replaced and removed deprecated token methods (#27715)

closes #19671 

Signed-off-by: Mark Banierink <mark.banierink@nedap.com>


Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
This commit is contained in:
Mark Banierink 2024-04-23 09:23:37 +02:00 committed by GitHub
parent 8e48bac278
commit ad32896725
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
42 changed files with 216 additions and 259 deletions

View file

@ -110,7 +110,7 @@ public class BearerTokenRequestAuthenticator {
challenge = challengeResponse(exchange, OIDCAuthenticationError.Reason.INVALID_TOKEN, "invalid_token", e.getMessage());
return AuthOutcome.FAILED;
}
if (token.getIssuedAt() < deployment.getNotBefore()) {
if (token.getIat() < deployment.getNotBefore()) {
log.debug("Stale token");
challenge = challengeResponse(exchange, OIDCAuthenticationError.Reason.STALE_TOKEN, "invalid_token", "Stale token");
return AuthOutcome.FAILED;

View file

@ -369,7 +369,7 @@ public class OAuthRequestAuthenticator {
if (tokenResponse.getNotBeforePolicy() > deployment.getNotBefore()) {
deployment.updateNotBefore(tokenResponse.getNotBeforePolicy());
}
if (token.getIssuedAt() < deployment.getNotBefore()) {
if (token.getIat() < deployment.getNotBefore()) {
log.error("Stale token");
return challenge(403, OIDCAuthenticationError.Reason.STALE_TOKEN, null);
}

View file

@ -88,11 +88,11 @@ public class RefreshableKeycloakSecurityContext extends KeycloakSecurityContext
}
public boolean isActive() {
return token != null && this.token.isActive() && deployment!=null && this.token.getIssuedAt() >= deployment.getNotBefore();
return token != null && this.token.isActive() && deployment!=null && this.token.getIat() >= deployment.getNotBefore();
}
public boolean isTokenTimeToLiveSufficient(AccessToken token) {
return token != null && (token.getExpiration() - this.deployment.getTokenMinimumTimeToLive()) > Time.currentTime();
return token != null && (token.getExp() - this.deployment.getTokenMinimumTimeToLive()) > Time.currentTime();
}
public KeycloakDeployment getDeployment() {

View file

@ -43,13 +43,13 @@ public class RefreshableKeycloakSecurityContextTest {
TokenMetadataRepresentation token = new TokenMetadataRepresentation();
token.setActive(true);
token.issuedAt(4999);
token.iat(4999L);
RefreshableKeycloakSecurityContext sut = new RefreshableKeycloakSecurityContext(keycloakDeployment,null,null,token,null, null, null);
assertFalse(sut.isActive());
token.issuedAt(5000);
token.iat(5000L);
assertTrue(sut.isActive());
}

View file

@ -18,12 +18,10 @@
package org.keycloak.adapters.installed;
import java.awt.Desktop;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.PrintStream;
import java.io.PrintWriter;
import java.io.Reader;
import java.net.InetSocketAddress;
import java.net.URI;
@ -37,16 +35,9 @@ import java.util.UUID;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ForkJoinPool;
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.ws.rs.client.Entity;
import javax.ws.rs.core.Form;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import org.jboss.resteasy.client.jaxrs.ResteasyClient;
import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
import org.keycloak.OAuth2Constants;
import org.keycloak.OAuthErrorException;
import org.keycloak.adapters.KeycloakDeployment;
@ -314,7 +305,7 @@ public class KeycloakInstalled {
}
public String getTokenString(long minValidity, TimeUnit unit) throws VerificationException, IOException, ServerRequest.HttpFailure {
long expires = ((long) token.getExpiration()) * 1000 - unit.toMillis(minValidity);
long expires = ((long) token.getExp()) * 1000 - unit.toMillis(minValidity);
if (expires < System.currentTimeMillis()) {
refreshToken();
}

View file

@ -106,7 +106,7 @@ public class TokenCallable implements Callable<String> {
}
public boolean isTokenTimeToLiveSufficient(AccessToken token) {
return token != null && (token.getExpiration() - getConfiguration().getTokenMinimumTimeToLive()) > Time.currentTime();
return token != null && (token.getExp() - getConfiguration().getTokenMinimumTimeToLive()) > Time.currentTime();
}
/**

View file

@ -182,10 +182,10 @@ public class JWTClientCredentialsProvider implements ClientCredentialsProvider {
reqToken.subject(clientId);
reqToken.audience(realmInfoUrl);
int now = Time.currentTime();
reqToken.issuedAt(now);
reqToken.expiration(now + this.tokenTimeout);
reqToken.notBefore(now);
long now = Time.currentTime();
reqToken.iat(now);
reqToken.exp(now + this.tokenTimeout);
reqToken.nbf(now);
return reqToken;
}

View file

@ -131,11 +131,11 @@ public class JWTClientSecretCredentialsProvider implements ClientCredentialsProv
reqToken.subject(clientId);
reqToken.audience(realmInfoUrl);
int now = Time.currentTime();
reqToken.issuedAt(now);
long now = Time.currentTime();
reqToken.iat(now);
// the same as in KEYCLOAK-2986, JWTClientCredentialsProvider's timeout field
reqToken.expiration(now + 10);
reqToken.notBefore(now);
reqToken.exp(now + 10);
reqToken.nbf(now);
return reqToken;
}

View file

@ -205,22 +205,6 @@ public class AccessToken extends IDToken {
return (AccessToken) super.id(id);
}
@Override
public AccessToken expiration(int expiration) {
return (AccessToken) super.expiration(expiration);
}
@Override
public AccessToken notBefore(int notBefore) {
return (AccessToken) super.notBefore(notBefore);
}
@Override
public AccessToken issuedAt(int issuedAt) {
return (AccessToken) super.issuedAt(issuedAt);
}
@Override
public AccessToken issuer(String issuer) {
return (AccessToken) super.issuer(issuer);

View file

@ -154,27 +154,10 @@ public class IDToken extends JsonWebToken {
return auth_time;
}
/**
* @deprecated int will overflow with values after 2038. Use {@link #getAuth_time()} instead.
*/
@Deprecated
@JsonIgnore
public int getAuthTime() {
return auth_time != null ? auth_time.intValue() : 0;
}
public void setAuth_time(Long auth_time) {
this.auth_time = auth_time;
}
/**
* @deprecated int will overflow with values after 2038. Use {@link #setAuth_time(Long)} ()} instead.
*/
public void setAuthTime(int authTime) {
this.auth_time = Long.valueOf(authTime);
}
public String getSessionId() {
return sessionId;
}

