replaced and removed deprecated token methods (#27715)

closes #19671 

Signed-off-by: Mark Banierink <mark.banierink@nedap.com>


Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Mark Banierink 2024-04-23 09:23:37 +02:00 committed by GitHub
parent 8e48bac278
commit ad32896725
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
42 changed files with 216 additions and 259 deletions


@ -110,7 +110,7 @@ public class BearerTokenRequestAuthenticator {
challenge = challengeResponse(exchange, OIDCAuthenticationError.Reason.INVALID_TOKEN, "invalid_token", e.getMessage());
return AuthOutcome.FAILED;
}
if (token.getIssuedAt() < deployment.getNotBefore()) {
if (token.getIat() < deployment.getNotBefore()) {
log.debug("Stale token");
challenge = challengeResponse(exchange, OIDCAuthenticationError.Reason.STALE_TOKEN, "invalid_token", "Stale token");
return AuthOutcome.FAILED;
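Review bot: The stale-token check `token.getIat() < deployment.getNotBefore()` unboxes a `Long` that the `JsonWebToken` section shows can be null, so a bearer token without an `iat` claim now throws a NullPointerException, where the removed `getIssuedAt()` returned 0 and the check rejected or accepted the token cleanly. To keep the earlier result, read the claim once with a default, e.g. `long iat = token.getIat() != null ? token.getIat() : 0L;`, and compare `iat < deployment.getNotBefore()`. The same unguarded unboxing of `getIat()` or `getExp()` appears in the OAuthRequestAuthenticator, RefreshableKeycloakSecurityContext, KeycloakInstalled, TokenCallable, LogoutEndpoint and AuthenticationManager sections, and in the `getIat()` comparisons in TokenManager. In JWTClientValidator the `exp` side of the condition was made null-safe, but `token.getIat() + 10` was not, and that code evaluates a client-supplied assertion. The enclosing method starts and ends outside this hunk, so an earlier `iat` check may exist that is not visible here.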


@ -369,7 +369,7 @@ public class OAuthRequestAuthenticator {
if (tokenResponse.getNotBeforePolicy() > deployment.getNotBefore()) {
deployment.updateNotBefore(tokenResponse.getNotBeforePolicy());
}
if (token.getIssuedAt() < deployment.getNotBefore()) {
if (token.getIat() < deployment.getNotBefore()) {
log.error("Stale token");
return challenge(403, OIDCAuthenticationError.Reason.STALE_TOKEN, null);
}


@ -88,11 +88,11 @@ public class RefreshableKeycloakSecurityContext extends KeycloakSecurityContext
}
public boolean isActive() {
return token != null && this.token.isActive() && deployment!=null && this.token.getIssuedAt() >= deployment.getNotBefore();
return token != null && this.token.isActive() && deployment!=null && this.token.getIat() >= deployment.getNotBefore();
}
public boolean isTokenTimeToLiveSufficient(AccessToken token) {
return token != null && (token.getExpiration() - this.deployment.getTokenMinimumTimeToLive()) > Time.currentTime();
return token != null && (token.getExp() - this.deployment.getTokenMinimumTimeToLive()) > Time.currentTime();
}
public KeycloakDeployment getDeployment() {


@ -43,13 +43,13 @@ public class RefreshableKeycloakSecurityContextTest {
TokenMetadataRepresentation token = new TokenMetadataRepresentation();
token.setActive(true);
token.issuedAt(4999);
token.iat(4999L);
RefreshableKeycloakSecurityContext sut = new RefreshableKeycloakSecurityContext(keycloakDeployment,null,null,token,null, null, null);
assertFalse(sut.isActive());
token.issuedAt(5000);
token.iat(5000L);
assertTrue(sut.isActive());
}


@ -18,12 +18,10 @@
package org.keycloak.adapters.installed;
import java.awt.Desktop;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.PrintStream;
import java.io.PrintWriter;
import java.io.Reader;
import java.net.InetSocketAddress;
import java.net.URI;
@ -37,16 +35,9 @@ import java.util.UUID;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ForkJoinPool;
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.ws.rs.client.Entity;
import javax.ws.rs.core.Form;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import org.jboss.resteasy.client.jaxrs.ResteasyClient;
import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
import org.keycloak.OAuth2Constants;
import org.keycloak.OAuthErrorException;
import org.keycloak.adapters.KeycloakDeployment;
@ -314,7 +305,7 @@ public class KeycloakInstalled {
}
public String getTokenString(long minValidity, TimeUnit unit) throws VerificationException, IOException, ServerRequest.HttpFailure {
long expires = ((long) token.getExpiration()) * 1000 - unit.toMillis(minValidity);
long expires = ((long) token.getExp()) * 1000 - unit.toMillis(minValidity);
if (expires < System.currentTimeMillis()) {
refreshToken();
}


@ -106,7 +106,7 @@ public class TokenCallable implements Callable<String> {
}
public boolean isTokenTimeToLiveSufficient(AccessToken token) {
return token != null && (token.getExpiration() - getConfiguration().getTokenMinimumTimeToLive()) > Time.currentTime();
return token != null && (token.getExp() - getConfiguration().getTokenMinimumTimeToLive()) > Time.currentTime();
}
/**


@ -182,10 +182,10 @@ public class JWTClientCredentialsProvider implements ClientCredentialsProvider {
reqToken.subject(clientId);
reqToken.audience(realmInfoUrl);
int now = Time.currentTime();
reqToken.issuedAt(now);
reqToken.expiration(now + this.tokenTimeout);
reqToken.notBefore(now);
long now = Time.currentTime();
reqToken.iat(now);
reqToken.exp(now + this.tokenTimeout);
reqToken.nbf(now);
return reqToken;
}


@ -131,11 +131,11 @@ public class JWTClientSecretCredentialsProvider implements ClientCredentialsProv
reqToken.subject(clientId);
reqToken.audience(realmInfoUrl);
int now = Time.currentTime();
reqToken.issuedAt(now);
long now = Time.currentTime();
reqToken.iat(now);
// the same as in KEYCLOAK-2986, JWTClientCredentialsProvider's timeout field
reqToken.expiration(now + 10);
reqToken.notBefore(now);
reqToken.exp(now + 10);
reqToken.nbf(now);
return reqToken;
}


@ -205,22 +205,6 @@ public class AccessToken extends IDToken {
return (AccessToken) super.id(id);
}
@Override
public AccessToken expiration(int expiration) {
return (AccessToken) super.expiration(expiration);
}
@Override
public AccessToken notBefore(int notBefore) {
return (AccessToken) super.notBefore(notBefore);
}
@Override
public AccessToken issuedAt(int issuedAt) {
return (AccessToken) super.issuedAt(issuedAt);
}
@Override
public AccessToken issuer(String issuer) {
return (AccessToken) super.issuer(issuer);


@ -154,27 +154,10 @@ public class IDToken extends JsonWebToken {
return auth_time;
}
/**
* @deprecated int will overflow with values after 2038. Use {@link #getAuth_time()} instead.
*/
@Deprecated
@JsonIgnore
public int getAuthTime() {
return auth_time != null ? auth_time.intValue() : 0;
}
public void setAuth_time(Long auth_time) {
this.auth_time = auth_time;
}
/**
* @deprecated int will overflow with values after 2038. Use {@link #setAuth_time(Long)} ()} instead.
*/
public void setAuthTime(int authTime) {
this.auth_time = Long.valueOf(authTime);
}
public String getSessionId() {
return sessionId;
}


@ -77,64 +77,28 @@ public class JsonWebToken implements Serializable, Token {
return exp;
}
/**
* @deprecated int will overflow with values after 2038. Use {@link #getExp()} instead.
*/
@Deprecated
@JsonIgnore
public int getExpiration() {
return exp != null ? exp.intValue() : 0;
}
public JsonWebToken exp(Long exp) {
this.exp = exp;
return this;
}
/**
* @deprecated int will overflow with values after 2038. Use {@link #exp(Long)} instead.
*/
public JsonWebToken expiration(int expiration) {
this.exp = Long.valueOf(expiration);
return this;
}
@JsonIgnore
public boolean isExpired() {
return exp != null && exp != 0 ? Time.currentTime() > exp : false;
return exp != null && exp != 0 && Time.currentTime() > exp;
}
public Long getNbf() {
return nbf;
}
/**
* @deprecated int will overflow with values after 2038. Use {@link #getNbf()} instead.
*/
@Deprecated
@JsonIgnore
public int getNotBefore() {
return nbf != null ? nbf.intValue() : 0;
}
public JsonWebToken nbf(Long nbf) {
this.nbf = nbf;
return this;
}
/**
* @deprecated int will overflow with values after 2038. Use {@link #nbf(Long)} instead.
*/
@Deprecated
@JsonIgnore
public JsonWebToken notBefore(int notBefore) {
this.nbf = Long.valueOf(notBefore);
return this;
}
@JsonIgnore
public boolean isNotBefore(int allowedTimeSkew) {
return nbf != null ? Time.currentTime() + allowedTimeSkew >= nbf : true;
public boolean isNotBefore(long allowedTimeSkew) {
return nbf == null || Time.currentTime() + allowedTimeSkew >= nbf;
}
/**
@ -165,21 +129,12 @@ public class JsonWebToken implements Serializable, Token {
return iat;
}
/**
* @deprecated int will overflow with values after 2038. Use {@link #getIat()} instead.
*/
@Deprecated
@JsonIgnore
public int getIssuedAt() {
return iat != null ? iat.intValue() : 0;
}
/**
* Set issuedAt to the current time
*/
@JsonIgnore
public JsonWebToken issuedNow() {
iat = Long.valueOf(Time.currentTime());
iat = (long) Time.currentTime();
return this;
}
@ -188,17 +143,6 @@ public class JsonWebToken implements Serializable, Token {
return this;
}
/**
* @deprecated int will overflow with values after 2038. Use {@link #iat(Long)} ()} instead.
*/
@Deprecated
@JsonIgnore
public JsonWebToken issuedAt(int issuedAt) {
this.iat = Long.valueOf(issuedAt);
return this;
}
public String getIssuer() {
return issuer;
}


@ -42,14 +42,14 @@ public class DockerResponseToken extends JsonWebToken {
}
@Override
public DockerResponseToken expiration(final int expiration) {
super.expiration(expiration);
public DockerResponseToken exp(final Long expiration) {
super.exp(expiration);
return this;
}
@Override
public DockerResponseToken notBefore(final int notBefore) {
super.notBefore(notBefore);
public DockerResponseToken nbf(final Long notBefore) {
super.nbf(notBefore);
return this;
}
@ -60,8 +60,8 @@ public class DockerResponseToken extends JsonWebToken {
}
@Override
public DockerResponseToken issuedAt(final int issuedAt) {
super.issuedAt(issuedAt);
public DockerResponseToken iat(final Long issuedAt) {
super.iat(issuedAt);
return this;
}


@ -44,9 +44,9 @@ public class PermissionTicketToken extends JsonWebToken {
if (accessToken != null) {
id(TokenIdGenerator.generateId());
subject(accessToken.getSubject());
expiration(accessToken.getExpiration());
notBefore(accessToken.getNotBefore());
issuedAt(accessToken.getIssuedAt());
this.exp(accessToken.getExp());
this.nbf(accessToken.getNbf());
iat(accessToken.getIat());
issuedFor(accessToken.getIssuedFor());
}
if (audience != null) {


@ -120,7 +120,7 @@ public abstract class RSAVerifierTest {
@Test
public void testNotBeforeGood() throws Exception {
token.notBefore(Time.currentTime() - 100);
token.nbf(Time.currentTime() - 100L);
String encoded = new JWSBuilder()
.jsonContent(token)
@ -136,7 +136,7 @@ public abstract class RSAVerifierTest {
@Test
public void testNotBeforeBad() {
token.notBefore(Time.currentTime() + 100);
token.nbf(Time.currentTime() + 100L);
String encoded = new JWSBuilder()
.jsonContent(token)
@ -153,7 +153,7 @@ public abstract class RSAVerifierTest {
@Test
public void testExpirationGood() throws Exception {
token.expiration(Time.currentTime() + 100);
token.exp(Time.currentTime() + 100L);
String encoded = new JWSBuilder()
.jsonContent(token)
@ -169,7 +169,7 @@ public abstract class RSAVerifierTest {
@Test
public void testExpirationBad() {
token.expiration(Time.currentTime() - 100);
token.exp(Time.currentTime() - 100L);
String encoded = new JWSBuilder()
.jsonContent(token)


@ -82,37 +82,37 @@ public class JsonWebTokenTest {
@Test
public void isActiveReturnFalseWhenBeforeTimeInFuture() {
int currentTime = Time.currentTime();
int futureTime = currentTime + 10;
long currentTime = Time.currentTime();
long futureTime = currentTime + 10;
JsonWebToken jsonWebToken = new JsonWebToken();
jsonWebToken.notBefore(futureTime);
jsonWebToken.nbf(futureTime);
assertFalse(jsonWebToken.isActive());
}
@Test
public void isActiveReturnTrueWhenBeforeTimeInPast() {
int currentTime = Time.currentTime();
int pastTime = currentTime - 10;
long currentTime = Time.currentTime();
long pastTime = currentTime - 10;
JsonWebToken jsonWebToken = new JsonWebToken();
jsonWebToken.notBefore(pastTime);
jsonWebToken.nbf(pastTime);
assertTrue(jsonWebToken.isActive());
}
@Test
public void isActiveShouldReturnTrueWhenBeforeTimeInFutureWithinTimeSkew() {
int notBeforeTime = Time.currentTime() + 5;
long notBeforeTime = Time.currentTime() + 5;
int allowedClockSkew = 10;
JsonWebToken jsonWebToken = new JsonWebToken();
jsonWebToken.notBefore(notBeforeTime);
jsonWebToken.nbf(notBeforeTime);
assertTrue(jsonWebToken.isActive(allowedClockSkew));
}
@Test
public void isActiveShouldReturnFalseWhenWhenBeforeTimeInFutureOutsideTimeSkew() {
int notBeforeTime = Time.currentTime() + 10;
long notBeforeTime = Time.currentTime() + 10;
int allowedClockSkew = 5;
JsonWebToken jsonWebToken = new JsonWebToken();
jsonWebToken.notBefore(notBeforeTime);
jsonWebToken.nbf(notBeforeTime);
assertFalse(jsonWebToken.isActive(allowedClockSkew));
}


@ -130,4 +130,21 @@ For more details, see the link:{upgradingguide_link}[{upgradingguide_name}].
It is now possible to specify the `cache`, `cache-stack`, and `cache-config-file` options during runtime.
This eliminates the need to execute the build phase and rebuild your image due to them.
For more details, see the link:{upgradingguide_link}[{upgradingguide_name}].
= Removing deprecated methods from `AccessToken`, `IDToken`, and `JsonWebToken` classes
In this release, we are finally removing deprecated methods from the following classes:
* `AccessToken`
* `IDToken`
* `JsonWebToken`
For more details, see the link:{upgradingguide_link}[{upgradingguide_name}].
= Method `getExp` added to `SingleUseObjectKeyModel`
As a consequence of the removal of deprecated methods from `AccessToken`, `IDToken`, and `JsonWebToken`,
the `SingleUseObjectKeyModel` also changed to keep consistency with the method names related to expiration values.
For more details, see the link:{upgradingguide_link}[{upgradingguide_name}].


@ -268,4 +268,36 @@ The new indexes are both applied to the `RESOURCE_SERVER_PERM_TICKET` table. If
{project_name} will skip the creation of the indexes by default during the automatic schema migration, and will instead log the SQL statements
on the console during migration. In this case, the statements must be run manually in the DB after {project_name}'s startup.
See the link:{upgradingguide_link}[{upgradingguide_name}] for details on how to configure a different limit.
See the link:{upgradingguide_link}[{upgradingguide_name}] for details on how to configure a different limit.
= Removing deprecated methods from `AccessToken`, `IDToken`, and `JsonWebToken` classes
The following methods were removed from the `AccessToken` class:
* `expiration`. Use the `exp` method instead.
* `notBefore`. Use the `nbf` method instead.
* `issuedAt`. Use the `iat` method instead.
The following methods were removed from the `IDToken` class:
* `getAuthTime` and `setAuthTime`. Use the `getAuth_time` and `setAuth_time` methods, respectively.
* `notBefore`. Use the `nbf` method instead.
* `issuedAt`. Use the `iat` method instead.
* `setSessionState`. Use the `setSessionId` method instead (See the details above in the section about `session_state` claim)
The following methods were removed from the `JsonWebToken` class:
* `expiration`. Use the `exp` method instead.
* `notBefore`. Use the `nbf` method instead.
* `issuedAt`. Use the `iat` method instead.
You should also expect both `exp` and `nbf` claims not set in tokens as they are optional. Previously, these claims were
being set with a value of `0` what does not make mush sense because their value should be a valid `NumericDate`.
= Method `getExp` added to `SingleUseObjectKeyModel`
As a consequence of the removal of deprecated methods from `AccessToken`, `IDToken`, and `JsonWebToken`,
the `SingleUseObjectKeyModel` also changed to keep consistency with the method names related to expiration values.
The previous `getExpiration` method is now deprecated and you should prefer using new newly introduced `getExp` method
to avoid overflow after 2038.


@ -200,10 +200,10 @@ public class AuthUtil {
reqToken.subject(clientId);
reqToken.audience(realmInfoUrl);
int now = Time.currentTime();
reqToken.issuedAt(now);
reqToken.expiration(now + sigLifetime);
reqToken.notBefore(now);
long now = Time.currentTime();
reqToken.iat(now);
reqToken.exp(now + sigLifetime);
reqToken.nbf(now);
String signedRequestToken = new JWSBuilder()
.jsonContent(reqToken)


@ -39,7 +39,15 @@ public interface SingleUseObjectKeyModel {
/**
* Returns absolute number of seconds since the epoch in UTC timezone when the token expires.
*/
int getExpiration();
Long getExp();
/**
* @deprecated int will overflow with values after 2038. Use {@link #getExp()} instead.
*/
@Deprecated
default int getExpiration() {
return getExp().intValue();
}
/**
* @return Single-use random value used for verification whether the relevant action is allowed.
@ -49,6 +57,6 @@ public interface SingleUseObjectKeyModel {
default String serializeKey() {
String userId = getUserId();
String encodedUserId = userId == null ? "" : Base64.encodeBytes(userId.getBytes(StandardCharsets.UTF_8));
return String.format("%s.%d.%s.%s", encodedUserId, getExpiration(), getActionVerificationNonce(), getActionId());
return String.format("%s.%d.%s.%s", encodedUserId, getExp(), getActionVerificationNonce(), getActionId());
}
}
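Review bot: The deprecated default `getExpiration()` returns `getExp().intValue()`, which throws a NullPointerException when an implementation reports no expiration, whereas the `int` accessors removed from `JsonWebToken` in this commit returned 0 in that case. A null-safe body keeps the old contract for remaining callers: `Long exp = getExp(); return exp != null ? exp.intValue() : 0;`. `serializeKey()` now formats `getExp()` with `%d`, and a null `Long` is rendered as the text `null` inside the key, so the Javadoc on `getExp()` should state whether null is a permitted return value. If it is, `serializeKey()` needs a defined encoding for it.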


@ -158,7 +158,7 @@ public class DefaultActionToken extends DefaultActionTokenKey implements SingleU
String issuerUri = getIssuer(realm, uri);
this
.issuedAt(Time.currentTime())
.issuedNow()
.id(getActionVerificationNonce().toString())
.issuer(issuerUri)
.audience(issuerUri);


@ -19,6 +19,8 @@
package org.keycloak.authentication.authenticators.client;
import java.util.Optional;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;
@ -166,7 +168,7 @@ public class JWTClientValidator {
}
// KEYCLOAK-2986, token-timeout or token-expiration in keycloak.json might not be used
if (token.getExpiration() == 0 && token.getIssuedAt() + 10 < currentTime) {
if ((token.getExp() == null || token.getExp() <= 0) && token.getIat() + 10 < currentTime) {
throw new RuntimeException("Token is not active");
}
@ -180,7 +182,7 @@ public class JWTClientValidator {
if (client == null) throw new IllegalStateException("Incorrect usage. Variable 'client' is null. Need to validate client first before validateToken reuse");
SingleUseObjectProvider singleUseCache = context.getSession().singleUseObjects();
int lifespanInSecs = Math.max(token.getExpiration() - currentTime, 10);
long lifespanInSecs = Math.max(Optional.ofNullable(token.getExp()).orElse(0L) - currentTime, 10);
if (singleUseCache.putIfAbsent(token.getId(), lifespanInSecs)) {
logger.tracef("Added token '%s' to single-use cache. Lifespan: %d seconds, client: %s", token.getId(), lifespanInSecs, client.getClientId());


@ -64,10 +64,10 @@ public class RPTIntrospectionProvider extends AccessTokenIntrospectionProvider {
metadata.id(accessToken.getId());
metadata.setAcr(accessToken.getAcr());
metadata.type(accessToken.getType());
metadata.expiration(accessToken.getExpiration());
metadata.issuedAt(accessToken.getIssuedAt());
metadata.exp(accessToken.getExp());
metadata.iat(accessToken.getIat());
metadata.audience(accessToken.getAudience());
metadata.notBefore(accessToken.getNotBefore());
metadata.nbf(accessToken.getNbf());
metadata.setRealmAccess(null);
metadata.setResourceAccess(null);


@ -458,8 +458,8 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
audience = getConfig().getTokenUrl();
}
jwt.audience(audience);
int expirationDelay = session.getContext().getRealm().getAccessCodeLifespan();
jwt.expiration(Time.currentTime() + expirationDelay);
long expirationDelay = session.getContext().getRealm().getAccessCodeLifespan();
jwt.exp(Time.currentTime() + expirationDelay);
jwt.issuedNow();
return jwt;
}


@ -105,8 +105,8 @@ public class DockerAuthV2Protocol implements LoginProtocol {
// since realm access token is given in seconds
final int accessTokenLifespan = realm.getAccessTokenLifespan();
responseToken.notBefore(responseToken.getIssuedAt())
.expiration(responseToken.getIssuedAt() + accessTokenLifespan);
responseToken.nbf(responseToken.getIat())
.exp(responseToken.getIat() + accessTokenLifespan);
// Next, allow mappers to decorate the token to add/remove scopes as appropriate
@ -126,7 +126,7 @@ public class DockerAuthV2Protocol implements LoginProtocol {
.type("JWT")
.jsonContent(responseToken)
.rsa256(activeKey.getPrivateKey());
final String expiresInIso8601String = new SimpleDateFormat(ISO_8601_DATE_FORMAT).format(new Date(responseToken.getIssuedAt() * 1000L));
final String expiresInIso8601String = new SimpleDateFormat(ISO_8601_DATE_FORMAT).format(new Date(responseToken.getIat() * 1000L));
final DockerResponse responseEntity = new DockerResponse()
.setToken(encodedToken)
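Review bot: In the second hunk the local `expiresInIso8601String` is built from `responseToken.getIat()`, so the name says expiry while the value is the issue time. If the response field is meant to carry the issue time, rename the local to something like `issuedAtIso8601String`. If it is meant to carry the expiry, the value should come from `getExp()` instead. The `DockerResponse` setter that receives this string is outside the hunk, so which of the two is intended cannot be confirmed from here.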


@ -126,7 +126,6 @@ import static org.keycloak.representations.IDToken.NONCE;
*/
public class TokenManager {
private static final Logger logger = Logger.getLogger(TokenManager.class);
private static final String JWT = "JWT";
public static class TokenValidation {
public final UserModel user;
@ -457,7 +456,7 @@ public class TokenManager {
if (clientSession.getCurrentRefreshToken() != null
&& !refreshToken.getId().equals(clientSession.getCurrentRefreshToken())
&& refreshToken.getIssuedAt() < clientSession.getTimestamp()
&& refreshToken.getIat() < clientSession.getTimestamp()
&& startupTime <= clientSession.getTimestamp()) {
throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Stale token");
}
@ -476,7 +475,6 @@ public class TokenManager {
throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Maximum allowed refresh token reuse exceeded",
"Maximum allowed refresh token reuse exceeded");
}
return;
}
public RefreshToken verifyRefreshToken(KeycloakSession session, RealmModel realm, ClientModel client, HttpRequest request, String encodedRefreshToken, boolean checkExpiration) throws OAuthErrorException {
@ -973,13 +971,13 @@ public class TokenManager {
token.setSessionId(session.getId());
ClientScopeModel offlineAccessScope = KeycloakModelUtils.getClientScopeByName(realm, OAuth2Constants.OFFLINE_ACCESS);
boolean offlineTokenRequested = offlineAccessScope == null ? false
: clientSessionCtx.getClientScopeIds().contains(offlineAccessScope.getId());
token.expiration(getTokenExpiration(realm, client, session, clientSession, offlineTokenRequested));
: clientSessionCtx.getClientScopeIds().contains(offlineAccessScope.getId());
token.exp(getTokenExpiration(realm, client, session, clientSession, offlineTokenRequested));
return token;
}
private int getTokenExpiration(RealmModel realm, ClientModel client, UserSessionModel userSession,
private Long getTokenExpiration(RealmModel realm, ClientModel client, UserSessionModel userSession,
AuthenticatedClientSessionModel clientSession, boolean offlineTokenRequested) {
boolean implicitFlow = false;
String responseType = clientSession.getNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM);
@ -1016,7 +1014,7 @@ public class TokenManager {
realm, client);
expiration = sessionExpires > 0? Math.min(expiration, sessionExpires) : expiration;
return (int) TimeUnit.MILLISECONDS.toSeconds(expiration);
return TimeUnit.MILLISECONDS.toSeconds(expiration);
}
@ -1131,15 +1129,15 @@ public class TokenManager {
}
refreshToken.type(TokenUtil.TOKEN_TYPE_OFFLINE);
if (realm.isOfflineSessionMaxLifespanEnabled()) {
refreshToken.expiration(getExpiration(true));
refreshToken.exp(getExpiration(true));
}
sessionManager.createOrUpdateOfflineSession(clientSessionCtx.getClientSession(), userSession);
} else {
refreshToken.expiration(getExpiration(false));
refreshToken.exp(getExpiration(false));
}
}
private int getExpiration(boolean offline) {
private Long getExpiration(boolean offline) {
long expiration = SessionExpirationUtils.calculateClientSessionIdleTimestamp(
offline, userSession.isRememberMe(),
TimeUnit.SECONDS.toMillis(clientSessionCtx.getClientSession().getTimestamp()),
@ -1151,7 +1149,7 @@ public class TokenManager {
realm, client);
expiration = lifespan > 0? Math.min(expiration, lifespan) : expiration;
return (int) TimeUnit.MILLISECONDS.toSeconds(expiration);
return TimeUnit.MILLISECONDS.toSeconds(expiration);
}
public AccessTokenResponseBuilder generateIDToken() {
@ -1172,7 +1170,7 @@ public class TokenManager {
idToken.issuer(accessToken.getIssuer());
idToken.setNonce(clientSessionCtx.getAttribute(OIDCLoginProtocol.NONCE_PARAM, String.class));
idToken.setSessionId(accessToken.getSessionId());
idToken.expiration(accessToken.getExpiration());
idToken.exp(accessToken.getExp());
// Protocol mapper is supposed to set this in case "step_up_authentication" feature enabled
if (!Profile.isFeatureEnabled(Profile.Feature.STEP_UP_AUTHENTICATION)) {
@ -1229,8 +1227,8 @@ public class TokenManager {
res.setToken(encodedToken);
res.setTokenType(responseTokenType);
res.setSessionState(accessToken.getSessionState());
if (accessToken.getExpiration() != 0) {
res.setExpiresIn(accessToken.getExpiration() - Time.currentTime());
if (accessToken.getExp() != 0) {
res.setExpiresIn(accessToken.getExp() - Time.currentTime());
}
}
@ -1253,8 +1251,9 @@ public class TokenManager {
if (refreshToken != null) {
String encodedToken = session.tokens().encode(refreshToken);
res.setRefreshToken(encodedToken);
if (refreshToken.getExpiration() != 0) {
res.setRefreshExpiresIn(refreshToken.getExpiration() - Time.currentTime());
Long exp = refreshToken.getExp();
if (exp != null && exp > 0) {
res.setRefreshExpiresIn(exp - Time.currentTime());
}
}
@ -1309,7 +1308,7 @@ public class TokenManager {
@Override
public boolean test(JsonWebToken t) throws VerificationException {
if (t.getIssuedAt() < notBefore) {
if (t.getIat() < notBefore) {
throw new VerificationException("Stale token");
}
@ -1367,7 +1366,7 @@ public class TokenManager {
}
LogoutToken logoutToken = logoutTokenOptional.get();
List<OIDCIdentityProvider> identityProviders = getOIDCIdentityProviders(realm, session).collect(Collectors.toList());
List<OIDCIdentityProvider> identityProviders = getOIDCIdentityProviders(realm, session).toList();
if (identityProviders.isEmpty()) {
return LogoutTokenValidationCode.COULD_NOT_FIND_IDP;
}
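Review bot: The access-token branch still guards with `accessToken.getExp() != 0`, which unboxes the `Long` and throws a NullPointerException when the claim is absent, while the refresh-token branch directly below was rewritten to `exp != null && exp > 0`. The upgrade notes in this same commit state that `exp` may now be unset rather than 0, so the `!= 0` comparison no longer matches the "no expiry" case it was written for. Use the same shape in both branches: `Long exp = accessToken.getExp(); if (exp != null && exp > 0) { res.setExpiresIn(exp - Time.currentTime()); }`. The access token built earlier in this file always receives an `exp`, so the failure would need a token from another path; the enclosing builder method starts outside the hunk.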


@ -524,7 +524,7 @@ public class LogoutEndpoint {
}
if (userSessionModel != null) {
checkTokenIssuedAt(token.getIssuedAt(), userSessionModel);
checkTokenIssuedAt(token.getIat(), userSessionModel);
logout(userSessionModel, offline);
}
} catch (OAuthErrorException e) {
@ -727,7 +727,7 @@ public class LogoutEndpoint {
}
}
private void checkTokenIssuedAt(int idTokenIssuedAt, UserSessionModel userSession) throws OAuthErrorException {
private void checkTokenIssuedAt(long idTokenIssuedAt, UserSessionModel userSession) throws OAuthErrorException {
if (idTokenIssuedAt + 1 < userSession.getStarted()) {
throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Toked issued before the user session started");
}


@ -56,8 +56,7 @@ public class ClientRegistrationTokenUtils {
regToken.type(auth.getJwt().getType());
regToken.id(auth.getJwt().getId());
regToken.issuedAt(Time.currentTime());
regToken.expiration(0);
regToken.issuedNow();
regToken.issuer(auth.getJwt().getIssuer());
regToken.audience(auth.getJwt().getIssuer());
@ -117,13 +116,13 @@ public class ClientRegistrationTokenUtils {
return TokenVerification.success(kid, jwt);
}
private static String setupToken(JsonWebToken jwt, KeycloakSession session, RealmModel realm, String id, String type, int expiration) {
private static String setupToken(JsonWebToken jwt, KeycloakSession session, RealmModel realm, String id, String type, long expiration) {
String issuer = getIssuer(session, realm);
jwt.type(type);
jwt.id(id);
jwt.issuedAt(Time.currentTime());
jwt.expiration(expiration);
jwt.issuedNow();
jwt.exp(expiration);
jwt.issuer(issuer);
jwt.audience(issuer);
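Review bot: `setupToken` calls `jwt.exp(expiration)` unconditionally, so a caller that passes 0 to mean "does not expire" now produces a token with an explicit `exp` of 0. The first hunk of this section dropped `regToken.expiration(0)` precisely so that the claim is left out. The callers of `setupToken` are outside the hunk; if any of them can pass 0, write the claim only for a real timestamp: `jwt.exp(expiration > 0 ? expiration : null);`. That keeps the issued tokens consistent with the upgrade note that `exp` is omitted rather than set to 0.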


@ -759,9 +759,9 @@ public class AuthenticationManager {
}
if (session != null && session.isRememberMe() && realm.getSsoSessionMaxLifespanRememberMe() > 0) {
token.expiration(Time.currentTime() + realm.getSsoSessionMaxLifespanRememberMe());
token.exp((long) Time.currentTime() + realm.getSsoSessionMaxLifespanRememberMe());
} else if (realm.getSsoSessionMaxLifespan() > 0) {
token.expiration(Time.currentTime() + realm.getSsoSessionMaxLifespan());
token.exp((long) Time.currentTime() + realm.getSsoSessionMaxLifespan());
}
String stateChecker = (String) keycloakSession.getAttribute("state_checker");
@ -999,7 +999,7 @@ public class AuthenticationManager {
SingleUseObjectKeyModel actionTokenKey = DefaultActionTokenKey.from(actionTokenKeyToInvalidate);
if (actionTokenKey != null) {
SingleUseObjectProvider singleUseObjectProvider = session.singleUseObjects();
singleUseObjectProvider.put(actionTokenKeyToInvalidate, actionTokenKey.getExpiration() - Time.currentTime(), null); // Token is invalidated
singleUseObjectProvider.put(actionTokenKeyToInvalidate, actionTokenKey.getExp() - Time.currentTime(), null); // Token is invalidated
}
}
@ -1400,8 +1400,8 @@ public class AuthenticationManager {
AccessToken token = verifier.verify().getToken();
if (checkActive) {
if (!token.isActive() || token.getIssuedAt() < realm.getNotBefore()) {
logger.debugf("Identity cookie expired. Token expiration: %d, Current Time: %d. token issued at: %d, realm not before: %d", token.getExp(), Time.currentTime(), token.getIssuedAt(), realm.getNotBefore());
if (!token.isActive() || token.getIat() < realm.getNotBefore()) {
logger.debugf("Identity cookie expired. Token expiration: %d, Current Time: %d. token issued at: %d, realm not before: %d", token.getExp(), Time.currentTime(), token.getIat(), realm.getNotBefore());
return null;
}
}
@ -1467,7 +1467,7 @@ public class AuthenticationManager {
return false;
}
if (token.getIssuedAt() < client.getNotBefore()) {
if (token.getIat() < client.getNotBefore()) {
logger.debug("Client notBefore newer than token");
return false;
}


@ -755,13 +755,13 @@ public class DemoServletsAdapterTest extends AbstractServletsAdapterTest {
// Get time of token
AccessToken token = tokenMinTTLPage.getAccessToken();
int tokenIssued1 = token.getIssuedAt();
long tokenIssued1 = token.getIat();
// Sets 5 minutes offset and assert access token will be still the same
setAdapterAndServerTimeOffset(300, tokenMinTTLPage.toString());
tokenMinTTLPage.navigateTo();
token = tokenMinTTLPage.getAccessToken();
int tokenIssued2 = token.getIssuedAt();
long tokenIssued2 = token.getIat();
Assert.assertEquals(tokenIssued1, tokenIssued2);
assertFalse(token.isExpired());
@ -769,7 +769,7 @@ public class DemoServletsAdapterTest extends AbstractServletsAdapterTest {
setAdapterAndServerTimeOffset(540, tokenMinTTLPage.toString());
tokenMinTTLPage.navigateTo();
token = tokenMinTTLPage.getAccessToken();
int tokenIssued3 = token.getIssuedAt();
long tokenIssued3 = token.getIat();
Assert.assertTrue(tokenIssued3 > tokenIssued1);
// Revert times
@ -853,8 +853,8 @@ public class DemoServletsAdapterTest extends AbstractServletsAdapterTest {
testRealmLoginPage.form().setPassword("password");
testRealmLoginPage.form().login();
AccessToken token = tokenMinTTLPage.getAccessToken();
int authTime = token.getAuthTime();
assertThat(authTime, is(greaterThanOrEqualTo(currentTime + 10)));
long authTime = token.getAuth_time();
assertThat(authTime, is(greaterThanOrEqualTo(currentTime + 10L)));
} finally {
setAdapterAndServerTimeOffset(0, securePortal.toString());
}


@ -2381,7 +2381,7 @@ public class UserTest extends AbstractAdminTest {
try {
final AccessToken accessToken = TokenVerifier.create(token, AccessToken.class).getToken();
assertEquals(lifespan, accessToken.getExpiration() - accessToken.getIssuedAt());
assertEquals(lifespan, accessToken.getExp() - accessToken.getIat());
} catch (VerificationException e) {
throw new IOException(e);
}


@ -87,6 +87,7 @@ import static org.hamcrest.Matchers.not;
import static org.hamcrest.Matchers.notNullValue;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
import static org.keycloak.testsuite.broker.BrokerTestConstants.REALM_CONS_NAME;
import static org.keycloak.testsuite.broker.BrokerTestConstants.REALM_PROV_NAME;
@ -614,7 +615,7 @@ public final class KcOidcBrokerTransientSessionsTest extends AbstractAdvancedBro
.assertEvent();
assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
assertEquals(0, offlineToken.getExpiration());
assertNull(offlineToken.getExp());
assertTrue(tokenResponse.getScope().contains(OAuth2Constants.OFFLINE_ACCESS));


@ -397,11 +397,11 @@ public class OIDCPairwiseClientRegistrationTest extends AbstractClientRegistrati
Assert.assertEquals(idToken.getSubject(), refreshedRefreshToken.getSubject());
// its iat Claim MUST represent the time that the new ID Token is issued
Assert.assertEquals(refreshedIdToken.getIssuedAt(), refreshedRefreshToken.getIssuedAt());
Assert.assertEquals(refreshedIdToken.getIat(), refreshedRefreshToken.getIat());
// if the ID Token contains an auth_time Claim, its value MUST represent the time of the original authentication
// - not the time that the new ID token is issued
Assert.assertEquals(idToken.getAuthTime(), refreshedIdToken.getAuthTime());
Assert.assertEquals(idToken.getAuth_time(), refreshedIdToken.getAuth_time());
// its azp Claim Value MUST be the same as in the ID Token issued when the original authentication occurred; if
// no azp Claim was present in the original ID Token, one MUST NOT be present in the new ID Token
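Review bot: The `iat` check now compares boxed `Long` values, so `Assert.assertEquals(refreshedIdToken.getIat(), refreshedRefreshToken.getIat());` also passes when both getters return null. That would not satisfy the "iat Claim MUST represent the time that the new ID Token is issued" requirement quoted in the comment above it. An `Assert.assertNotNull(refreshedIdToken.getIat());` before the comparison would close that gap. The `auth_time` comparison is conditional per its own comment and can stay as it is. The enclosing test method starts and ends outside the hunk.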


@ -478,7 +478,7 @@ public class ClientStorageTest extends AbstractTestRealmKeycloakTest {
.assertEvent();
Assert.assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
Assert.assertEquals(0, offlineToken.getExpiration());
Assert.assertNull(offlineToken.getExp());
testRefreshWithOfflineToken(token, offlineToken, offlineTokenString, token.getSessionState(), userId);


@ -856,7 +856,7 @@ public abstract class AbstractMigrationTest extends AbstractKeycloakTest {
private void assertOfflineToken(String offlineToken) {
RefreshToken offlineTokenParsed = oauth.parseRefreshToken(offlineToken);
assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineTokenParsed.getType());
assertEquals(0, offlineTokenParsed.getExpiration());
assertNull(offlineTokenParsed.getExp());
assertTrue(TokenUtil.hasScope(offlineTokenParsed.getScope(), OAuth2Constants.OFFLINE_ACCESS));
}


@ -86,7 +86,6 @@ import org.keycloak.common.util.KeystoreUtil.KeystoreFormat;
import org.keycloak.constants.ServiceUrlConstants;
import org.keycloak.crypto.Algorithm;
import org.keycloak.crypto.ECDSAAlgorithm;
import org.keycloak.crypto.ECDSASignatureProvider;
import org.keycloak.crypto.KeyType;
import org.keycloak.crypto.SignatureSignerContext;
import org.keycloak.events.Details;
@ -806,10 +805,10 @@ public abstract class AbstractClientAuthSignedJWTTest extends AbstractKeycloakTe
if (isClaimEnabled("subject")) reqToken.subject(clientId);
if (isClaimEnabled("audience")) reqToken.audience(realmInfoUrl);
int now = Time.currentTime();
if (isClaimEnabled("issuedAt")) reqToken.issuedAt(now);
if (isClaimEnabled("expiration")) reqToken.expiration(now + getTokenTimeout());
if (isClaimEnabled("notBefore")) reqToken.notBefore(now);
long now = Time.currentTime();
if (isClaimEnabled("issuedAt")) reqToken.iat(now);
if (isClaimEnabled("expiration")) reqToken.exp(now + getTokenTimeout());
if (isClaimEnabled("notBefore")) reqToken.nbf(now);
return reqToken;
}
@ -934,10 +933,10 @@ public abstract class AbstractClientAuthSignedJWTTest extends AbstractKeycloakTe
reqToken.subject(clientId);
reqToken.audience(realmInfoUrl);
int now = Time.currentTime();
reqToken.issuedAt(now);
reqToken.expiration(now + 10);
reqToken.notBefore(now);
long now = Time.currentTime();
reqToken.iat(now);
reqToken.exp(now + 10);
reqToken.nbf(now);
return reqToken;
}


@ -235,13 +235,10 @@ public class AccessTokenTest extends AbstractKeycloakTest {
assertEquals(sessionId, sid);
assertNull(token.getNbf());
assertEquals(0, token.getNotBefore());
assertNotNull(token.getIat());
assertEquals(token.getIat().intValue(), token.getIssuedAt());
assertNotNull(token.getExp());
assertEquals(token.getExp().intValue(), token.getExpiration());
assertEquals(1, token.getRealmAccess().getRoles().size());
assertTrue(token.getRealmAccess().isUserInRole("user"));


@ -493,9 +493,9 @@ public class OAuthProofKeyForCodeExchangeTest extends AbstractKeycloakTest {
RefreshToken refreshToken = oauth.parseRefreshToken(refreshTokenString);
Assert.assertNotNull(refreshTokenString);
assertThat(token.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(200), lessThanOrEqualTo(350)));
int actual = refreshToken.getExpiration() - getCurrentTime();
assertThat(actual, allOf(greaterThanOrEqualTo(1799 - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800 + RefreshTokenTest.ALLOWED_CLOCK_SKEW)));
assertThat(token.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(200L), lessThanOrEqualTo(350L)));
long actual = refreshToken.getExp() - getCurrentTime();
assertThat(actual, allOf(greaterThanOrEqualTo(1799L - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800L + RefreshTokenTest.ALLOWED_CLOCK_SKEW)));
assertEquals(sessionId, refreshToken.getSessionState());
setTimeOffset(2);
@ -510,10 +510,10 @@ public class OAuthProofKeyForCodeExchangeTest extends AbstractKeycloakTest {
assertEquals(sessionId, refreshedRefreshToken.getSessionState());
assertThat(refreshResponse.getExpiresIn(), allOf(greaterThanOrEqualTo(250), lessThanOrEqualTo(300)));
assertThat(refreshedToken.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(250 - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(300 + RefreshTokenTest.ALLOWED_CLOCK_SKEW)));
assertThat(refreshedToken.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(250L - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(300L + RefreshTokenTest.ALLOWED_CLOCK_SKEW)));
assertThat(refreshedToken.getExpiration() - token.getExpiration(), allOf(greaterThanOrEqualTo(1), lessThanOrEqualTo(10)));
assertThat(refreshedRefreshToken.getExpiration() - refreshToken.getExpiration(), allOf(greaterThanOrEqualTo(1), lessThanOrEqualTo(10)));
assertThat(refreshedToken.getExp() - token.getExp(), allOf(greaterThanOrEqualTo(1L), lessThanOrEqualTo(10L)));
assertThat(refreshedRefreshToken.getExp() - refreshToken.getExp(), allOf(greaterThanOrEqualTo(1L), lessThanOrEqualTo(10L)));
Assert.assertNotEquals(token.getId(), refreshedToken.getId());
Assert.assertNotEquals(refreshToken.getId(), refreshedRefreshToken.getId());


@ -256,7 +256,7 @@ public class OfflineTokenTest extends AbstractKeycloakTest {
.assertEvent();
assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
assertEquals(0, offlineToken.getExpiration());
Assert.assertNull(offlineToken.getExp());
assertTrue(tokenResponse.getScope().contains(OAuth2Constants.OFFLINE_ACCESS));
@ -356,7 +356,7 @@ public class OfflineTokenTest extends AbstractKeycloakTest {
.assertEvent();
Assert.assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
Assert.assertEquals(0, offlineToken.getExpiration());
Assert.assertNull(offlineToken.getExp());
testRefreshWithOfflineToken(token, offlineToken, offlineTokenString, token.getSessionState(), userId);
@ -391,7 +391,7 @@ public class OfflineTokenTest extends AbstractKeycloakTest {
.assertEvent();
Assert.assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
Assert.assertEquals(0, offlineToken.getExpiration());
Assert.assertNull(offlineToken.getExp());
String offlineTokenString2 = testRefreshWithOfflineToken(token, offlineToken, offlineTokenString, token.getSessionState(), userId);
RefreshToken offlineToken2 = oauth.parseRefreshToken(offlineTokenString2);
@ -440,7 +440,7 @@ public class OfflineTokenTest extends AbstractKeycloakTest {
.assertEvent();
Assert.assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
Assert.assertEquals(0, offlineToken.getExpiration());
Assert.assertNull(offlineToken.getExp());
testRefreshWithOfflineToken(token, offlineToken, offlineTokenString, token.getSessionState(), serviceAccountUserId);
@ -677,7 +677,7 @@ public class OfflineTokenTest extends AbstractKeycloakTest {
.assertEvent();
assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
assertEquals(0, offlineToken.getExpiration());
assertNull(offlineToken.getExp());
String offlineUserSessionId = testingClient.server().fetch((KeycloakSession session) ->
session.sessions().getOfflineUserSession(session.realms().getRealmByName("test"), offlineToken.getSessionState()).getId(), String.class);
@ -714,7 +714,7 @@ public class OfflineTokenTest extends AbstractKeycloakTest {
.assertEvent();
assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken2.getType());
assertEquals(0, offlineToken2.getExpiration());
Assert.assertNull(offlineToken.getExp());
// Assert session changed
assertNotEquals(offlineToken.getSessionState(), offlineToken2.getSessionState());
@ -977,7 +977,7 @@ public class OfflineTokenTest extends AbstractKeycloakTest {
.assertEvent();
Assert.assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
Assert.assertEquals(0, offlineToken.getExpiration());
Assert.assertNull(offlineToken.getExp());
testRefreshWithOfflineToken(token, offlineToken, offlineTokenString, token.getSessionState(), serviceAccountUserId);
@ -1049,7 +1049,7 @@ public class OfflineTokenTest extends AbstractKeycloakTest {
.assertEvent();
Assert.assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
Assert.assertEquals(0, offlineToken.getExpiration());
Assert.assertNull(offlineToken.getExp());
}
@Test
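Review bot: In the hunk at -714,7 the replacement line asserts on the wrong variable. The neighbouring lines check `offlineToken2.getType()` and the removed line checked `offlineToken2.getExpiration()`, but the new line is `Assert.assertNull(offlineToken.getExp());`, so the absence of `exp` on the second offline token is no longer verified. It should read `assertNull(offlineToken2.getExp());`. As a style point, the section mixes `Assert.assertNull(...)` with the statically imported `assertNull(...)`, sometimes next to bare `assertEquals` calls; matching the qualifier of the adjacent assertions would keep each hunk consistent.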


@ -247,9 +247,9 @@ public class RefreshTokenTest extends AbstractKeycloakTest {
assertEquals("Bearer", tokenResponse.getTokenType());
assertThat(token.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(200), lessThanOrEqualTo(350)));
int actual = refreshToken.getExpiration() - getCurrentTime();
assertThat(actual, allOf(greaterThanOrEqualTo(1799 - ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800 + ALLOWED_CLOCK_SKEW)));
assertThat(token.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(200L), lessThanOrEqualTo(350L)));
long actual = refreshToken.getExp() - getCurrentTime();
assertThat(actual, allOf(greaterThanOrEqualTo(1799L - ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800L + ALLOWED_CLOCK_SKEW)));
assertEquals(sessionId, refreshToken.getSessionState());
assertNull(refreshToken.getNonce());
@ -264,10 +264,10 @@ public class RefreshTokenTest extends AbstractKeycloakTest {
assertEquals(sessionId, refreshedRefreshToken.getSessionState());
assertThat(response.getExpiresIn(), allOf(greaterThanOrEqualTo(250), lessThanOrEqualTo(300)));
assertThat(refreshedToken.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(250 - ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(300 + ALLOWED_CLOCK_SKEW)));
assertThat(refreshedToken.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(250L - ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(300L + ALLOWED_CLOCK_SKEW)));
assertThat(refreshedToken.getExpiration() - token.getExpiration(), allOf(greaterThanOrEqualTo(0), lessThanOrEqualTo(10)));
assertThat(refreshedRefreshToken.getExpiration() - refreshToken.getExpiration(), allOf(greaterThanOrEqualTo(0), lessThanOrEqualTo(10)));
assertThat(refreshedToken.getExp() - token.getExp(), allOf(greaterThanOrEqualTo(0L), lessThanOrEqualTo(10L)));
assertThat(refreshedRefreshToken.getExp() - refreshToken.getExp(), allOf(greaterThanOrEqualTo(0L), lessThanOrEqualTo(10L)));
// "test-app" should not be an audience in the refresh token
assertEquals("test-app", refreshedRefreshToken.getIssuedFor());


@ -69,6 +69,7 @@ import java.util.ArrayList;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
@ -170,9 +171,9 @@ public class TokenIntrospectionTest extends AbstractTestRealmKeycloakTest {
assertTrue(rep.isActive());
assertEquals("test-user@localhost", rep.getUserName());
assertEquals("test-app", rep.getClientId());
assertEquals(jsonNode.get("exp").asInt(), rep.getExpiration());
assertEquals(jsonNode.get("iat").asInt(), rep.getIssuedAt());
assertEquals(jsonNode.get("nbf"), rep.getNbf());
assertEquals(Long.valueOf(jsonNode.get("exp").asLong()), rep.getExp());
assertEquals(Long.valueOf(jsonNode.get("iat").asLong()), rep.getIat());
assertEquals(Optional.ofNullable(jsonNode.get("nbf")).map(JsonNode::asLong).orElse(null), rep.getNbf());
assertEquals(jsonNode.get("sub").asText(), rep.getSubject());
List<String> audiences = new ArrayList<>();
@ -226,9 +227,9 @@ public class TokenIntrospectionTest extends AbstractTestRealmKeycloakTest {
assertTrue(rep.isActive());
assertEquals("test-app", rep.getClientId());
assertEquals(jsonNode.get("sid").asText(), rep.getSessionState());
assertEquals(jsonNode.get("exp").asInt(), rep.getExpiration());
assertEquals(jsonNode.get("iat").asInt(), rep.getIssuedAt());
assertEquals(jsonNode.get("nbf"), rep.getNbf());
assertEquals(Long.valueOf(jsonNode.get("exp").asLong()), rep.getExp());
assertEquals(Long.valueOf(jsonNode.get("iat").asLong()), rep.getIat());
assertEquals(Optional.ofNullable(jsonNode.get("nbf")).map(JsonNode::asLong).orElse(null), rep.getNbf());
assertEquals(jsonNode.get("iss").asText(), rep.getIssuer());
assertEquals(jsonNode.get("jti").asText(), rep.getId());
assertEquals(jsonNode.get("typ").asText(), "Refresh");


@ -335,9 +335,9 @@ public class HoKTest extends AbstractTestRealmKeycloakTest {
Assert.assertNotNull(refreshTokenString);
assertEquals("Bearer", tokenResponse.getTokenType());
assertThat(token.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(200), lessThanOrEqualTo(350)));
int actual = refreshToken.getExpiration() - getCurrentTime();
assertThat(actual, allOf(greaterThanOrEqualTo(1799 - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800 + RefreshTokenTest.ALLOWED_CLOCK_SKEW)));
assertThat(token.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(200L), lessThanOrEqualTo(350L)));
long actual = refreshToken.getExp() - getCurrentTime();
assertThat(actual, allOf(greaterThanOrEqualTo(1799L - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800L + RefreshTokenTest.ALLOWED_CLOCK_SKEW)));
assertEquals(sessionId, refreshToken.getSessionState());
setTimeOffset(2);
@ -372,9 +372,9 @@ public class HoKTest extends AbstractTestRealmKeycloakTest {
Assert.assertNotNull(refreshTokenString);
assertEquals("Bearer", tokenResponse.getTokenType());
assertThat(token.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(200), lessThanOrEqualTo(350)));
int actual = refreshToken.getExpiration() - getCurrentTime();
assertThat(actual, allOf(greaterThanOrEqualTo(1799 - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800 + RefreshTokenTest.ALLOWED_CLOCK_SKEW)));
assertThat(token.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(200L), lessThanOrEqualTo(350L)));
long actual = refreshToken.getExp() - getCurrentTime();
assertThat(actual, allOf(greaterThanOrEqualTo(1799L - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800L + RefreshTokenTest.ALLOWED_CLOCK_SKEW)));
assertEquals(sessionId, refreshToken.getSessionState());
setTimeOffset(2);
@ -410,10 +410,10 @@ public class HoKTest extends AbstractTestRealmKeycloakTest {
assertEquals(sessionId, refreshedRefreshToken.getSessionState());
assertThat(response.getExpiresIn(), allOf(greaterThanOrEqualTo(250), lessThanOrEqualTo(300)));
assertThat(refreshedToken.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(250 - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(300 + RefreshTokenTest.ALLOWED_CLOCK_SKEW)));
assertThat(refreshedToken.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(250L - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(300L + RefreshTokenTest.ALLOWED_CLOCK_SKEW)));
assertThat(refreshedToken.getExpiration() - token.getExpiration(), allOf(greaterThanOrEqualTo(1), lessThanOrEqualTo(10)));
assertThat(refreshedRefreshToken.getExpiration() - refreshToken.getExpiration(), allOf(greaterThanOrEqualTo(1), lessThanOrEqualTo(10)));
assertThat(refreshedToken.getExp() - token.getExp(), allOf(greaterThanOrEqualTo(1L), lessThanOrEqualTo(10L)));
assertThat(refreshedRefreshToken.getExp() - refreshToken.getExp(), allOf(greaterThanOrEqualTo(1L), lessThanOrEqualTo(10L)));
Assert.assertNotEquals(token.getId(), refreshedToken.getId());
Assert.assertNotEquals(refreshToken.getId(), refreshedRefreshToken.getId());


@ -205,8 +205,8 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
IDToken idToken = sendTokenRequestAndGetIDToken(loginEvent);
// Check that authTime is available and set to current time
int authTime = idToken.getAuthTime();
int currentTime = Time.currentTime();
long authTime = idToken.getAuth_time();
long currentTime = Time.currentTime();
Assert.assertTrue(authTime <= currentTime && authTime + 3 >= currentTime);
// Set time offset
@ -225,7 +225,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
idToken = sendTokenRequestAndGetIDToken(loginEvent);
// Assert that authTime was updated
int authTimeUpdated = idToken.getAuthTime();
long authTimeUpdated = idToken.getAuth_time();
Assert.assertTrue(authTime + 10 <= authTimeUpdated);
}
@ -238,8 +238,8 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
IDToken idToken = sendTokenRequestAndGetIDToken(loginEvent);
// Check that authTime is available and set to current time
int authTime = idToken.getAuthTime();
int currentTime = Time.currentTime();
long authTime = idToken.getAuth_time();
long currentTime = Time.currentTime();
Assert.assertTrue(authTime <= currentTime && authTime + 3 >= currentTime);
// Set time offset
@ -255,7 +255,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
idToken = sendTokenRequestAndGetIDToken(loginEvent);
// Assert that authTime is still the same
int authTimeUpdated = idToken.getAuthTime();
long authTimeUpdated = idToken.getAuth_time();
Assert.assertEquals(authTime, authTimeUpdated);
}
@ -293,7 +293,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
EventRepresentation loginEvent = events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent();
IDToken idToken = sendTokenRequestAndGetIDToken(loginEvent);
int authTime = idToken.getAuthTime();
long authTime = idToken.getAuth_time();
// Set time offset
setTimeOffset(10);
@ -304,7 +304,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
loginEvent = events.expectLogin().removeDetail(Details.USERNAME).assertEvent();
idToken = sendTokenRequestAndGetIDToken(loginEvent);
int authTime2 = idToken.getAuthTime();
long authTime2 = idToken.getAuth_time();
Assert.assertEquals(authTime, authTime2);
}
@ -383,7 +383,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
IDToken newIdToken = sendTokenRequestAndGetIDToken(loginEvent);
// Assert that authTime wasn't updated
Assert.assertEquals(oldIdToken.getAuthTime(), newIdToken.getAuthTime());
Assert.assertEquals(oldIdToken.getAuth_time(), newIdToken.getAuth_time());
// Set time offset
setTimeOffset(20);
@ -399,8 +399,8 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
newIdToken = sendTokenRequestAndGetIDToken(loginEvent);
// Assert that authTime was updated
Assert.assertTrue("Expected auth time to change. old auth time: " + oldIdToken.getAuthTime() + " , new auth time: " + newIdToken.getAuthTime(),
oldIdToken.getAuthTime() + 20 <= newIdToken.getAuthTime());
Assert.assertTrue("Expected auth time to change. old auth time: " + oldIdToken.getAuth_time() + " , new auth time: " + newIdToken.getAuth_time(),
oldIdToken.getAuth_time() + 20 <= newIdToken.getAuth_time());
// Assert userSession didn't change
Assert.assertEquals(oldIdToken.getSessionState(), newIdToken.getSessionState());