replaced and removed deprecated token methods (#27715)

closes #19671 Signed-off-by: Mark Banierink <mark.banierink@nedap.com> Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-23 09:23:37 +02:00 · 2024-04-23 09:23:37 +02:00 · ad32896725
commit ad32896725
parent 8e48bac278
42 changed files with 216 additions and 259 deletions
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java
@ -110,7 +110,7 @@ public class BearerTokenRequestAuthenticator {
            challenge = challengeResponse(exchange, OIDCAuthenticationError.Reason.INVALID_TOKEN, "invalid_token", e.getMessage());
            return AuthOutcome.FAILED;
        }
-        if (token.getIssuedAt() < deployment.getNotBefore()) {
+        if (token.getIat() < deployment.getNotBefore()) {
            log.debug("Stale token");
            challenge = challengeResponse(exchange,  OIDCAuthenticationError.Reason.STALE_TOKEN, "invalid_token", "Stale token");
            return AuthOutcome.FAILED;
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java
@ -369,7 +369,7 @@ public class OAuthRequestAuthenticator {
        if (tokenResponse.getNotBeforePolicy() > deployment.getNotBefore()) {
            deployment.updateNotBefore(tokenResponse.getNotBeforePolicy());
        }
-        if (token.getIssuedAt() < deployment.getNotBefore()) {
+        if (token.getIat() < deployment.getNotBefore()) {
            log.error("Stale token");
            return challenge(403, OIDCAuthenticationError.Reason.STALE_TOKEN, null);
        }
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RefreshableKeycloakSecurityContext.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RefreshableKeycloakSecurityContext.java
@ -88,11 +88,11 @@ public class RefreshableKeycloakSecurityContext extends KeycloakSecurityContext
    }

    public boolean isActive() {
-        return token != null && this.token.isActive() && deployment!=null && this.token.getIssuedAt() >= deployment.getNotBefore();
+        return token != null && this.token.isActive() && deployment!=null && this.token.getIat() >= deployment.getNotBefore();
    }

    public boolean isTokenTimeToLiveSufficient(AccessToken token) {
-        return token != null && (token.getExpiration() - this.deployment.getTokenMinimumTimeToLive()) > Time.currentTime();
+        return token != null && (token.getExp() - this.deployment.getTokenMinimumTimeToLive()) > Time.currentTime();
    }

    public KeycloakDeployment getDeployment() {
--- a/adapters/oidc/adapter-core/src/test/java/org/keycloak/adapters/RefreshableKeycloakSecurityContextTest.java
+++ b/adapters/oidc/adapter-core/src/test/java/org/keycloak/adapters/RefreshableKeycloakSecurityContextTest.java
@ -43,13 +43,13 @@ public class RefreshableKeycloakSecurityContextTest {

 		TokenMetadataRepresentation token = new TokenMetadataRepresentation();
 		token.setActive(true);
-		token.issuedAt(4999);
+		token.iat(4999L);

 		RefreshableKeycloakSecurityContext sut = new RefreshableKeycloakSecurityContext(keycloakDeployment,null,null,token,null, null, null);

 		assertFalse(sut.isActive());

-		token.issuedAt(5000);
+		token.iat(5000L);
 		assertTrue(sut.isActive());
 	}
 	
--- a/adapters/oidc/installed/src/main/java/org/keycloak/adapters/installed/KeycloakInstalled.java
+++ b/adapters/oidc/installed/src/main/java/org/keycloak/adapters/installed/KeycloakInstalled.java
@ -18,12 +18,10 @@
 package org.keycloak.adapters.installed;

 import java.awt.Desktop;
-import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.io.PrintStream;
-import java.io.PrintWriter;
 import java.io.Reader;
 import java.net.InetSocketAddress;
 import java.net.URI;
@ -37,16 +35,9 @@ import java.util.UUID;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.ForkJoinPool;
 import java.util.concurrent.TimeUnit;
-import java.util.regex.Matcher;
 import java.util.regex.Pattern;

-import javax.ws.rs.client.Entity;
-import javax.ws.rs.core.Form;
-import javax.ws.rs.core.HttpHeaders;
-import javax.ws.rs.core.Response;
-
 import org.jboss.resteasy.client.jaxrs.ResteasyClient;
-import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
 import org.keycloak.OAuth2Constants;
 import org.keycloak.OAuthErrorException;
 import org.keycloak.adapters.KeycloakDeployment;
@ -314,7 +305,7 @@ public class KeycloakInstalled {
    }

    public String getTokenString(long minValidity, TimeUnit unit) throws VerificationException, IOException, ServerRequest.HttpFailure {
-        long expires = ((long) token.getExpiration()) * 1000 - unit.toMillis(minValidity);
+        long expires = ((long) token.getExp()) * 1000 - unit.toMillis(minValidity);
        if (expires < System.currentTimeMillis()) {
            refreshToken();
        }
--- a/authz/client/src/main/java/org/keycloak/authorization/client/util/TokenCallable.java
+++ b/authz/client/src/main/java/org/keycloak/authorization/client/util/TokenCallable.java
@ -106,7 +106,7 @@ public class TokenCallable implements Callable<String> {
    }

    public boolean isTokenTimeToLiveSufficient(AccessToken token) {
-        return token != null && (token.getExpiration() - getConfiguration().getTokenMinimumTimeToLive()) > Time.currentTime();
+        return token != null && (token.getExp() - getConfiguration().getTokenMinimumTimeToLive()) > Time.currentTime();
    }

    /**
--- a/core/src/main/java/org/keycloak/protocol/oidc/client/authentication/JWTClientCredentialsProvider.java
+++ b/core/src/main/java/org/keycloak/protocol/oidc/client/authentication/JWTClientCredentialsProvider.java
@ -182,10 +182,10 @@ public class JWTClientCredentialsProvider implements ClientCredentialsProvider {
        reqToken.subject(clientId);
        reqToken.audience(realmInfoUrl);

-        int now = Time.currentTime();
-        reqToken.issuedAt(now);
-        reqToken.expiration(now + this.tokenTimeout);
-        reqToken.notBefore(now);
+        long now = Time.currentTime();
+        reqToken.iat(now);
+        reqToken.exp(now + this.tokenTimeout);
+        reqToken.nbf(now);

        return reqToken;
    }
--- a/core/src/main/java/org/keycloak/protocol/oidc/client/authentication/JWTClientSecretCredentialsProvider.java
+++ b/core/src/main/java/org/keycloak/protocol/oidc/client/authentication/JWTClientSecretCredentialsProvider.java
@ -131,11 +131,11 @@ public class JWTClientSecretCredentialsProvider implements ClientCredentialsProv
        reqToken.subject(clientId);
        reqToken.audience(realmInfoUrl);

-        int now = Time.currentTime();
-        reqToken.issuedAt(now);
+        long now = Time.currentTime();
+        reqToken.iat(now);
        // the same as in KEYCLOAK-2986, JWTClientCredentialsProvider's timeout field
-        reqToken.expiration(now + 10);
-        reqToken.notBefore(now);
+        reqToken.exp(now + 10);
+        reqToken.nbf(now);
        return reqToken;
    }

--- a/core/src/main/java/org/keycloak/representations/AccessToken.java
+++ b/core/src/main/java/org/keycloak/representations/AccessToken.java
@ -205,22 +205,6 @@ public class AccessToken extends IDToken {
        return (AccessToken) super.id(id);
    }

-    @Override
-    public AccessToken expiration(int expiration) {
-        return (AccessToken) super.expiration(expiration);
-    }
-
-    @Override
-    public AccessToken notBefore(int notBefore) {
-        return (AccessToken) super.notBefore(notBefore);
-    }
-
-
-    @Override
-    public AccessToken issuedAt(int issuedAt) {
-        return (AccessToken) super.issuedAt(issuedAt);
-    }
-
    @Override
    public AccessToken issuer(String issuer) {
        return (AccessToken) super.issuer(issuer);
--- a/core/src/main/java/org/keycloak/representations/IDToken.java
+++ b/core/src/main/java/org/keycloak/representations/IDToken.java
@ -154,27 +154,10 @@ public class IDToken extends JsonWebToken {
        return auth_time;
    }