View file

@ -77,64 +77,28 @@ public class JsonWebToken implements Serializable, Token {
return exp;
}
/**
* @deprecated int will overflow with values after 2038. Use {@link #getExp()} instead.
*/
@Deprecated
@JsonIgnore
public int getExpiration() {
return exp != null ? exp.intValue() : 0;
}
public JsonWebToken exp(Long exp) {
this.exp = exp;
return this;
}
/**
* @deprecated int will overflow with values after 2038. Use {@link #exp(Long)} instead.
*/
public JsonWebToken expiration(int expiration) {
this.exp = Long.valueOf(expiration);
return this;
}
@JsonIgnore
public boolean isExpired() {
return exp != null && exp != 0 ? Time.currentTime() > exp : false;
return exp != null && exp != 0 && Time.currentTime() > exp;
}
public Long getNbf() {
return nbf;
}
/**
* @deprecated int will overflow with values after 2038. Use {@link #getNbf()} instead.
*/
@Deprecated
@JsonIgnore
public int getNotBefore() {
return nbf != null ? nbf.intValue() : 0;
}
public JsonWebToken nbf(Long nbf) {
this.nbf = nbf;
return this;
}
/**
* @deprecated int will overflow with values after 2038. Use {@link #nbf(Long)} instead.
*/
@Deprecated
@JsonIgnore
public JsonWebToken notBefore(int notBefore) {
this.nbf = Long.valueOf(notBefore);
return this;
}
@JsonIgnore
public boolean isNotBefore(int allowedTimeSkew) {
return nbf != null ? Time.currentTime() + allowedTimeSkew >= nbf : true;
public boolean isNotBefore(long allowedTimeSkew) {
return nbf == null || Time.currentTime() + allowedTimeSkew >= nbf;
}
/**
@ -165,21 +129,12 @@ public class JsonWebToken implements Serializable, Token {
return iat;
}
/**
* @deprecated int will overflow with values after 2038. Use {@link #getIat()} instead.
*/
@Deprecated
@JsonIgnore
public int getIssuedAt() {
return iat != null ? iat.intValue() : 0;
}
/**
* Set issuedAt to the current time
*/
@JsonIgnore
public JsonWebToken issuedNow() {
iat = Long.valueOf(Time.currentTime());
iat = (long) Time.currentTime();
return this;
}
@ -188,17 +143,6 @@ public class JsonWebToken implements Serializable, Token {
return this;
}
/**
* @deprecated int will overflow with values after 2038. Use {@link #iat(Long)} ()} instead.
*/
@Deprecated
@JsonIgnore
public JsonWebToken issuedAt(int issuedAt) {
this.iat = Long.valueOf(issuedAt);
return this;
}
public String getIssuer() {
return issuer;
}

View file

@ -42,14 +42,14 @@ public class DockerResponseToken extends JsonWebToken {
}
@Override
public DockerResponseToken expiration(final int expiration) {
super.expiration(expiration);
public DockerResponseToken exp(final Long expiration) {
super.exp(expiration);
return this;
}
@Override
public DockerResponseToken notBefore(final int notBefore) {
super.notBefore(notBefore);
public DockerResponseToken nbf(final Long notBefore) {
super.nbf(notBefore);
return this;
}
@ -60,8 +60,8 @@ public class DockerResponseToken extends JsonWebToken {
}
@Override
public DockerResponseToken issuedAt(final int issuedAt) {
super.issuedAt(issuedAt);
public DockerResponseToken iat(final Long issuedAt) {
super.iat(issuedAt);
return this;
}

View file

@ -44,9 +44,9 @@ public class PermissionTicketToken extends JsonWebToken {
if (accessToken != null) {
id(TokenIdGenerator.generateId());
subject(accessToken.getSubject());
expiration(accessToken.getExpiration());
notBefore(accessToken.getNotBefore());
issuedAt(accessToken.getIssuedAt());
this.exp(accessToken.getExp());
this.nbf(accessToken.getNbf());
iat(accessToken.getIat());
issuedFor(accessToken.getIssuedFor());
}
if (audience != null) {

View file

@ -120,7 +120,7 @@ public abstract class RSAVerifierTest {
@Test
public void testNotBeforeGood() throws Exception {
token.notBefore(Time.currentTime() - 100);
token.nbf(Time.currentTime() - 100L);
String encoded = new JWSBuilder()
.jsonContent(token)
@ -136,7 +136,7 @@ public abstract class RSAVerifierTest {
@Test
public void testNotBeforeBad() {
token.notBefore(Time.currentTime() + 100);
token.nbf(Time.currentTime() + 100L);
String encoded = new JWSBuilder()
.jsonContent(token)
@ -153,7 +153,7 @@ public abstract class RSAVerifierTest {
@Test
public void testExpirationGood() throws Exception {
token.expiration(Time.currentTime() + 100);
token.exp(Time.currentTime() + 100L);
String encoded = new JWSBuilder()
.jsonContent(token)
@ -169,7 +169,7 @@ public abstract class RSAVerifierTest {
@Test
public void testExpirationBad() {
token.expiration(Time.currentTime() - 100);
token.exp(Time.currentTime() - 100L);
String encoded = new JWSBuilder()
.jsonContent(token)

View file

@ -82,37 +82,37 @@ public class JsonWebTokenTest {
@Test
public void isActiveReturnFalseWhenBeforeTimeInFuture() {
int currentTime = Time.currentTime();
int futureTime = currentTime + 10;
long currentTime = Time.currentTime();
long futureTime = currentTime + 10;
JsonWebToken jsonWebToken = new JsonWebToken();
jsonWebToken.notBefore(futureTime);
jsonWebToken.nbf(futureTime);
assertFalse(jsonWebToken.isActive());
}
@Test
public void isActiveReturnTrueWhenBeforeTimeInPast() {
int currentTime = Time.currentTime();
int pastTime = currentTime - 10;
long currentTime = Time.currentTime();
long pastTime = currentTime - 10;
JsonWebToken jsonWebToken = new JsonWebToken();
jsonWebToken.notBefore(pastTime);
jsonWebToken.nbf(pastTime);
assertTrue(jsonWebToken.isActive());
}
@Test
public void isActiveShouldReturnTrueWhenBeforeTimeInFutureWithinTimeSkew() {
int notBeforeTime = Time.currentTime() + 5;
long notBeforeTime = Time.currentTime() + 5;
int allowedClockSkew = 10;
JsonWebToken jsonWebToken = new JsonWebToken();
jsonWebToken.notBefore(notBeforeTime);
jsonWebToken.nbf(notBeforeTime);
assertTrue(jsonWebToken.isActive(allowedClockSkew));
}
@Test
public void isActiveShouldReturnFalseWhenWhenBeforeTimeInFutureOutsideTimeSkew() {
int notBeforeTime = Time.currentTime() + 10;
long notBeforeTime = Time.currentTime() + 10;
int allowedClockSkew = 5;
JsonWebToken jsonWebToken = new JsonWebToken();
jsonWebToken.notBefore(notBeforeTime);
jsonWebToken.nbf(notBeforeTime);
assertFalse(jsonWebToken.isActive(allowedClockSkew));
}

