no manual conflict resolution
* mvn clean install -DskipTests -Dquickly from repo root — BUILD SUCCESS

Original description
See #23197.
Claude Code on behalf of Andrea Cosentino
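
The behaviour described in this PR, as an added stand-alone model that is not code from Camel or Keycloak: a verifier whose check list starts empty and contains only what with_checks is given, so an expired but correctly signed token passes until the validity-window check is named. Assumptions: Python with HS256 instead of a realm's asymmetric key, constructed key, issuer and clock values, and hypothetical names (Verifier, before_fix, after_fix).

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"   # constructed; real realms sign with asymmetric keys
REALM = "https://sso.example.test/realms/demo"   # constructed issuer URL
NOW = 1_800_000_000             # constructed fixed clock (epoch seconds)

class VerificationError(Exception):
    pass

def b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mac(head: str, body: str) -> str:
    return b64(hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest())

def sign(claims: dict) -> str:
    head = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64(json.dumps(claims).encode())
    return f"{head}.{body}.{mac(head, body)}"

# Claim checks: each takes (claims, now) and returns True when satisfied.
def subject_exists(c, now): return bool(c.get("sub"))
def realm_url(c, now): return c.get("iss") == REALM
def is_active(c, now):
    exp, nbf = c.get("exp"), c.get("nbf")
    return (exp is None or now <= exp) and (nbf is None or now >= nbf)

class Verifier:
    def __init__(self, token: str):
        self.token, self.checks = token, []   # no claim checks by default

    def with_checks(self, *checks):
        self.checks.extend(checks)            # appends only what the caller names
        return self

    def verify(self, now: int) -> dict:
        p = self.token.split(".")
        if len(p) != 3 or not hmac.compare_digest(mac(p[0], p[1]).encode(), p[2].encode()):
            raise VerificationError("bad signature")
        claims = json.loads(base64.urlsafe_b64decode(p[1] + "=" * (-len(p[1]) % 4)))
        for check in self.checks:
            if not check(claims, now):
                raise VerificationError(f"{check.__name__} failed")
        return claims

def before_fix(token, now=NOW):   # chain as described before the change
    return Verifier(token).with_checks(subject_exists, realm_url).verify(now)

def after_fix(token, now=NOW):    # same chain with the validity-window check added
    return Verifier(token).with_checks(subject_exists, realm_url, is_active).verify(now)

EXPIRED = sign({"sub": "alice", "iss": REALM, "exp": NOW - 3600})  # constructed
```

A regression test for any token-verification helper follows the same shape: sign one token with exp in the past and one with nbf in the future, and require both to be rejected.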