-    /**
-     * @deprecated int will overflow with values after 2038. Use {@link #getAuth_time()} instead.
-     */
-    @Deprecated
-    @JsonIgnore
-    public int getAuthTime() {
-        return auth_time != null ? auth_time.intValue() : 0;
-    }
-
    public void setAuth_time(Long auth_time) {
        this.auth_time = auth_time;
    }

-    /**
-     * @deprecated int will overflow with values after 2038. Use {@link #setAuth_time(Long)} ()} instead.
-     */
-    public void setAuthTime(int authTime) {
-        this.auth_time = Long.valueOf(authTime);
-    }
-
-
    public String getSessionId() {
        return sessionId;
    }
--- a/core/src/main/java/org/keycloak/representations/JsonWebToken.java
+++ b/core/src/main/java/org/keycloak/representations/JsonWebToken.java
@ -77,64 +77,28 @@ public class JsonWebToken implements Serializable, Token {
        return exp;
    }

-    /**
-     * @deprecated int will overflow with values after 2038. Use {@link #getExp()} instead.
-     */
-    @Deprecated
-    @JsonIgnore
-    public int getExpiration() {
-        return exp != null ? exp.intValue() : 0;
-    }
-
    public JsonWebToken exp(Long exp) {
        this.exp = exp;
        return this;
    }

-    /**
-     * @deprecated int will overflow with values after 2038. Use {@link #exp(Long)} instead.
-     */
-    public JsonWebToken expiration(int expiration) {
-        this.exp = Long.valueOf(expiration);
-        return this;
-    }
-
    @JsonIgnore
    public boolean isExpired() {
-        return exp != null && exp != 0 ? Time.currentTime() > exp : false;
+        return exp != null && exp != 0 && Time.currentTime() > exp;
    }

    public Long getNbf() {
        return nbf;
    }

-    /**
-     * @deprecated int will overflow with values after 2038. Use {@link #getNbf()} instead.
-     */
-    @Deprecated
-    @JsonIgnore
-    public int getNotBefore() {
-        return nbf != null ? nbf.intValue() : 0;
-    }
-
    public JsonWebToken nbf(Long nbf) {
        this.nbf = nbf;
        return this;
    }

-    /**
-     * @deprecated int will overflow with values after 2038. Use {@link #nbf(Long)} instead.
-     */
-    @Deprecated
    @JsonIgnore
-    public JsonWebToken notBefore(int notBefore) {
-        this.nbf = Long.valueOf(notBefore);
-        return this;
-    }
-
-    @JsonIgnore
-    public boolean isNotBefore(int allowedTimeSkew) {
-        return nbf != null ? Time.currentTime() + allowedTimeSkew >= nbf : true;
+    public boolean isNotBefore(long allowedTimeSkew) {
+        return nbf == null || Time.currentTime() + allowedTimeSkew >= nbf;
    }

    /**
@ -165,21 +129,12 @@ public class JsonWebToken implements Serializable, Token {
        return iat;
    }

-    /**
-     * @deprecated int will overflow with values after 2038. Use {@link #getIat()} instead.
-     */
-    @Deprecated
-    @JsonIgnore
-    public int getIssuedAt() {
-        return iat != null ? iat.intValue() : 0;
-    }
-
    /**
     * Set issuedAt to the current time
     */
    @JsonIgnore
    public JsonWebToken issuedNow() {
-        iat = Long.valueOf(Time.currentTime());
+        iat = (long) Time.currentTime();
        return this;
    }

@ -188,17 +143,6 @@ public class JsonWebToken implements Serializable, Token {
        return this;
    }

-    /**
-     * @deprecated int will overflow with values after 2038. Use {@link #iat(Long)} ()} instead.
-     */
-    @Deprecated
-    @JsonIgnore
-    public JsonWebToken issuedAt(int issuedAt) {
-        this.iat = Long.valueOf(issuedAt);
-        return this;
-    }
-
-
    public String getIssuer() {
        return issuer;
    }
--- a/core/src/main/java/org/keycloak/representations/docker/DockerResponseToken.java
+++ b/core/src/main/java/org/keycloak/representations/docker/DockerResponseToken.java
@ -42,14 +42,14 @@ public class DockerResponseToken extends JsonWebToken {
    }

    @Override
-    public DockerResponseToken expiration(final int expiration) {
-        super.expiration(expiration);
+    public DockerResponseToken exp(final Long expiration) {
+        super.exp(expiration);
        return this;
    }

    @Override
-    public DockerResponseToken notBefore(final int notBefore) {
-        super.notBefore(notBefore);
+    public DockerResponseToken nbf(final Long notBefore) {
+        super.nbf(notBefore);
        return this;
    }

@ -60,8 +60,8 @@ public class DockerResponseToken extends JsonWebToken {
    }

    @Override
-    public DockerResponseToken issuedAt(final int issuedAt) {
-        super.issuedAt(issuedAt);
+    public DockerResponseToken iat(final Long issuedAt) {
+        super.iat(issuedAt);
        return this;
    }

--- a/core/src/main/java/org/keycloak/representations/idm/authorization/PermissionTicketToken.java
+++ b/core/src/main/java/org/keycloak/representations/idm/authorization/PermissionTicketToken.java
@ -44,9 +44,9 @@ public class PermissionTicketToken extends JsonWebToken {
        if (accessToken != null) {
            id(TokenIdGenerator.generateId());
            subject(accessToken.getSubject());
-            expiration(accessToken.getExpiration());
-            notBefore(accessToken.getNotBefore());
-            issuedAt(accessToken.getIssuedAt());
+            this.exp(accessToken.getExp());
+            this.nbf(accessToken.getNbf());
+            iat(accessToken.getIat());
            issuedFor(accessToken.getIssuedFor());
        }
        if (audience != null) {
--- a/core/src/test/java/org/keycloak/RSAVerifierTest.java
+++ b/core/src/test/java/org/keycloak/RSAVerifierTest.java
@ -120,7 +120,7 @@ public abstract class RSAVerifierTest {

    @Test
    public void testNotBeforeGood() throws Exception {
-        token.notBefore(Time.currentTime() - 100);
+        token.nbf(Time.currentTime() - 100L);

        String encoded = new JWSBuilder()
                .jsonContent(token)
@ -136,7 +136,7 @@ public abstract class RSAVerifierTest {

    @Test
    public void testNotBeforeBad() {
-        token.notBefore(Time.currentTime() + 100);
+        token.nbf(Time.currentTime() + 100L);

        String encoded = new JWSBuilder()
                .jsonContent(token)
@ -153,7 +153,7 @@ public abstract class RSAVerifierTest {

    @Test
    public void testExpirationGood() throws Exception {
-        token.expiration(Time.currentTime() + 100);
+        token.exp(Time.currentTime() + 100L);

        String encoded = new JWSBuilder()
                .jsonContent(token)
@ -169,7 +169,7 @@ public abstract class RSAVerifierTest {

    @Test
    public void testExpirationBad() {
-        token.expiration(Time.currentTime() - 100);
+        token.exp(Time.currentTime() - 100L);

        String encoded = new JWSBuilder()
                .jsonContent(token)
--- a/core/src/test/java/org/keycloak/jose/JsonWebTokenTest.java
+++ b/core/src/test/java/org/keycloak/jose/JsonWebTokenTest.java
@ -82,37 +82,37 @@ public class JsonWebTokenTest {

    @Test
    public void isActiveReturnFalseWhenBeforeTimeInFuture() {
-        int currentTime = Time.currentTime();
-        int futureTime = currentTime + 10;
+        long currentTime = Time.currentTime();
+        long futureTime = currentTime + 10;
        JsonWebToken jsonWebToken = new JsonWebToken();
-        jsonWebToken.notBefore(futureTime);
+        jsonWebToken.nbf(futureTime);
        assertFalse(jsonWebToken.isActive());
    }

