CAMEL-23504: camel-keycloak - include IS_ACTIVE check in parseAndVerifyAccessToken#23197
Merged
Conversation
…fyAccessToken
KeycloakSecurityHelper.parseAndVerifyAccessToken built its TokenVerifier with only SUBJECT_EXISTS_CHECK and a RealmUrlCheck. The Keycloak TokenVerifier starts with an empty internal check list and withChecks(...) appends rather than replacing a default set, so the built-in IS_ACTIVE predicate (which validates the exp and nbf claims) was not part of the verification chain.

Add IS_ACTIVE to the withChecks(...) invocation so the helper enforces the token's validity window in addition to signature, subject and issuer.

Two unit tests are added in KeycloakSecurityHelperTest:
* testParseAndVerifyAccessTokenRejectsExpiredToken signs a token whose exp claim is in the past and asserts that parseAndVerifyAccessToken throws VerificationException.
* testParseAndVerifyAccessTokenAcceptsValidToken signs an unexpired token and asserts that verification returns the parsed claims.

Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
davsclaus
approved these changes
May 13, 2026
Contributor
🌟 Thank you for your contribution to the Apache Camel project! 🌟 🐫 Apache Camel Committers, please review the following items:
Contributor
🧪 CI tested the following changed modules:
All tested modules (8 modules)
orpiske
approved these changes
May 14, 2026
Summary
KeycloakSecurityHelper.parseAndVerifyAccessToken built its TokenVerifier with only SUBJECT_EXISTS_CHECK and a RealmUrlCheck. Keycloak's TokenVerifier starts with an empty internal check list and withChecks(...) appends rather than replacing a default set, so the built-in IS_ACTIVE predicate (which validates the exp and nbf claims) was not part of the verification chain.

This PR adds TokenVerifier.IS_ACTIVE to the withChecks(...) invocation so the helper enforces the token's validity window in addition to signature, subject, and issuer.
Tracking issue: https://issues.apache.org/jira/browse/CAMEL-23504
Changes
* KeycloakSecurityHelper.java: include TokenVerifier.IS_ACTIVE in the .withChecks(...) call.
* KeycloakSecurityHelperTest.java: two new tests
  * testParseAndVerifyAccessTokenRejectsExpiredToken — signs a token whose exp claim is one hour in the past with an RSA key and asserts that parseAndVerifyAccessToken throws VerificationException.
  * testParseAndVerifyAccessTokenAcceptsValidToken — signs an unexpired token and asserts verification returns the parsed claims (happy-path regression test).
Test plan
* mvn install in components/camel-keycloak — 16/16 tests pass
* mvn clean install -DskipTests -Dquickly from repo root — BUILD SUCCESS

Claude Code on behalf of Andrea Cosentino
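The point the PR description makes, shown as an added stand-alone example (this is not the camel-keycloak helper or its tests): the Keycloak TokenVerifier only runs the predicates passed to withChecks(...), so a chain built from SUBJECT_EXISTS_CHECK and RealmUrlCheck alone verifies the signature, subject and issuer of an expired token and accepts it, while the same chain with TokenVerifier.IS_ACTIVE added rejects it. The two verifier methods and the token-signing helper are hypothetical names written for this example; beyond TokenVerifier, SUBJECT_EXISTS_CHECK, IS_ACTIVE, RealmUrlCheck and VerificationException, which the page names, the use of JWSBuilder and of the AccessToken claim setters (subject, issuer, iat, exp) is assumed from Keycloak's public API, and the realm URL and subject are constructed values.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;

import org.keycloak.TokenVerifier;
import org.keycloak.common.VerificationException;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.representations.AccessToken;

/**
 * Illustrative example only (not the camel-keycloak code): the same verifier
 * chain before and after adding TokenVerifier.IS_ACTIVE. Method names here are
 * hypothetical.
 */
public final class ValidityWindowExample {

    /** Chain as described before the fix: signature, subject and issuer, but nothing looks at exp/nbf. */
    static AccessToken verifyWithoutWindow(String jwt, PublicKey realmKey, String realmUrl)
            throws VerificationException {
        return TokenVerifier.create(jwt, AccessToken.class)
                .withChecks(TokenVerifier.SUBJECT_EXISTS_CHECK,
                            new TokenVerifier.RealmUrlCheck(realmUrl))
                .publicKey(realmKey)
                .verify()
                .getToken();
    }

    /** Chain after the fix: withChecks(...) only appends, so IS_ACTIVE has to be listed explicitly. */
    static AccessToken verifyWithWindow(String jwt, PublicKey realmKey, String realmUrl)
            throws VerificationException {
        return TokenVerifier.create(jwt, AccessToken.class)
                .withChecks(TokenVerifier.SUBJECT_EXISTS_CHECK,
                            TokenVerifier.IS_ACTIVE,
                            new TokenVerifier.RealmUrlCheck(realmUrl))
                .publicKey(realmKey)
                .verify()
                .getToken();
    }

    /** Signs a token whose exp claim is one hour in the past (assumed AccessToken setters, JWSBuilder API). */
    static String signExpiredToken(PrivateKey signingKey, String realmUrl) {
        long now = System.currentTimeMillis() / 1000L;
        AccessToken token = new AccessToken();
        token.subject("user-1");      // constructed value; SUBJECT_EXISTS_CHECK requires a sub claim
        token.issuer(realmUrl);       // RealmUrlCheck compares iss against the realm URL
        token.iat(now - 7200L);
        token.exp(now - 3600L);       // already expired: only IS_ACTIVE notices this
        return new JWSBuilder().type("JWT").jsonContent(token).rsa256(signingKey);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();
        String realmUrl = "https://idp.example.test/realms/demo"; // constructed value
        String expired = signExpiredToken(pair.getPrivate(), realmUrl);

        // Signature, subject and issuer are all fine, so the pre-fix chain accepts the expired token.
        AccessToken accepted = verifyWithoutWindow(expired, pair.getPublic(), realmUrl);
        System.out.println("without IS_ACTIVE: accepted sub=" + accepted.getSubject());

        // With IS_ACTIVE in the chain the same token fails on its validity window.
        try {
            verifyWithWindow(expired, pair.getPublic(), realmUrl);
            System.out.println("with IS_ACTIVE: unexpectedly accepted");
        } catch (VerificationException e) {
            System.out.println("with IS_ACTIVE: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The signing helper mirrors what the PR's expired-token test does: a locally generated RSA key signs a token that is otherwise well-formed, so the only reason for rejection is the exp claim, which isolates the behaviour of IS_ACTIVE from the other checks.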