View file

@ -131,3 +131,20 @@ It is now possible to specify the `cache`, `cache-stack`, and `cache-config-file
This eliminates the need to execute the build phase and rebuild your image due to them.
For more details, see the link:{upgradingguide_link}[{upgradingguide_name}].
= Removing deprecated methods from `AccessToken`, `IDToken`, and `JsonWebToken` classes
In this release, we are finally removing deprecated methods from the following classes:
* `AccessToken`
* `IDToken`
* `JsonWebToken`
For more details, see the link:{upgradingguide_link}[{upgradingguide_name}].
= Method `getExp` added to `SingleUseObjectKeyModel`
As a consequence of the removal of deprecated methods from `AccessToken`, `IDToken`, and `JsonWebToken`,
the `SingleUseObjectKeyModel` also changed to keep consistency with the method names related to expiration values.
For more details, see the link:{upgradingguide_link}[{upgradingguide_name}].

View file

@ -269,3 +269,35 @@ The new indexes are both applied to the `RESOURCE_SERVER_PERM_TICKET` table. If
on the console during migration. In this case, the statements must be run manually in the DB after {project_name}'s startup.
See the link:{upgradingguide_link}[{upgradingguide_name}] for details on how to configure a different limit.
= Removing deprecated methods from `AccessToken`, `IDToken`, and `JsonWebToken` classes
The following methods were removed from the `AccessToken` class:
* `expiration`. Use the `exp` method instead.
* `notBefore`. Use the `nbf` method instead.
* `issuedAt`. Use the `iat` method instead.
The following methods were removed from the `IDToken` class:
* `getAuthTime` and `setAuthTime`. Use the `getAuth_time` and `setAuth_time` methods, respectively.
* `notBefore`. Use the `nbf` method instead.
* `issuedAt`. Use the `iat` method instead.
* `setSessionState`. Use the `setSessionId` method instead (See the details above in the section about `session_state` claim)
The following methods were removed from the `JsonWebToken` class:
* `expiration`. Use the `exp` method instead.
* `notBefore`. Use the `nbf` method instead.
* `issuedAt`. Use the `iat` method instead.
You should also expect both `exp` and `nbf` claims not set in tokens as they are optional. Previously, these claims were
being set with a value of `0` what does not make mush sense because their value should be a valid `NumericDate`.
= Method `getExp` added to `SingleUseObjectKeyModel`
As a consequence of the removal of deprecated methods from `AccessToken`, `IDToken`, and `JsonWebToken`,
the `SingleUseObjectKeyModel` also changed to keep consistency with the method names related to expiration values.
The previous `getExpiration` method is now deprecated and you should prefer using new newly introduced `getExp` method
to avoid overflow after 2038.

View file

@ -200,10 +200,10 @@ public class AuthUtil {
reqToken.subject(clientId);
reqToken.audience(realmInfoUrl);
int now = Time.currentTime();
reqToken.issuedAt(now);
reqToken.expiration(now + sigLifetime);
reqToken.notBefore(now);
long now = Time.currentTime();
reqToken.iat(now);
reqToken.exp(now + sigLifetime);
reqToken.nbf(now);
String signedRequestToken = new JWSBuilder()
.jsonContent(reqToken)

View file

@ -39,7 +39,15 @@ public interface SingleUseObjectKeyModel {
/**
* Returns absolute number of seconds since the epoch in UTC timezone when the token expires.
*/
int getExpiration();
Long getExp();
/**
* @deprecated int will overflow with values after 2038. Use {@link #getExp()} instead.
*/
@Deprecated
default int getExpiration() {
return getExp().intValue();
}
/**
* @return Single-use random value used for verification whether the relevant action is allowed.
@ -49,6 +57,6 @@ public interface SingleUseObjectKeyModel {
default String serializeKey() {
String userId = getUserId();
String encodedUserId = userId == null ? "" : Base64.encodeBytes(userId.getBytes(StandardCharsets.UTF_8));
return String.format("%s.%d.%s.%s", encodedUserId, getExpiration(), getActionVerificationNonce(), getActionId());
return String.format("%s.%d.%s.%s", encodedUserId, getExp(), getActionVerificationNonce(), getActionId());
}
}

View file

@ -158,7 +158,7 @@ public class DefaultActionToken extends DefaultActionTokenKey implements SingleU
String issuerUri = getIssuer(realm, uri);
this
.issuedAt(Time.currentTime())
.issuedNow()
.id(getActionVerificationNonce().toString())
.issuer(issuerUri)
.audience(issuerUri);

View file

@ -19,6 +19,8 @@
package org.keycloak.authentication.authenticators.client;
import java.util.Optional;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;
@ -166,7 +168,7 @@ public class JWTClientValidator {
}
// KEYCLOAK-2986, token-timeout or token-expiration in keycloak.json might not be used
if (token.getExpiration() == 0 && token.getIssuedAt() + 10 < currentTime) {
if ((token.getExp() == null || token.getExp() <= 0) && token.getIat() + 10 < currentTime) {
throw new RuntimeException("Token is not active");
}
@ -180,7 +182,7 @@ public class JWTClientValidator {
if (client == null) throw new IllegalStateException("Incorrect usage. Variable 'client' is null. Need to validate client first before validateToken reuse");
SingleUseObjectProvider singleUseCache = context.getSession().singleUseObjects();
int lifespanInSecs = Math.max(token.getExpiration() - currentTime, 10);
long lifespanInSecs = Math.max(Optional.ofNullable(token.getExp()).orElse(0L) - currentTime, 10);
if (singleUseCache.putIfAbsent(token.getId(), lifespanInSecs)) {
logger.tracef("Added token '%s' to single-use cache. Lifespan: %d seconds, client: %s", token.getId(), lifespanInSecs, client.getClientId());

View file

@ -64,10 +64,10 @@ public class RPTIntrospectionProvider extends AccessTokenIntrospectionProvider {
metadata.id(accessToken.getId());
metadata.setAcr(accessToken.getAcr());
metadata.type(accessToken.getType());
metadata.expiration(accessToken.getExpiration());
metadata.issuedAt(accessToken.getIssuedAt());
metadata.exp(accessToken.getExp());
metadata.iat(accessToken.getIat());
metadata.audience(accessToken.getAudience());
metadata.notBefore(accessToken.getNotBefore());
metadata.nbf(accessToken.getNbf());
metadata.setRealmAccess(null);
metadata.setResourceAccess(null);

View file

@ -458,8 +458,8 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
audience = getConfig().getTokenUrl();
}
jwt.audience(audience);
int expirationDelay = session.getContext().getRealm().getAccessCodeLifespan();
jwt.expiration(Time.currentTime() + expirationDelay);
long expirationDelay = session.getContext().getRealm().getAccessCodeLifespan();
jwt.exp(Time.currentTime() + expirationDelay);
jwt.issuedNow();
return jwt;
}