    @Test
    public void isActiveReturnTrueWhenBeforeTimeInPast() {
-        int currentTime = Time.currentTime();
-        int pastTime = currentTime - 10;
+        long currentTime = Time.currentTime();
+        long pastTime = currentTime - 10;
        JsonWebToken jsonWebToken = new JsonWebToken();
-        jsonWebToken.notBefore(pastTime);
+        jsonWebToken.nbf(pastTime);
        assertTrue(jsonWebToken.isActive());
    }

    @Test
    public void isActiveShouldReturnTrueWhenBeforeTimeInFutureWithinTimeSkew() {
-        int notBeforeTime = Time.currentTime() + 5;
+        long notBeforeTime = Time.currentTime() + 5;
        int allowedClockSkew = 10;
        JsonWebToken jsonWebToken = new JsonWebToken();
-        jsonWebToken.notBefore(notBeforeTime);
+        jsonWebToken.nbf(notBeforeTime);
        assertTrue(jsonWebToken.isActive(allowedClockSkew));
    }

    @Test
    public void isActiveShouldReturnFalseWhenWhenBeforeTimeInFutureOutsideTimeSkew() {
-        int notBeforeTime = Time.currentTime() + 10;
+        long notBeforeTime = Time.currentTime() + 10;
        int allowedClockSkew = 5;
        JsonWebToken jsonWebToken = new JsonWebToken();
-        jsonWebToken.notBefore(notBeforeTime);
+        jsonWebToken.nbf(notBeforeTime);
        assertFalse(jsonWebToken.isActive(allowedClockSkew));
    }

--- a/docs/documentation/release_notes/topics/25_0_0.adoc
+++ b/docs/documentation/release_notes/topics/25_0_0.adoc
@ -130,4 +130,21 @@ For more details, see the link:{upgradingguide_link}[{upgradingguide_name}].
 It is now possible to specify the `cache`, `cache-stack`, and `cache-config-file` options during runtime.
 This eliminates the need to execute the build phase and rebuild your image due to them.

+For more details, see the link:{upgradingguide_link}[{upgradingguide_name}].
+
+= Removing deprecated methods from `AccessToken`, `IDToken`, and `JsonWebToken` classes
+
+In this release, we are finally removing deprecated methods from the following classes:
+
+* `AccessToken`
+* `IDToken`
+* `JsonWebToken`
+
+For more details, see the link:{upgradingguide_link}[{upgradingguide_name}].
+
+= Method `getExp` added to `SingleUseObjectKeyModel`
+
+As a consequence of the removal of deprecated methods from `AccessToken`, `IDToken`, and `JsonWebToken`,
+the `SingleUseObjectKeyModel` also changed to keep consistency with the method names related to expiration values.
+
 For more details, see the link:{upgradingguide_link}[{upgradingguide_name}].
--- a/docs/documentation/upgrading/topics/changes/changes-25_0_0.adoc
+++ b/docs/documentation/upgrading/topics/changes/changes-25_0_0.adoc
@ -268,4 +268,36 @@ The new indexes are both applied to the `RESOURCE_SERVER_PERM_TICKET` table. If
 {project_name} will skip the creation of the indexes by default during the automatic schema migration, and will instead log the SQL statements
 on the console during migration. In this case, the statements must be run manually in the DB after {project_name}'s startup.

-See the link:{upgradingguide_link}[{upgradingguide_name}] for details on how to configure a different limit.
+See the link:{upgradingguide_link}[{upgradingguide_name}] for details on how to configure a different limit.
+
+= Removing deprecated methods from `AccessToken`, `IDToken`, and `JsonWebToken` classes
+
+The following methods were removed from the `AccessToken` class:
+
+* `expiration`. Use the `exp` method instead.
+* `notBefore`. Use the `nbf` method instead.
+* `issuedAt`. Use the `iat` method instead.
+
+The following methods were removed from the `IDToken` class:
+
+* `getAuthTime` and `setAuthTime`. Use the `getAuth_time` and `setAuth_time` methods, respectively.
+* `notBefore`. Use the `nbf` method instead.
+* `issuedAt`. Use the `iat` method instead.
+* `setSessionState`. Use the `setSessionId` method instead (See the details above in the section about `session_state` claim)
+
+The following methods were removed from the `JsonWebToken` class:
+
+* `expiration`. Use the `exp` method instead.
+* `notBefore`. Use the `nbf` method instead.
+* `issuedAt`. Use the `iat` method instead.
+
+You should also expect both `exp` and `nbf` claims not set in tokens as they are optional. Previously, these claims were
+being set with a value of `0` what does not make mush sense because their value should be a valid `NumericDate`.
+
+= Method `getExp` added to `SingleUseObjectKeyModel`
+
+As a consequence of the removal of deprecated methods from `AccessToken`, `IDToken`, and `JsonWebToken`,
+the `SingleUseObjectKeyModel` also changed to keep consistency with the method names related to expiration values.
+
+The previous `getExpiration` method is now deprecated and you should prefer using new newly introduced `getExp` method
+to avoid overflow after 2038.
--- a/integration/client-cli/admin-cli/src/main/java/org/keycloak/client/cli/util/AuthUtil.java
+++ b/integration/client-cli/admin-cli/src/main/java/org/keycloak/client/cli/util/AuthUtil.java
@ -200,10 +200,10 @@ public class AuthUtil {
        reqToken.subject(clientId);
        reqToken.audience(realmInfoUrl);

-        int now = Time.currentTime();
-        reqToken.issuedAt(now);
-        reqToken.expiration(now + sigLifetime);
-        reqToken.notBefore(now);
+        long now = Time.currentTime();
+        reqToken.iat(now);
+        reqToken.exp(now + sigLifetime);
+        reqToken.nbf(now);

        String signedRequestToken = new JWSBuilder()
                .jsonContent(reqToken)
--- a/server-spi/src/main/java/org/keycloak/models/SingleUseObjectKeyModel.java
+++ b/server-spi/src/main/java/org/keycloak/models/SingleUseObjectKeyModel.java
@ -39,7 +39,15 @@ public interface SingleUseObjectKeyModel {
    /**
     * Returns absolute number of seconds since the epoch in UTC timezone when the token expires.
     */
-    int getExpiration();
+    Long getExp();
+
+    /**
+     * @deprecated int will overflow with values after 2038. Use {@link #getExp()} instead.
+     */
+    @Deprecated
+    default int getExpiration() {
+        return getExp().intValue();
+    }

    /**
     * @return Single-use random value used for verification whether the relevant action is allowed.
@ -49,6 +57,6 @@ public interface SingleUseObjectKeyModel {
    default String serializeKey() {
        String userId = getUserId();
        String encodedUserId = userId == null ? "" : Base64.encodeBytes(userId.getBytes(StandardCharsets.UTF_8));
-        return String.format("%s.%d.%s.%s", encodedUserId, getExpiration(), getActionVerificationNonce(), getActionId());
+        return String.format("%s.%d.%s.%s", encodedUserId, getExp(), getActionVerificationNonce(), getActionId());
    }
 }
--- a/services/src/main/java/org/keycloak/authentication/actiontoken/DefaultActionToken.java
+++ b/services/src/main/java/org/keycloak/authentication/actiontoken/DefaultActionToken.java
@ -158,7 +158,7 @@ public class DefaultActionToken extends DefaultActionTokenKey implements SingleU
        String issuerUri = getIssuer(realm, uri);

        this
-          .issuedAt(Time.currentTime())
+          .issuedNow()
          .id(getActionVerificationNonce().toString())
          .issuer(issuerUri)
          .audience(issuerUri);
--- a/services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientValidator.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientValidator.java
@ -19,6 +19,8 @@

 package org.keycloak.authentication.authenticators.client;