View file

@ -105,8 +105,8 @@ public class DockerAuthV2Protocol implements LoginProtocol {
// since realm access token is given in seconds
final int accessTokenLifespan = realm.getAccessTokenLifespan();
responseToken.notBefore(responseToken.getIssuedAt())
.expiration(responseToken.getIssuedAt() + accessTokenLifespan);
responseToken.nbf(responseToken.getIat())
.exp(responseToken.getIat() + accessTokenLifespan);
// Next, allow mappers to decorate the token to add/remove scopes as appropriate
@ -126,7 +126,7 @@ public class DockerAuthV2Protocol implements LoginProtocol {
.type("JWT")
.jsonContent(responseToken)
.rsa256(activeKey.getPrivateKey());
final String expiresInIso8601String = new SimpleDateFormat(ISO_8601_DATE_FORMAT).format(new Date(responseToken.getIssuedAt() * 1000L));
final String expiresInIso8601String = new SimpleDateFormat(ISO_8601_DATE_FORMAT).format(new Date(responseToken.getIat() * 1000L));
final DockerResponse responseEntity = new DockerResponse()
.setToken(encodedToken)

View file

@ -126,7 +126,6 @@ import static org.keycloak.representations.IDToken.NONCE;
*/
public class TokenManager {
private static final Logger logger = Logger.getLogger(TokenManager.class);
private static final String JWT = "JWT";
public static class TokenValidation {
public final UserModel user;
@ -457,7 +456,7 @@ public class TokenManager {
if (clientSession.getCurrentRefreshToken() != null
&& !refreshToken.getId().equals(clientSession.getCurrentRefreshToken())
&& refreshToken.getIssuedAt() < clientSession.getTimestamp()
&& refreshToken.getIat() < clientSession.getTimestamp()
&& startupTime <= clientSession.getTimestamp()) {
throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Stale token");
}
@ -476,7 +475,6 @@ public class TokenManager {
throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Maximum allowed refresh token reuse exceeded",
"Maximum allowed refresh token reuse exceeded");
}
return;
}
public RefreshToken verifyRefreshToken(KeycloakSession session, RealmModel realm, ClientModel client, HttpRequest request, String encodedRefreshToken, boolean checkExpiration) throws OAuthErrorException {
@ -974,12 +972,12 @@ public class TokenManager {
ClientScopeModel offlineAccessScope = KeycloakModelUtils.getClientScopeByName(realm, OAuth2Constants.OFFLINE_ACCESS);
boolean offlineTokenRequested = offlineAccessScope == null ? false
: clientSessionCtx.getClientScopeIds().contains(offlineAccessScope.getId());
token.expiration(getTokenExpiration(realm, client, session, clientSession, offlineTokenRequested));
token.exp(getTokenExpiration(realm, client, session, clientSession, offlineTokenRequested));
return token;
}
private int getTokenExpiration(RealmModel realm, ClientModel client, UserSessionModel userSession,
private Long getTokenExpiration(RealmModel realm, ClientModel client, UserSessionModel userSession,
AuthenticatedClientSessionModel clientSession, boolean offlineTokenRequested) {
boolean implicitFlow = false;
String responseType = clientSession.getNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM);
@ -1016,7 +1014,7 @@ public class TokenManager {
realm, client);
expiration = sessionExpires > 0? Math.min(expiration, sessionExpires) : expiration;
return (int) TimeUnit.MILLISECONDS.toSeconds(expiration);
return TimeUnit.MILLISECONDS.toSeconds(expiration);
}
@ -1131,15 +1129,15 @@ public class TokenManager {
}
refreshToken.type(TokenUtil.TOKEN_TYPE_OFFLINE);
if (realm.isOfflineSessionMaxLifespanEnabled()) {
refreshToken.expiration(getExpiration(true));
refreshToken.exp(getExpiration(true));
}
sessionManager.createOrUpdateOfflineSession(clientSessionCtx.getClientSession(), userSession);
} else {
refreshToken.expiration(getExpiration(false));
refreshToken.exp(getExpiration(false));
}
}
private int getExpiration(boolean offline) {
private Long getExpiration(boolean offline) {
long expiration = SessionExpirationUtils.calculateClientSessionIdleTimestamp(
offline, userSession.isRememberMe(),
TimeUnit.SECONDS.toMillis(clientSessionCtx.getClientSession().getTimestamp()),
@ -1151,7 +1149,7 @@ public class TokenManager {
realm, client);
expiration = lifespan > 0? Math.min(expiration, lifespan) : expiration;
return (int) TimeUnit.MILLISECONDS.toSeconds(expiration);
return TimeUnit.MILLISECONDS.toSeconds(expiration);
}
public AccessTokenResponseBuilder generateIDToken() {
@ -1172,7 +1170,7 @@ public class TokenManager {
idToken.issuer(accessToken.getIssuer());
idToken.setNonce(clientSessionCtx.getAttribute(OIDCLoginProtocol.NONCE_PARAM, String.class));
idToken.setSessionId(accessToken.getSessionId());
idToken.expiration(accessToken.getExpiration());
idToken.exp(accessToken.getExp());
// Protocol mapper is supposed to set this in case "step_up_authentication" feature enabled
if (!Profile.isFeatureEnabled(Profile.Feature.STEP_UP_AUTHENTICATION)) {
@ -1229,8 +1227,8 @@ public class TokenManager {
res.setToken(encodedToken);
res.setTokenType(responseTokenType);
res.setSessionState(accessToken.getSessionState());
if (accessToken.getExpiration() != 0) {
res.setExpiresIn(accessToken.getExpiration() - Time.currentTime());
if (accessToken.getExp() != 0) {
res.setExpiresIn(accessToken.getExp() - Time.currentTime());
}
}
@ -1253,8 +1251,9 @@ public class TokenManager {
if (refreshToken != null) {
String encodedToken = session.tokens().encode(refreshToken);
res.setRefreshToken(encodedToken);
if (refreshToken.getExpiration() != 0) {
res.setRefreshExpiresIn(refreshToken.getExpiration() - Time.currentTime());
Long exp = refreshToken.getExp();
if (exp != null && exp > 0) {
res.setRefreshExpiresIn(exp - Time.currentTime());
}
}
@ -1309,7 +1308,7 @@ public class TokenManager {
@Override
public boolean test(JsonWebToken t) throws VerificationException {
if (t.getIssuedAt() < notBefore) {
if (t.getIat() < notBefore) {
throw new VerificationException("Stale token");
}
@ -1367,7 +1366,7 @@ public class TokenManager {
}
LogoutToken logoutToken = logoutTokenOptional.get();
List<OIDCIdentityProvider> identityProviders = getOIDCIdentityProviders(realm, session).collect(Collectors.toList());
List<OIDCIdentityProvider> identityProviders = getOIDCIdentityProviders(realm, session).toList();
if (identityProviders.isEmpty()) {
return LogoutTokenValidationCode.COULD_NOT_FIND_IDP;
}

View file

@ -524,7 +524,7 @@ public class LogoutEndpoint {
}
if (userSessionModel != null) {
checkTokenIssuedAt(token.getIssuedAt(), userSessionModel);
checkTokenIssuedAt(token.getIat(), userSessionModel);
logout(userSessionModel, offline);
}
} catch (OAuthErrorException e) {
@ -727,7 +727,7 @@ public class LogoutEndpoint {
}
}
private void checkTokenIssuedAt(int idTokenIssuedAt, UserSessionModel userSession) throws OAuthErrorException {
private void checkTokenIssuedAt(long idTokenIssuedAt, UserSessionModel userSession) throws OAuthErrorException {
if (idTokenIssuedAt + 1 < userSession.getStarted()) {
throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Toked issued before the user session started");
}

View file

@ -56,8 +56,7 @@ public class ClientRegistrationTokenUtils {
regToken.type(auth.getJwt().getType());
regToken.id(auth.getJwt().getId());
regToken.issuedAt(Time.currentTime());
regToken.expiration(0);
regToken.issuedNow();
regToken.issuer(auth.getJwt().getIssuer());
regToken.audience(auth.getJwt().getIssuer());
@ -117,13 +116,13 @@ public class ClientRegistrationTokenUtils {
return TokenVerification.success(kid, jwt);
}
private static String setupToken(JsonWebToken jwt, KeycloakSession session, RealmModel realm, String id, String type, int expiration) {
private static String setupToken(JsonWebToken jwt, KeycloakSession session, RealmModel realm, String id, String type, long expiration) {
String issuer = getIssuer(session, realm);
jwt.type(type);
jwt.id(id);
jwt.issuedAt(Time.currentTime());
jwt.expiration(expiration);
jwt.issuedNow();
jwt.exp(expiration);
jwt.issuer(issuer);
jwt.audience(issuer);

View file

@ -759,9 +759,9 @@ public class AuthenticationManager {
}
if (session != null && session.isRememberMe() && realm.getSsoSessionMaxLifespanRememberMe() > 0) {
token.expiration(Time.currentTime() + realm.getSsoSessionMaxLifespanRememberMe());
token.exp((long) Time.currentTime() + realm.getSsoSessionMaxLifespanRememberMe());
} else if (realm.getSsoSessionMaxLifespan() > 0) {
token.expiration(Time.currentTime() + realm.getSsoSessionMaxLifespan());
token.exp((long) Time.currentTime() + realm.getSsoSessionMaxLifespan());
}
String stateChecker = (String) keycloakSession.getAttribute("state_checker");
@ -999,7 +999,7 @@ public class AuthenticationManager {
SingleUseObjectKeyModel actionTokenKey = DefaultActionTokenKey.from(actionTokenKeyToInvalidate);
if (actionTokenKey != null) {
SingleUseObjectProvider singleUseObjectProvider = session.singleUseObjects();
singleUseObjectProvider.put(actionTokenKeyToInvalidate, actionTokenKey.getExpiration() - Time.currentTime(), null); // Token is invalidated
singleUseObjectProvider.put(actionTokenKeyToInvalidate, actionTokenKey.getExp() - Time.currentTime(), null); // Token is invalidated
}
}
@ -1400,8 +1400,8 @@ public class AuthenticationManager {
AccessToken token = verifier.verify().getToken();
if (checkActive) {
if (!token.isActive() || token.getIssuedAt() < realm.getNotBefore()) {
logger.debugf("Identity cookie expired. Token expiration: %d, Current Time: %d. token issued at: %d, realm not before: %d", token.getExp(), Time.currentTime(), token.getIssuedAt(), realm.getNotBefore());
if (!token.isActive() || token.getIat() < realm.getNotBefore()) {
logger.debugf("Identity cookie expired. Token expiration: %d, Current Time: %d. token issued at: %d, realm not before: %d", token.getExp(), Time.currentTime(), token.getIat(), realm.getNotBefore());
return null;
}
}
@ -1467,7 +1467,7 @@ public class AuthenticationManager {
return false;
}
if (token.getIssuedAt() < client.getNotBefore()) {
if (token.getIat() < client.getNotBefore()) {
logger.debug("Client notBefore newer than token");
return false;
}

View file

@ -755,13 +755,13 @@ public class DemoServletsAdapterTest extends AbstractServletsAdapterTest {
// Get time of token
AccessToken token = tokenMinTTLPage.getAccessToken();
int tokenIssued1 = token.getIssuedAt();
long tokenIssued1 = token.getIat();
// Sets 5 minutes offset and assert access token will be still the same
setAdapterAndServerTimeOffset(300, tokenMinTTLPage.toString());
tokenMinTTLPage.navigateTo();
token = tokenMinTTLPage.getAccessToken();
int tokenIssued2 = token.getIssuedAt();
long tokenIssued2 = token.getIat();
Assert.assertEquals(tokenIssued1, tokenIssued2);
assertFalse(token.isExpired());
@ -769,7 +769,7 @@ public class DemoServletsAdapterTest extends AbstractServletsAdapterTest {
setAdapterAndServerTimeOffset(540, tokenMinTTLPage.toString());
tokenMinTTLPage.navigateTo();
token = tokenMinTTLPage.getAccessToken();
int tokenIssued3 = token.getIssuedAt();
long tokenIssued3 = token.getIat();
Assert.assertTrue(tokenIssued3 > tokenIssued1);
// Revert times
@ -853,8 +853,8 @@ public class DemoServletsAdapterTest extends AbstractServletsAdapterTest {
testRealmLoginPage.form().setPassword("password");
testRealmLoginPage.form().login();
AccessToken token = tokenMinTTLPage.getAccessToken();
int authTime = token.getAuthTime();
assertThat(authTime, is(greaterThanOrEqualTo(currentTime + 10)));
long authTime = token.getAuth_time();
assertThat(authTime, is(greaterThanOrEqualTo(currentTime + 10L)));
} finally {
setAdapterAndServerTimeOffset(0, securePortal.toString());
}

View file

@ -2381,7 +2381,7 @@ public class UserTest extends AbstractAdminTest {
try {
final AccessToken accessToken = TokenVerifier.create(token, AccessToken.class).getToken();
assertEquals(lifespan, accessToken.getExpiration() - accessToken.getIssuedAt());
assertEquals(lifespan, accessToken.getExp() - accessToken.getIat());
} catch (VerificationException e) {
throw new IOException(e);
}