+import java.util.Optional;
+
 import jakarta.ws.rs.core.MediaType;
 import jakarta.ws.rs.core.MultivaluedMap;
 import jakarta.ws.rs.core.Response;
@ -166,7 +168,7 @@ public class JWTClientValidator {
        }

        // KEYCLOAK-2986, token-timeout or token-expiration in keycloak.json might not be used
-        if (token.getExpiration() == 0 && token.getIssuedAt() + 10 < currentTime) {
+        if ((token.getExp() == null || token.getExp() <= 0) && token.getIat() + 10 < currentTime) {
            throw new RuntimeException("Token is not active");
        }

@ -180,7 +182,7 @@ public class JWTClientValidator {
        if (client == null) throw new IllegalStateException("Incorrect usage. Variable 'client' is null. Need to validate client first before validateToken reuse");

        SingleUseObjectProvider singleUseCache = context.getSession().singleUseObjects();
-        int lifespanInSecs = Math.max(token.getExpiration() - currentTime, 10);
+        long lifespanInSecs = Math.max(Optional.ofNullable(token.getExp()).orElse(0L) - currentTime, 10);
        if (singleUseCache.putIfAbsent(token.getId(), lifespanInSecs)) {
            logger.tracef("Added token '%s' to single-use cache. Lifespan: %d seconds, client: %s", token.getId(), lifespanInSecs, client.getClientId());

--- a/services/src/main/java/org/keycloak/authorization/protection/introspect/RPTIntrospectionProvider.java
+++ b/services/src/main/java/org/keycloak/authorization/protection/introspect/RPTIntrospectionProvider.java
@ -64,10 +64,10 @@ public class RPTIntrospectionProvider extends AccessTokenIntrospectionProvider {
                metadata.id(accessToken.getId());
                metadata.setAcr(accessToken.getAcr());
                metadata.type(accessToken.getType());
-                metadata.expiration(accessToken.getExpiration());
-                metadata.issuedAt(accessToken.getIssuedAt());
+                metadata.exp(accessToken.getExp());
+                metadata.iat(accessToken.getIat());
                metadata.audience(accessToken.getAudience());
-                metadata.notBefore(accessToken.getNotBefore());
+                metadata.nbf(accessToken.getNbf());
                metadata.setRealmAccess(null);
                metadata.setResourceAccess(null);

--- a/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java
+++ b/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java
@ -458,8 +458,8 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
            audience = getConfig().getTokenUrl();
        }
        jwt.audience(audience);
-        int expirationDelay = session.getContext().getRealm().getAccessCodeLifespan();
-        jwt.expiration(Time.currentTime() + expirationDelay);
+        long expirationDelay = session.getContext().getRealm().getAccessCodeLifespan();
+        jwt.exp(Time.currentTime() + expirationDelay);
        jwt.issuedNow();
        return jwt;
    }
--- a/services/src/main/java/org/keycloak/protocol/docker/DockerAuthV2Protocol.java
+++ b/services/src/main/java/org/keycloak/protocol/docker/DockerAuthV2Protocol.java
@ -105,8 +105,8 @@ public class DockerAuthV2Protocol implements LoginProtocol {

        // since realm access token is given in seconds
        final int accessTokenLifespan = realm.getAccessTokenLifespan();
-        responseToken.notBefore(responseToken.getIssuedAt())
-                .expiration(responseToken.getIssuedAt() + accessTokenLifespan);
+        responseToken.nbf(responseToken.getIat())
+                .exp(responseToken.getIat() + accessTokenLifespan);

        // Next, allow mappers to decorate the token to add/remove scopes as appropriate

@ -126,7 +126,7 @@ public class DockerAuthV2Protocol implements LoginProtocol {
                        .type("JWT")
                        .jsonContent(responseToken)
                        .rsa256(activeKey.getPrivateKey());
-                final String expiresInIso8601String = new SimpleDateFormat(ISO_8601_DATE_FORMAT).format(new Date(responseToken.getIssuedAt() * 1000L));
+                final String expiresInIso8601String = new SimpleDateFormat(ISO_8601_DATE_FORMAT).format(new Date(responseToken.getIat() * 1000L));

                final DockerResponse responseEntity = new DockerResponse()
                        .setToken(encodedToken)
--- a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
@ -126,7 +126,6 @@ import static org.keycloak.representations.IDToken.NONCE;
 */
 public class TokenManager {
    private static final Logger logger = Logger.getLogger(TokenManager.class);
-    private static final String JWT = "JWT";

    public static class TokenValidation {
        public final UserModel user;
@ -457,7 +456,7 @@ public class TokenManager {

        if (clientSession.getCurrentRefreshToken() != null
            && !refreshToken.getId().equals(clientSession.getCurrentRefreshToken())
-            && refreshToken.getIssuedAt() < clientSession.getTimestamp()
+            && refreshToken.getIat() < clientSession.getTimestamp()
            && startupTime <= clientSession.getTimestamp()) {
            throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Stale token");
        }
@ -476,7 +475,6 @@ public class TokenManager {
            throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Maximum allowed refresh token reuse exceeded",
                "Maximum allowed refresh token reuse exceeded");
        }
-        return;
    }

    public RefreshToken verifyRefreshToken(KeycloakSession session, RealmModel realm, ClientModel client, HttpRequest request, String encodedRefreshToken, boolean checkExpiration) throws OAuthErrorException {
@ -973,13 +971,13 @@ public class TokenManager {
        token.setSessionId(session.getId());
        ClientScopeModel offlineAccessScope = KeycloakModelUtils.getClientScopeByName(realm, OAuth2Constants.OFFLINE_ACCESS);
        boolean offlineTokenRequested = offlineAccessScope == null ? false
-            : clientSessionCtx.getClientScopeIds().contains(offlineAccessScope.getId());
-        token.expiration(getTokenExpiration(realm, client, session, clientSession, offlineTokenRequested));
+                : clientSessionCtx.getClientScopeIds().contains(offlineAccessScope.getId());
+        token.exp(getTokenExpiration(realm, client, session, clientSession, offlineTokenRequested));

        return token;
    }

-    private int getTokenExpiration(RealmModel realm, ClientModel client, UserSessionModel userSession,
+    private Long getTokenExpiration(RealmModel realm, ClientModel client, UserSessionModel userSession,
        AuthenticatedClientSessionModel clientSession, boolean offlineTokenRequested) {
        boolean implicitFlow = false;
        String responseType = clientSession.getNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM);
@ -1016,7 +1014,7 @@ public class TokenManager {
                realm, client);
        expiration = sessionExpires > 0? Math.min(expiration, sessionExpires) : expiration;

-        return (int) TimeUnit.MILLISECONDS.toSeconds(expiration);
+        return TimeUnit.MILLISECONDS.toSeconds(expiration);
    }


@ -1131,15 +1129,15 @@ public class TokenManager {
                }
                refreshToken.type(TokenUtil.TOKEN_TYPE_OFFLINE);
                if (realm.isOfflineSessionMaxLifespanEnabled()) {
-                    refreshToken.expiration(getExpiration(true));
+                    refreshToken.exp(getExpiration(true));
                }
                sessionManager.createOrUpdateOfflineSession(clientSessionCtx.getClientSession(), userSession);
            } else {
-                refreshToken.expiration(getExpiration(false));
+                refreshToken.exp(getExpiration(false));
            }
        }

-        private int getExpiration(boolean offline) {
+        private Long getExpiration(boolean offline) {
            long expiration = SessionExpirationUtils.calculateClientSessionIdleTimestamp(
                    offline, userSession.isRememberMe(),
                    TimeUnit.SECONDS.toMillis(clientSessionCtx.getClientSession().getTimestamp()),
@ -1151,7 +1149,7 @@ public class TokenManager {
                    realm, client);
            expiration = lifespan > 0? Math.min(expiration, lifespan) : expiration;