View file

@ -87,6 +87,7 @@ import static org.hamcrest.Matchers.not;
import static org.hamcrest.Matchers.notNullValue;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
import static org.keycloak.testsuite.broker.BrokerTestConstants.REALM_CONS_NAME;
import static org.keycloak.testsuite.broker.BrokerTestConstants.REALM_PROV_NAME;
@ -614,7 +615,7 @@ public final class KcOidcBrokerTransientSessionsTest extends AbstractAdvancedBro
.assertEvent();
assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
assertEquals(0, offlineToken.getExpiration());
assertNull(offlineToken.getExp());
assertTrue(tokenResponse.getScope().contains(OAuth2Constants.OFFLINE_ACCESS));

View file

@ -397,11 +397,11 @@ public class OIDCPairwiseClientRegistrationTest extends AbstractClientRegistrati
Assert.assertEquals(idToken.getSubject(), refreshedRefreshToken.getSubject());
// its iat Claim MUST represent the time that the new ID Token is issued
Assert.assertEquals(refreshedIdToken.getIssuedAt(), refreshedRefreshToken.getIssuedAt());
Assert.assertEquals(refreshedIdToken.getIat(), refreshedRefreshToken.getIat());
// if the ID Token contains an auth_time Claim, its value MUST represent the time of the original authentication
// - not the time that the new ID token is issued
Assert.assertEquals(idToken.getAuthTime(), refreshedIdToken.getAuthTime());
Assert.assertEquals(idToken.getAuth_time(), refreshedIdToken.getAuth_time());
// its azp Claim Value MUST be the same as in the ID Token issued when the original authentication occurred; if
// no azp Claim was present in the original ID Token, one MUST NOT be present in the new ID Token

View file

@ -478,7 +478,7 @@ public class ClientStorageTest extends AbstractTestRealmKeycloakTest {
.assertEvent();
Assert.assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
Assert.assertEquals(0, offlineToken.getExpiration());
Assert.assertNull(offlineToken.getExp());
testRefreshWithOfflineToken(token, offlineToken, offlineTokenString, token.getSessionState(), userId);

View file

@ -856,7 +856,7 @@ public abstract class AbstractMigrationTest extends AbstractKeycloakTest {
private void assertOfflineToken(String offlineToken) {
RefreshToken offlineTokenParsed = oauth.parseRefreshToken(offlineToken);
assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineTokenParsed.getType());
assertEquals(0, offlineTokenParsed.getExpiration());
assertNull(offlineTokenParsed.getExp());
assertTrue(TokenUtil.hasScope(offlineTokenParsed.getScope(), OAuth2Constants.OFFLINE_ACCESS));
}

View file

@ -86,7 +86,6 @@ import org.keycloak.common.util.KeystoreUtil.KeystoreFormat;
import org.keycloak.constants.ServiceUrlConstants;
import org.keycloak.crypto.Algorithm;
import org.keycloak.crypto.ECDSAAlgorithm;
import org.keycloak.crypto.ECDSASignatureProvider;
import org.keycloak.crypto.KeyType;
import org.keycloak.crypto.SignatureSignerContext;
import org.keycloak.events.Details;
@ -806,10 +805,10 @@ public abstract class AbstractClientAuthSignedJWTTest extends AbstractKeycloakTe
if (isClaimEnabled("subject")) reqToken.subject(clientId);
if (isClaimEnabled("audience")) reqToken.audience(realmInfoUrl);
int now = Time.currentTime();
if (isClaimEnabled("issuedAt")) reqToken.issuedAt(now);
if (isClaimEnabled("expiration")) reqToken.expiration(now + getTokenTimeout());
if (isClaimEnabled("notBefore")) reqToken.notBefore(now);
long now = Time.currentTime();
if (isClaimEnabled("issuedAt")) reqToken.iat(now);
if (isClaimEnabled("expiration")) reqToken.exp(now + getTokenTimeout());
if (isClaimEnabled("notBefore")) reqToken.nbf(now);
return reqToken;
}
@ -934,10 +933,10 @@ public abstract class AbstractClientAuthSignedJWTTest extends AbstractKeycloakTe
reqToken.subject(clientId);
reqToken.audience(realmInfoUrl);
int now = Time.currentTime();
reqToken.issuedAt(now);
reqToken.expiration(now + 10);
reqToken.notBefore(now);
long now = Time.currentTime();
reqToken.iat(now);
reqToken.exp(now + 10);
reqToken.nbf(now);
return reqToken;
}

View file

@ -235,13 +235,10 @@ public class AccessTokenTest extends AbstractKeycloakTest {
assertEquals(sessionId, sid);
assertNull(token.getNbf());
assertEquals(0, token.getNotBefore());
assertNotNull(token.getIat());
assertEquals(token.getIat().intValue(), token.getIssuedAt());
assertNotNull(token.getExp());
assertEquals(token.getExp().intValue(), token.getExpiration());
assertEquals(1, token.getRealmAccess().getRoles().size());
assertTrue(token.getRealmAccess().isUserInRole("user"));

View file

@ -493,9 +493,9 @@ public class OAuthProofKeyForCodeExchangeTest extends AbstractKeycloakTest {
RefreshToken refreshToken = oauth.parseRefreshToken(refreshTokenString);
Assert.assertNotNull(refreshTokenString);
assertThat(token.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(200), lessThanOrEqualTo(350)));
int actual = refreshToken.getExpiration() - getCurrentTime();
assertThat(actual, allOf(greaterThanOrEqualTo(1799 - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800 + RefreshTokenTest.ALLOWED_CLOCK_SKEW)));
assertThat(token.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(200L), lessThanOrEqualTo(350L)));
long actual = refreshToken.getExp() - getCurrentTime();
assertThat(actual, allOf(greaterThanOrEqualTo(1799L - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800L + RefreshTokenTest.ALLOWED_CLOCK_SKEW)));
assertEquals(sessionId, refreshToken.getSessionState());
setTimeOffset(2);
@ -510,10 +510,10 @@ public class OAuthProofKeyForCodeExchangeTest extends AbstractKeycloakTest {
assertEquals(sessionId, refreshedRefreshToken.getSessionState());
assertThat(refreshResponse.getExpiresIn(), allOf(greaterThanOrEqualTo(250), lessThanOrEqualTo(300)));
assertThat(refreshedToken.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(250 - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(300 + RefreshTokenTest.ALLOWED_CLOCK_SKEW)));
assertThat(refreshedToken.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(250L - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(300L + RefreshTokenTest.ALLOWED_CLOCK_SKEW)));
assertThat(refreshedToken.getExpiration() - token.getExpiration(), allOf(greaterThanOrEqualTo(1), lessThanOrEqualTo(10)));
assertThat(refreshedRefreshToken.getExpiration() - refreshToken.getExpiration(), allOf(greaterThanOrEqualTo(1), lessThanOrEqualTo(10)));
assertThat(refreshedToken.getExp() - token.getExp(), allOf(greaterThanOrEqualTo(1L), lessThanOrEqualTo(10L)));
assertThat(refreshedRefreshToken.getExp() - refreshToken.getExp(), allOf(greaterThanOrEqualTo(1L), lessThanOrEqualTo(10L)));
Assert.assertNotEquals(token.getId(), refreshedToken.getId());
Assert.assertNotEquals(refreshToken.getId(), refreshedRefreshToken.getId());