-            return (int) TimeUnit.MILLISECONDS.toSeconds(expiration);
+            return TimeUnit.MILLISECONDS.toSeconds(expiration);
        }

        public AccessTokenResponseBuilder generateIDToken() {
@ -1172,7 +1170,7 @@ public class TokenManager {
            idToken.issuer(accessToken.getIssuer());
            idToken.setNonce(clientSessionCtx.getAttribute(OIDCLoginProtocol.NONCE_PARAM, String.class));
            idToken.setSessionId(accessToken.getSessionId());
-            idToken.expiration(accessToken.getExpiration());
+            idToken.exp(accessToken.getExp());

            // Protocol mapper is supposed to set this in case "step_up_authentication" feature enabled
            if (!Profile.isFeatureEnabled(Profile.Feature.STEP_UP_AUTHENTICATION)) {
@ -1229,8 +1227,8 @@ public class TokenManager {
                res.setToken(encodedToken);
                res.setTokenType(responseTokenType);
                res.setSessionState(accessToken.getSessionState());
-                if (accessToken.getExpiration() != 0) {
-                    res.setExpiresIn(accessToken.getExpiration() - Time.currentTime());
+                if (accessToken.getExp() != 0) {
+                    res.setExpiresIn(accessToken.getExp() - Time.currentTime());
                }
            }

@ -1253,8 +1251,9 @@ public class TokenManager {
            if (refreshToken != null) {
                String encodedToken = session.tokens().encode(refreshToken);
                res.setRefreshToken(encodedToken);
-                if (refreshToken.getExpiration() != 0) {
-                    res.setRefreshExpiresIn(refreshToken.getExpiration() - Time.currentTime());
+                Long exp = refreshToken.getExp();
+                if (exp != null && exp > 0) {
+                    res.setRefreshExpiresIn(exp - Time.currentTime());
                }
            }

@ -1309,7 +1308,7 @@ public class TokenManager {

        @Override
        public boolean test(JsonWebToken t) throws VerificationException {
-            if (t.getIssuedAt() < notBefore) {
+            if (t.getIat() < notBefore) {
                throw new VerificationException("Stale token");
            }

@ -1367,7 +1366,7 @@ public class TokenManager {
        }

        LogoutToken logoutToken = logoutTokenOptional.get();
-        List<OIDCIdentityProvider> identityProviders = getOIDCIdentityProviders(realm, session).collect(Collectors.toList());
+        List<OIDCIdentityProvider> identityProviders = getOIDCIdentityProviders(realm, session).toList();
        if (identityProviders.isEmpty()) {
            return LogoutTokenValidationCode.COULD_NOT_FIND_IDP;
        }
--- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java
@ -524,7 +524,7 @@ public class LogoutEndpoint {
            }

            if (userSessionModel != null) {
-                checkTokenIssuedAt(token.getIssuedAt(), userSessionModel);
+                checkTokenIssuedAt(token.getIat(), userSessionModel);
                logout(userSessionModel, offline);
            }
        } catch (OAuthErrorException e) {
@ -727,7 +727,7 @@ public class LogoutEndpoint {
        }
    }

-    private void checkTokenIssuedAt(int idTokenIssuedAt, UserSessionModel userSession) throws OAuthErrorException {
+    private void checkTokenIssuedAt(long idTokenIssuedAt, UserSessionModel userSession) throws OAuthErrorException {
        if (idTokenIssuedAt + 1 < userSession.getStarted()) {
            throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Toked issued before the user session started");
        }
--- a/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationTokenUtils.java
+++ b/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationTokenUtils.java
@ -56,8 +56,7 @@ public class ClientRegistrationTokenUtils {

            regToken.type(auth.getJwt().getType());
            regToken.id(auth.getJwt().getId());
-            regToken.issuedAt(Time.currentTime());
-            regToken.expiration(0);
+            regToken.issuedNow();
            regToken.issuer(auth.getJwt().getIssuer());
            regToken.audience(auth.getJwt().getIssuer());

@ -117,13 +116,13 @@ public class ClientRegistrationTokenUtils {
        return TokenVerification.success(kid, jwt);
    }

-    private static String setupToken(JsonWebToken jwt, KeycloakSession session, RealmModel realm, String id, String type, int expiration) {
+    private static String setupToken(JsonWebToken jwt, KeycloakSession session, RealmModel realm, String id, String type, long expiration) {
        String issuer = getIssuer(session, realm);

        jwt.type(type);
        jwt.id(id);
-        jwt.issuedAt(Time.currentTime());
-        jwt.expiration(expiration);
+        jwt.issuedNow();
+        jwt.exp(expiration);
        jwt.issuer(issuer);
        jwt.audience(issuer);

--- a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
+++ b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
@ -759,9 +759,9 @@ public class AuthenticationManager {
        }

        if (session != null && session.isRememberMe() && realm.getSsoSessionMaxLifespanRememberMe() > 0) {
-            token.expiration(Time.currentTime() + realm.getSsoSessionMaxLifespanRememberMe());
+            token.exp((long) Time.currentTime() + realm.getSsoSessionMaxLifespanRememberMe());
        } else if (realm.getSsoSessionMaxLifespan() > 0) {
-            token.expiration(Time.currentTime() + realm.getSsoSessionMaxLifespan());
+            token.exp((long) Time.currentTime() + realm.getSsoSessionMaxLifespan());
        }

        String stateChecker = (String) keycloakSession.getAttribute("state_checker");
@ -999,7 +999,7 @@ public class AuthenticationManager {
            SingleUseObjectKeyModel actionTokenKey = DefaultActionTokenKey.from(actionTokenKeyToInvalidate);
            if (actionTokenKey != null) {
                SingleUseObjectProvider singleUseObjectProvider = session.singleUseObjects();
-                singleUseObjectProvider.put(actionTokenKeyToInvalidate, actionTokenKey.getExpiration() - Time.currentTime(), null); // Token is invalidated
+                singleUseObjectProvider.put(actionTokenKeyToInvalidate, actionTokenKey.getExp() - Time.currentTime(), null); // Token is invalidated
            }
        }

@ -1400,8 +1400,8 @@ public class AuthenticationManager {

            AccessToken token = verifier.verify().getToken();
            if (checkActive) {
-                if (!token.isActive() || token.getIssuedAt() < realm.getNotBefore()) {
-                    logger.debugf("Identity cookie expired. Token expiration: %d, Current Time: %d. token issued at: %d, realm not before: %d", token.getExp(), Time.currentTime(), token.getIssuedAt(), realm.getNotBefore());
+                if (!token.isActive() || token.getIat() < realm.getNotBefore()) {
+                    logger.debugf("Identity cookie expired. Token expiration: %d, Current Time: %d. token issued at: %d, realm not before: %d", token.getExp(), Time.currentTime(), token.getIat(), realm.getNotBefore());
                    return null;
                }
            }
@ -1467,7 +1467,7 @@ public class AuthenticationManager {
            return false;
        }

-        if (token.getIssuedAt() < client.getNotBefore()) {
+        if (token.getIat() < client.getNotBefore()) {
            logger.debug("Client notBefore newer than token");
            return false;
        }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/DemoServletsAdapterTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/DemoServletsAdapterTest.java
@ -755,13 +755,13 @@ public class DemoServletsAdapterTest extends AbstractServletsAdapterTest {

        // Get time of token
        AccessToken token = tokenMinTTLPage.getAccessToken();
-        int tokenIssued1 = token.getIssuedAt();
+        long tokenIssued1 = token.getIat();

        // Sets 5 minutes offset and assert access token will be still the same
        setAdapterAndServerTimeOffset(300, tokenMinTTLPage.toString());
        tokenMinTTLPage.navigateTo();
        token = tokenMinTTLPage.getAccessToken();
-        int tokenIssued2 = token.getIssuedAt();
+        long tokenIssued2 = token.getIat();
        Assert.assertEquals(tokenIssued1, tokenIssued2);
        assertFalse(token.isExpired());