View file

@ -256,7 +256,7 @@ public class OfflineTokenTest extends AbstractKeycloakTest {
.assertEvent();
assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
assertEquals(0, offlineToken.getExpiration());
Assert.assertNull(offlineToken.getExp());
assertTrue(tokenResponse.getScope().contains(OAuth2Constants.OFFLINE_ACCESS));
@ -356,7 +356,7 @@ public class OfflineTokenTest extends AbstractKeycloakTest {
.assertEvent();
Assert.assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
Assert.assertEquals(0, offlineToken.getExpiration());
Assert.assertNull(offlineToken.getExp());
testRefreshWithOfflineToken(token, offlineToken, offlineTokenString, token.getSessionState(), userId);
@ -391,7 +391,7 @@ public class OfflineTokenTest extends AbstractKeycloakTest {
.assertEvent();
Assert.assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
Assert.assertEquals(0, offlineToken.getExpiration());
Assert.assertNull(offlineToken.getExp());
String offlineTokenString2 = testRefreshWithOfflineToken(token, offlineToken, offlineTokenString, token.getSessionState(), userId);
RefreshToken offlineToken2 = oauth.parseRefreshToken(offlineTokenString2);
@ -440,7 +440,7 @@ public class OfflineTokenTest extends AbstractKeycloakTest {
.assertEvent();
Assert.assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
Assert.assertEquals(0, offlineToken.getExpiration());
Assert.assertNull(offlineToken.getExp());
testRefreshWithOfflineToken(token, offlineToken, offlineTokenString, token.getSessionState(), serviceAccountUserId);
@ -677,7 +677,7 @@ public class OfflineTokenTest extends AbstractKeycloakTest {
.assertEvent();
assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
assertEquals(0, offlineToken.getExpiration());
assertNull(offlineToken.getExp());
String offlineUserSessionId = testingClient.server().fetch((KeycloakSession session) ->
session.sessions().getOfflineUserSession(session.realms().getRealmByName("test"), offlineToken.getSessionState()).getId(), String.class);
@ -714,7 +714,7 @@ public class OfflineTokenTest extends AbstractKeycloakTest {
.assertEvent();
assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken2.getType());
assertEquals(0, offlineToken2.getExpiration());
Assert.assertNull(offlineToken.getExp());
// Assert session changed
assertNotEquals(offlineToken.getSessionState(), offlineToken2.getSessionState());
@ -977,7 +977,7 @@ public class OfflineTokenTest extends AbstractKeycloakTest {
.assertEvent();
Assert.assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
Assert.assertEquals(0, offlineToken.getExpiration());
Assert.assertNull(offlineToken.getExp());
testRefreshWithOfflineToken(token, offlineToken, offlineTokenString, token.getSessionState(), serviceAccountUserId);
@ -1049,7 +1049,7 @@ public class OfflineTokenTest extends AbstractKeycloakTest {
.assertEvent();
Assert.assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
Assert.assertEquals(0, offlineToken.getExpiration());
Assert.assertNull(offlineToken.getExp());
}
@Test

View file

@ -247,9 +247,9 @@ public class RefreshTokenTest extends AbstractKeycloakTest {
assertEquals("Bearer", tokenResponse.getTokenType());
assertThat(token.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(200), lessThanOrEqualTo(350)));
int actual = refreshToken.getExpiration() - getCurrentTime();
assertThat(actual, allOf(greaterThanOrEqualTo(1799 - ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800 + ALLOWED_CLOCK_SKEW)));
assertThat(token.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(200L), lessThanOrEqualTo(350L)));
long actual = refreshToken.getExp() - getCurrentTime();
assertThat(actual, allOf(greaterThanOrEqualTo(1799L - ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800L + ALLOWED_CLOCK_SKEW)));
assertEquals(sessionId, refreshToken.getSessionState());
assertNull(refreshToken.getNonce());
@ -264,10 +264,10 @@ public class RefreshTokenTest extends AbstractKeycloakTest {
assertEquals(sessionId, refreshedRefreshToken.getSessionState());
assertThat(response.getExpiresIn(), allOf(greaterThanOrEqualTo(250), lessThanOrEqualTo(300)));
assertThat(refreshedToken.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(250 - ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(300 + ALLOWED_CLOCK_SKEW)));
assertThat(refreshedToken.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(250L - ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(300L + ALLOWED_CLOCK_SKEW)));
assertThat(refreshedToken.getExpiration() - token.getExpiration(), allOf(greaterThanOrEqualTo(0), lessThanOrEqualTo(10)));
assertThat(refreshedRefreshToken.getExpiration() - refreshToken.getExpiration(), allOf(greaterThanOrEqualTo(0), lessThanOrEqualTo(10)));
assertThat(refreshedToken.getExp() - token.getExp(), allOf(greaterThanOrEqualTo(0L), lessThanOrEqualTo(10L)));
assertThat(refreshedRefreshToken.getExp() - refreshToken.getExp(), allOf(greaterThanOrEqualTo(0L), lessThanOrEqualTo(10L)));
// "test-app" should not be an audience in the refresh token
assertEquals("test-app", refreshedRefreshToken.getIssuedFor());

View file

@ -69,6 +69,7 @@ import java.util.ArrayList;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
@ -170,9 +171,9 @@ public class TokenIntrospectionTest extends AbstractTestRealmKeycloakTest {
assertTrue(rep.isActive());
assertEquals("test-user@localhost", rep.getUserName());
assertEquals("test-app", rep.getClientId());
assertEquals(jsonNode.get("exp").asInt(), rep.getExpiration());
assertEquals(jsonNode.get("iat").asInt(), rep.getIssuedAt());
assertEquals(jsonNode.get("nbf"), rep.getNbf());
assertEquals(Long.valueOf(jsonNode.get("exp").asLong()), rep.getExp());
assertEquals(Long.valueOf(jsonNode.get("iat").asLong()), rep.getIat());
assertEquals(Optional.ofNullable(jsonNode.get("nbf")).map(JsonNode::asLong).orElse(null), rep.getNbf());
assertEquals(jsonNode.get("sub").asText(), rep.getSubject());
List<String> audiences = new ArrayList<>();
@ -226,9 +227,9 @@ public class TokenIntrospectionTest extends AbstractTestRealmKeycloakTest {
assertTrue(rep.isActive());
assertEquals("test-app", rep.getClientId());
assertEquals(jsonNode.get("sid").asText(), rep.getSessionState());
assertEquals(jsonNode.get("exp").asInt(), rep.getExpiration());
assertEquals(jsonNode.get("iat").asInt(), rep.getIssuedAt());
assertEquals(jsonNode.get("nbf"), rep.getNbf());
assertEquals(Long.valueOf(jsonNode.get("exp").asLong()), rep.getExp());
assertEquals(Long.valueOf(jsonNode.get("iat").asLong()), rep.getIat());
assertEquals(Optional.ofNullable(jsonNode.get("nbf")).map(JsonNode::asLong).orElse(null), rep.getNbf());
assertEquals(jsonNode.get("iss").asText(), rep.getIssuer());
assertEquals(jsonNode.get("jti").asText(), rep.getId());
assertEquals(jsonNode.get("typ").asText(), "Refresh");