@ -769,7 +769,7 @@ public class DemoServletsAdapterTest extends AbstractServletsAdapterTest {
        setAdapterAndServerTimeOffset(540, tokenMinTTLPage.toString());
        tokenMinTTLPage.navigateTo();
        token = tokenMinTTLPage.getAccessToken();
-        int tokenIssued3 = token.getIssuedAt();
+        long tokenIssued3 = token.getIat();
        Assert.assertTrue(tokenIssued3 > tokenIssued1);

        // Revert times
@ -853,8 +853,8 @@ public class DemoServletsAdapterTest extends AbstractServletsAdapterTest {
            testRealmLoginPage.form().setPassword("password");
            testRealmLoginPage.form().login();
            AccessToken token = tokenMinTTLPage.getAccessToken();
-            int authTime = token.getAuthTime();
-            assertThat(authTime, is(greaterThanOrEqualTo(currentTime + 10)));
+            long authTime = token.getAuth_time();
+            assertThat(authTime, is(greaterThanOrEqualTo(currentTime + 10L)));
        } finally {
            setAdapterAndServerTimeOffset(0, securePortal.toString());
        }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java
@ -2381,7 +2381,7 @@ public class UserTest extends AbstractAdminTest {

        try {
            final AccessToken accessToken = TokenVerifier.create(token, AccessToken.class).getToken();
-            assertEquals(lifespan, accessToken.getExpiration() - accessToken.getIssuedAt());
+            assertEquals(lifespan, accessToken.getExp() - accessToken.getIat());
        } catch (VerificationException e) {
            throw new IOException(e);
        }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerTransientSessionsTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerTransientSessionsTest.java
@ -87,6 +87,7 @@ import static org.hamcrest.Matchers.not;
 import static org.hamcrest.Matchers.notNullValue;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
 import static org.keycloak.testsuite.broker.BrokerTestConstants.REALM_CONS_NAME;
 import static org.keycloak.testsuite.broker.BrokerTestConstants.REALM_PROV_NAME;
@ -614,7 +615,7 @@ public final class KcOidcBrokerTransientSessionsTest extends AbstractAdvancedBro
                    .assertEvent();

            assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
-            assertEquals(0, offlineToken.getExpiration());
+            assertNull(offlineToken.getExp());

            assertTrue(tokenResponse.getScope().contains(OAuth2Constants.OFFLINE_ACCESS));

--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCPairwiseClientRegistrationTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCPairwiseClientRegistrationTest.java
@ -397,11 +397,11 @@ public class OIDCPairwiseClientRegistrationTest extends AbstractClientRegistrati
        Assert.assertEquals(idToken.getSubject(), refreshedRefreshToken.getSubject());

        // its iat Claim MUST represent the time that the new ID Token is issued
-        Assert.assertEquals(refreshedIdToken.getIssuedAt(), refreshedRefreshToken.getIssuedAt());
+        Assert.assertEquals(refreshedIdToken.getIat(), refreshedRefreshToken.getIat());

        // if the ID Token contains an auth_time Claim, its value MUST represent the time of the original authentication
        // - not the time that the new ID token is issued
-        Assert.assertEquals(idToken.getAuthTime(), refreshedIdToken.getAuthTime());
+        Assert.assertEquals(idToken.getAuth_time(), refreshedIdToken.getAuth_time());

        // its azp Claim Value MUST be the same as in the ID Token issued when the original authentication occurred; if
        // no azp Claim was present in the original ID Token, one MUST NOT be present in the new ID Token
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/storage/ClientStorageTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/storage/ClientStorageTest.java
@ -478,7 +478,7 @@ public class ClientStorageTest extends AbstractTestRealmKeycloakTest {
                .assertEvent();

        Assert.assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
-        Assert.assertEquals(0, offlineToken.getExpiration());
+        Assert.assertNull(offlineToken.getExp());

        testRefreshWithOfflineToken(token, offlineToken, offlineTokenString, token.getSessionState(), userId);

--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/migration/AbstractMigrationTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/migration/AbstractMigrationTest.java
@ -856,7 +856,7 @@ public abstract class AbstractMigrationTest extends AbstractKeycloakTest {
    private void assertOfflineToken(String offlineToken) {
        RefreshToken offlineTokenParsed = oauth.parseRefreshToken(offlineToken);
        assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineTokenParsed.getType());
-        assertEquals(0, offlineTokenParsed.getExpiration());
+        assertNull(offlineTokenParsed.getExp());
        assertTrue(TokenUtil.hasScope(offlineTokenParsed.getScope(), OAuth2Constants.OFFLINE_ACCESS));
    }

--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AbstractClientAuthSignedJWTTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AbstractClientAuthSignedJWTTest.java
@ -86,7 +86,6 @@ import org.keycloak.common.util.KeystoreUtil.KeystoreFormat;
 import org.keycloak.constants.ServiceUrlConstants;
 import org.keycloak.crypto.Algorithm;
 import org.keycloak.crypto.ECDSAAlgorithm;
-import org.keycloak.crypto.ECDSASignatureProvider;
 import org.keycloak.crypto.KeyType;
 import org.keycloak.crypto.SignatureSignerContext;
 import org.keycloak.events.Details;
@ -806,10 +805,10 @@ public abstract class AbstractClientAuthSignedJWTTest extends AbstractKeycloakTe
            if (isClaimEnabled("subject")) reqToken.subject(clientId);
            if (isClaimEnabled("audience")) reqToken.audience(realmInfoUrl);

-            int now = Time.currentTime();
-            if (isClaimEnabled("issuedAt")) reqToken.issuedAt(now);
-            if (isClaimEnabled("expiration")) reqToken.expiration(now + getTokenTimeout());
-            if (isClaimEnabled("notBefore")) reqToken.notBefore(now);
+            long now = Time.currentTime();
+            if (isClaimEnabled("issuedAt")) reqToken.iat(now);
+            if (isClaimEnabled("expiration")) reqToken.exp(now + getTokenTimeout());
+            if (isClaimEnabled("notBefore")) reqToken.nbf(now);

            return reqToken;
        }
@ -934,10 +933,10 @@ public abstract class AbstractClientAuthSignedJWTTest extends AbstractKeycloakTe
        reqToken.subject(clientId);
        reqToken.audience(realmInfoUrl);

-        int now = Time.currentTime();
-        reqToken.issuedAt(now);
-        reqToken.expiration(now + 10);
-        reqToken.notBefore(now);
+        long now = Time.currentTime();
+        reqToken.iat(now);
+        reqToken.exp(now + 10);
+        reqToken.nbf(now);

        return reqToken;
    }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java
@ -235,13 +235,10 @@ public class AccessTokenTest extends AbstractKeycloakTest {
        assertEquals(sessionId, sid);

        assertNull(token.getNbf());
-        assertEquals(0, token.getNotBefore());

        assertNotNull(token.getIat());
-        assertEquals(token.getIat().intValue(), token.getIssuedAt());

        assertNotNull(token.getExp());
-        assertEquals(token.getExp().intValue(), token.getExpiration());

        assertEquals(1, token.getRealmAccess().getRoles().size());
        assertTrue(token.getRealmAccess().isUserInRole("user"));
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OAuthProofKeyForCodeExchangeTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OAuthProofKeyForCodeExchangeTest.java
@ -493,9 +493,9 @@ public class OAuthProofKeyForCodeExchangeTest extends AbstractKeycloakTest {
        RefreshToken refreshToken = oauth.parseRefreshToken(refreshTokenString);

        Assert.assertNotNull(refreshTokenString);
-        assertThat(token.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(200), lessThanOrEqualTo(350)));
-        int actual = refreshToken.getExpiration() - getCurrentTime();
-        assertThat(actual, allOf(greaterThanOrEqualTo(1799 - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800 + RefreshTokenTest.ALLOWED_CLOCK_SKEW)));
+        assertThat(token.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(200L), lessThanOrEqualTo(350L)));
+        long actual = refreshToken.getExp() - getCurrentTime();
+        assertThat(actual, allOf(greaterThanOrEqualTo(1799L - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800L + RefreshTokenTest.ALLOWED_CLOCK_SKEW)));
        assertEquals(sessionId, refreshToken.getSessionState());

        setTimeOffset(2);
@ -510,10 +510,10 @@ public class OAuthProofKeyForCodeExchangeTest extends AbstractKeycloakTest {
        assertEquals(sessionId, refreshedRefreshToken.getSessionState());

        assertThat(refreshResponse.getExpiresIn(), allOf(greaterThanOrEqualTo(250), lessThanOrEqualTo(300)));
-        assertThat(refreshedToken.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(250 - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(300 + RefreshTokenTest.ALLOWED_CLOCK_SKEW)));
+        assertThat(refreshedToken.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(250L - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(300L + RefreshTokenTest.ALLOWED_CLOCK_SKEW)));

-        assertThat(refreshedToken.getExpiration() - token.getExpiration(), allOf(greaterThanOrEqualTo(1), lessThanOrEqualTo(10)));
-        assertThat(refreshedRefreshToken.getExpiration() - refreshToken.getExpiration(), allOf(greaterThanOrEqualTo(1), lessThanOrEqualTo(10)));
+        assertThat(refreshedToken.getExp() - token.getExp(), allOf(greaterThanOrEqualTo(1L), lessThanOrEqualTo(10L)));
+        assertThat(refreshedRefreshToken.getExp() - refreshToken.getExp(), allOf(greaterThanOrEqualTo(1L), lessThanOrEqualTo(10L)));

        Assert.assertNotEquals(token.getId(), refreshedToken.getId());
        Assert.assertNotEquals(refreshToken.getId(), refreshedRefreshToken.getId());
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OfflineTokenTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OfflineTokenTest.java
@ -256,7 +256,7 @@ public class OfflineTokenTest extends AbstractKeycloakTest {
                .assertEvent();

        assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
-        assertEquals(0, offlineToken.getExpiration());
+        Assert.assertNull(offlineToken.getExp());

        assertTrue(tokenResponse.getScope().contains(OAuth2Constants.OFFLINE_ACCESS));

@ -356,7 +356,7 @@ public class OfflineTokenTest extends AbstractKeycloakTest {
                .assertEvent();

        Assert.assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
-        Assert.assertEquals(0, offlineToken.getExpiration());
+        Assert.assertNull(offlineToken.getExp());

        testRefreshWithOfflineToken(token, offlineToken, offlineTokenString, token.getSessionState(), userId);

@ -391,7 +391,7 @@ public class OfflineTokenTest extends AbstractKeycloakTest {
                .assertEvent();

        Assert.assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
-        Assert.assertEquals(0, offlineToken.getExpiration());
+        Assert.assertNull(offlineToken.getExp());

        String offlineTokenString2 = testRefreshWithOfflineToken(token, offlineToken, offlineTokenString, token.getSessionState(), userId);
        RefreshToken offlineToken2 = oauth.parseRefreshToken(offlineTokenString2);
@ -440,7 +440,7 @@ public class OfflineTokenTest extends AbstractKeycloakTest {
                .assertEvent();

        Assert.assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
-        Assert.assertEquals(0, offlineToken.getExpiration());
+        Assert.assertNull(offlineToken.getExp());

        testRefreshWithOfflineToken(token, offlineToken, offlineTokenString, token.getSessionState(), serviceAccountUserId);

@ -677,7 +677,7 @@ public class OfflineTokenTest extends AbstractKeycloakTest {
                .assertEvent();

        assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
-        assertEquals(0, offlineToken.getExpiration());
+        assertNull(offlineToken.getExp());

        String offlineUserSessionId = testingClient.server().fetch((KeycloakSession session) ->
                session.sessions().getOfflineUserSession(session.realms().getRealmByName("test"), offlineToken.getSessionState()).getId(), String.class);
@ -714,7 +714,7 @@ public class OfflineTokenTest extends AbstractKeycloakTest {
                .assertEvent();

        assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken2.getType());
-        assertEquals(0, offlineToken2.getExpiration());
+        Assert.assertNull(offlineToken.getExp());

        // Assert session changed
        assertNotEquals(offlineToken.getSessionState(), offlineToken2.getSessionState());
@ -977,7 +977,7 @@ public class OfflineTokenTest extends AbstractKeycloakTest {
                .assertEvent();

        Assert.assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
-        Assert.assertEquals(0, offlineToken.getExpiration());
+        Assert.assertNull(offlineToken.getExp());

        testRefreshWithOfflineToken(token, offlineToken, offlineTokenString, token.getSessionState(), serviceAccountUserId);

@ -1049,7 +1049,7 @@ public class OfflineTokenTest extends AbstractKeycloakTest {
                .assertEvent();

        Assert.assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
-        Assert.assertEquals(0, offlineToken.getExpiration());
+        Assert.assertNull(offlineToken.getExp());
    }

    @Test
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RefreshTokenTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RefreshTokenTest.java
@ -247,9 +247,9 @@ public class RefreshTokenTest extends AbstractKeycloakTest {

        assertEquals("Bearer", tokenResponse.getTokenType());

-        assertThat(token.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(200), lessThanOrEqualTo(350)));
-        int actual = refreshToken.getExpiration() - getCurrentTime();
-        assertThat(actual, allOf(greaterThanOrEqualTo(1799 - ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800 + ALLOWED_CLOCK_SKEW)));
+        assertThat(token.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(200L), lessThanOrEqualTo(350L)));
+        long actual = refreshToken.getExp() - getCurrentTime();
+        assertThat(actual, allOf(greaterThanOrEqualTo(1799L - ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800L + ALLOWED_CLOCK_SKEW)));

        assertEquals(sessionId, refreshToken.getSessionState());
        assertNull(refreshToken.getNonce());
@ -264,10 +264,10 @@ public class RefreshTokenTest extends AbstractKeycloakTest {
        assertEquals(sessionId, refreshedRefreshToken.getSessionState());

        assertThat(response.getExpiresIn(), allOf(greaterThanOrEqualTo(250), lessThanOrEqualTo(300)));
-        assertThat(refreshedToken.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(250 - ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(300 + ALLOWED_CLOCK_SKEW)));
+        assertThat(refreshedToken.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(250L - ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(300L + ALLOWED_CLOCK_SKEW)));

-        assertThat(refreshedToken.getExpiration() - token.getExpiration(), allOf(greaterThanOrEqualTo(0), lessThanOrEqualTo(10)));
-        assertThat(refreshedRefreshToken.getExpiration() - refreshToken.getExpiration(), allOf(greaterThanOrEqualTo(0), lessThanOrEqualTo(10)));
+        assertThat(refreshedToken.getExp() - token.getExp(), allOf(greaterThanOrEqualTo(0L), lessThanOrEqualTo(10L)));
+        assertThat(refreshedRefreshToken.getExp() - refreshToken.getExp(), allOf(greaterThanOrEqualTo(0L), lessThanOrEqualTo(10L)));

        // "test-app" should not be an audience in the refresh token
        assertEquals("test-app", refreshedRefreshToken.getIssuedFor());
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java
@ -69,6 +69,7 @@ import java.util.ArrayList;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;

 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
@ -170,9 +171,9 @@ public class TokenIntrospectionTest extends AbstractTestRealmKeycloakTest {
        assertTrue(rep.isActive());
        assertEquals("test-user@localhost", rep.getUserName());
        assertEquals("test-app", rep.getClientId());
-        assertEquals(jsonNode.get("exp").asInt(), rep.getExpiration());
-        assertEquals(jsonNode.get("iat").asInt(), rep.getIssuedAt());
-        assertEquals(jsonNode.get("nbf"), rep.getNbf());
+        assertEquals(Long.valueOf(jsonNode.get("exp").asLong()), rep.getExp());
+        assertEquals(Long.valueOf(jsonNode.get("iat").asLong()), rep.getIat());
+        assertEquals(Optional.ofNullable(jsonNode.get("nbf")).map(JsonNode::asLong).orElse(null), rep.getNbf());
        assertEquals(jsonNode.get("sub").asText(), rep.getSubject());

        List<String> audiences = new ArrayList<>();
@ -226,9 +227,9 @@ public class TokenIntrospectionTest extends AbstractTestRealmKeycloakTest {
        assertTrue(rep.isActive());
        assertEquals("test-app", rep.getClientId());
        assertEquals(jsonNode.get("sid").asText(), rep.getSessionState());
-        assertEquals(jsonNode.get("exp").asInt(), rep.getExpiration());
-        assertEquals(jsonNode.get("iat").asInt(), rep.getIssuedAt());
-        assertEquals(jsonNode.get("nbf"), rep.getNbf());
+        assertEquals(Long.valueOf(jsonNode.get("exp").asLong()), rep.getExp());
+        assertEquals(Long.valueOf(jsonNode.get("iat").asLong()), rep.getIat());
+        assertEquals(Optional.ofNullable(jsonNode.get("nbf")).map(JsonNode::asLong).orElse(null), rep.getNbf());
        assertEquals(jsonNode.get("iss").asText(), rep.getIssuer());
        assertEquals(jsonNode.get("jti").asText(), rep.getId());
        assertEquals(jsonNode.get("typ").asText(), "Refresh");
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/hok/HoKTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/hok/HoKTest.java
@ -335,9 +335,9 @@ public class HoKTest extends AbstractTestRealmKeycloakTest {

        Assert.assertNotNull(refreshTokenString);
        assertEquals("Bearer", tokenResponse.getTokenType());
-        assertThat(token.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(200), lessThanOrEqualTo(350)));
-        int actual = refreshToken.getExpiration() - getCurrentTime();
-        assertThat(actual, allOf(greaterThanOrEqualTo(1799 - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800 + RefreshTokenTest.ALLOWED_CLOCK_SKEW)));
+        assertThat(token.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(200L), lessThanOrEqualTo(350L)));
+        long actual = refreshToken.getExp() - getCurrentTime();
+        assertThat(actual, allOf(greaterThanOrEqualTo(1799L - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800L + RefreshTokenTest.ALLOWED_CLOCK_SKEW)));
        assertEquals(sessionId, refreshToken.getSessionState());

        setTimeOffset(2);
@ -372,9 +372,9 @@ public class HoKTest extends AbstractTestRealmKeycloakTest {

        Assert.assertNotNull(refreshTokenString);
        assertEquals("Bearer", tokenResponse.getTokenType());
-        assertThat(token.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(200), lessThanOrEqualTo(350)));
-        int actual = refreshToken.getExpiration() - getCurrentTime();
-        assertThat(actual, allOf(greaterThanOrEqualTo(1799 - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800 + RefreshTokenTest.ALLOWED_CLOCK_SKEW)));
+        assertThat(token.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(200L), lessThanOrEqualTo(350L)));
+        long actual = refreshToken.getExp() - getCurrentTime();
+        assertThat(actual, allOf(greaterThanOrEqualTo(1799L - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800L + RefreshTokenTest.ALLOWED_CLOCK_SKEW)));
        assertEquals(sessionId, refreshToken.getSessionState());

        setTimeOffset(2);
@ -410,10 +410,10 @@ public class HoKTest extends AbstractTestRealmKeycloakTest {
        assertEquals(sessionId, refreshedRefreshToken.getSessionState());

        assertThat(response.getExpiresIn(), allOf(greaterThanOrEqualTo(250), lessThanOrEqualTo(300)));
-        assertThat(refreshedToken.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(250 - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(300 + RefreshTokenTest.ALLOWED_CLOCK_SKEW)));
+        assertThat(refreshedToken.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(250L - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(300L + RefreshTokenTest.ALLOWED_CLOCK_SKEW)));

-        assertThat(refreshedToken.getExpiration() - token.getExpiration(), allOf(greaterThanOrEqualTo(1), lessThanOrEqualTo(10)));
-        assertThat(refreshedRefreshToken.getExpiration() - refreshToken.getExpiration(), allOf(greaterThanOrEqualTo(1), lessThanOrEqualTo(10)));
+        assertThat(refreshedToken.getExp() - token.getExp(), allOf(greaterThanOrEqualTo(1L), lessThanOrEqualTo(10L)));
+        assertThat(refreshedRefreshToken.getExp() - refreshToken.getExp(), allOf(greaterThanOrEqualTo(1L), lessThanOrEqualTo(10L)));

        Assert.assertNotEquals(token.getId(), refreshedToken.getId());
        Assert.assertNotEquals(refreshToken.getId(), refreshedRefreshToken.getId());
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java
@ -205,8 +205,8 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
        IDToken idToken = sendTokenRequestAndGetIDToken(loginEvent);

        // Check that authTime is available and set to current time
-        int authTime = idToken.getAuthTime();
-        int currentTime = Time.currentTime();
+        long authTime = idToken.getAuth_time();
+        long currentTime = Time.currentTime();
        Assert.assertTrue(authTime <= currentTime && authTime + 3 >= currentTime);

        // Set time offset
@ -225,7 +225,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
        idToken = sendTokenRequestAndGetIDToken(loginEvent);

        // Assert that authTime was updated
-        int authTimeUpdated = idToken.getAuthTime();
+        long authTimeUpdated = idToken.getAuth_time();
        Assert.assertTrue(authTime + 10 <= authTimeUpdated);
    }

@ -238,8 +238,8 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
        IDToken idToken = sendTokenRequestAndGetIDToken(loginEvent);

        // Check that authTime is available and set to current time
-        int authTime = idToken.getAuthTime();
-        int currentTime = Time.currentTime();
+        long authTime = idToken.getAuth_time();
+        long currentTime = Time.currentTime();
        Assert.assertTrue(authTime <= currentTime && authTime + 3 >= currentTime);

        // Set time offset
@ -255,7 +255,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
        idToken = sendTokenRequestAndGetIDToken(loginEvent);

        // Assert that authTime is still the same
-        int authTimeUpdated = idToken.getAuthTime();
+        long authTimeUpdated = idToken.getAuth_time();
        Assert.assertEquals(authTime, authTimeUpdated);
    }

@ -293,7 +293,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest

        EventRepresentation loginEvent = events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent();
        IDToken idToken = sendTokenRequestAndGetIDToken(loginEvent);
-        int authTime = idToken.getAuthTime();
+        long authTime = idToken.getAuth_time();

        // Set time offset
        setTimeOffset(10);
@ -304,7 +304,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest

        loginEvent = events.expectLogin().removeDetail(Details.USERNAME).assertEvent();
        idToken = sendTokenRequestAndGetIDToken(loginEvent);
-        int authTime2 = idToken.getAuthTime();
+        long authTime2 = idToken.getAuth_time();

        Assert.assertEquals(authTime, authTime2);
    }
@ -383,7 +383,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
        IDToken newIdToken = sendTokenRequestAndGetIDToken(loginEvent);

        // Assert that authTime wasn't updated
-        Assert.assertEquals(oldIdToken.getAuthTime(), newIdToken.getAuthTime());
+        Assert.assertEquals(oldIdToken.getAuth_time(), newIdToken.getAuth_time());

        // Set time offset
        setTimeOffset(20);
@ -399,8 +399,8 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
        newIdToken = sendTokenRequestAndGetIDToken(loginEvent);

        // Assert that authTime was updated
-        Assert.assertTrue("Expected auth time to change. old auth time: " + oldIdToken.getAuthTime() + " , new auth time: " + newIdToken.getAuthTime(),
-                oldIdToken.getAuthTime() + 20 <= newIdToken.getAuthTime());
+        Assert.assertTrue("Expected auth time to change. old auth time: " + oldIdToken.getAuth_time() + " , new auth time: " + newIdToken.getAuth_time(),
+                oldIdToken.getAuth_time() + 20 <= newIdToken.getAuth_time());

        // Assert userSession didn't change
        Assert.assertEquals(oldIdToken.getSessionState(), newIdToken.getSessionState());