View file

@ -335,9 +335,9 @@ public class HoKTest extends AbstractTestRealmKeycloakTest {
Assert.assertNotNull(refreshTokenString);
assertEquals("Bearer", tokenResponse.getTokenType());
assertThat(token.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(200), lessThanOrEqualTo(350)));
int actual = refreshToken.getExpiration() - getCurrentTime();
assertThat(actual, allOf(greaterThanOrEqualTo(1799 - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800 + RefreshTokenTest.ALLOWED_CLOCK_SKEW)));
assertThat(token.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(200L), lessThanOrEqualTo(350L)));
long actual = refreshToken.getExp() - getCurrentTime();
assertThat(actual, allOf(greaterThanOrEqualTo(1799L - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800L + RefreshTokenTest.ALLOWED_CLOCK_SKEW)));
assertEquals(sessionId, refreshToken.getSessionState());
setTimeOffset(2);
@ -372,9 +372,9 @@ public class HoKTest extends AbstractTestRealmKeycloakTest {
Assert.assertNotNull(refreshTokenString);
assertEquals("Bearer", tokenResponse.getTokenType());
assertThat(token.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(200), lessThanOrEqualTo(350)));
int actual = refreshToken.getExpiration() - getCurrentTime();
assertThat(actual, allOf(greaterThanOrEqualTo(1799 - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800 + RefreshTokenTest.ALLOWED_CLOCK_SKEW)));
assertThat(token.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(200L), lessThanOrEqualTo(350L)));
long actual = refreshToken.getExp() - getCurrentTime();
assertThat(actual, allOf(greaterThanOrEqualTo(1799L - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800L + RefreshTokenTest.ALLOWED_CLOCK_SKEW)));
assertEquals(sessionId, refreshToken.getSessionState());
setTimeOffset(2);
@ -410,10 +410,10 @@ public class HoKTest extends AbstractTestRealmKeycloakTest {
assertEquals(sessionId, refreshedRefreshToken.getSessionState());
assertThat(response.getExpiresIn(), allOf(greaterThanOrEqualTo(250), lessThanOrEqualTo(300)));
assertThat(refreshedToken.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(250 - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(300 + RefreshTokenTest.ALLOWED_CLOCK_SKEW)));
assertThat(refreshedToken.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(250L - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(300L + RefreshTokenTest.ALLOWED_CLOCK_SKEW)));
assertThat(refreshedToken.getExpiration() - token.getExpiration(), allOf(greaterThanOrEqualTo(1), lessThanOrEqualTo(10)));
assertThat(refreshedRefreshToken.getExpiration() - refreshToken.getExpiration(), allOf(greaterThanOrEqualTo(1), lessThanOrEqualTo(10)));
assertThat(refreshedToken.getExp() - token.getExp(), allOf(greaterThanOrEqualTo(1L), lessThanOrEqualTo(10L)));
assertThat(refreshedRefreshToken.getExp() - refreshToken.getExp(), allOf(greaterThanOrEqualTo(1L), lessThanOrEqualTo(10L)));
Assert.assertNotEquals(token.getId(), refreshedToken.getId());
Assert.assertNotEquals(refreshToken.getId(), refreshedRefreshToken.getId());

View file

@ -205,8 +205,8 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
IDToken idToken = sendTokenRequestAndGetIDToken(loginEvent);
// Check that authTime is available and set to current time
int authTime = idToken.getAuthTime();
int currentTime = Time.currentTime();
long authTime = idToken.getAuth_time();
long currentTime = Time.currentTime();
Assert.assertTrue(authTime <= currentTime && authTime + 3 >= currentTime);
// Set time offset
@ -225,7 +225,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
idToken = sendTokenRequestAndGetIDToken(loginEvent);
// Assert that authTime was updated
int authTimeUpdated = idToken.getAuthTime();
long authTimeUpdated = idToken.getAuth_time();
Assert.assertTrue(authTime + 10 <= authTimeUpdated);
}
@ -238,8 +238,8 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
IDToken idToken = sendTokenRequestAndGetIDToken(loginEvent);
// Check that authTime is available and set to current time
int authTime = idToken.getAuthTime();
int currentTime = Time.currentTime();
long authTime = idToken.getAuth_time();
long currentTime = Time.currentTime();
Assert.assertTrue(authTime <= currentTime && authTime + 3 >= currentTime);
// Set time offset
@ -255,7 +255,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
idToken = sendTokenRequestAndGetIDToken(loginEvent);
// Assert that authTime is still the same
int authTimeUpdated = idToken.getAuthTime();
long authTimeUpdated = idToken.getAuth_time();
Assert.assertEquals(authTime, authTimeUpdated);
}
@ -293,7 +293,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
EventRepresentation loginEvent = events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent();
IDToken idToken = sendTokenRequestAndGetIDToken(loginEvent);
int authTime = idToken.getAuthTime();
long authTime = idToken.getAuth_time();
// Set time offset
setTimeOffset(10);
@ -304,7 +304,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
loginEvent = events.expectLogin().removeDetail(Details.USERNAME).assertEvent();
idToken = sendTokenRequestAndGetIDToken(loginEvent);
int authTime2 = idToken.getAuthTime();
long authTime2 = idToken.getAuth_time();
Assert.assertEquals(authTime, authTime2);
}
@ -383,7 +383,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
IDToken newIdToken = sendTokenRequestAndGetIDToken(loginEvent);
// Assert that authTime wasn't updated
Assert.assertEquals(oldIdToken.getAuthTime(), newIdToken.getAuthTime());
Assert.assertEquals(oldIdToken.getAuth_time(), newIdToken.getAuth_time());
// Set time offset
setTimeOffset(20);
@ -399,8 +399,8 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
newIdToken = sendTokenRequestAndGetIDToken(loginEvent);
// Assert that authTime was updated
Assert.assertTrue("Expected auth time to change. old auth time: " + oldIdToken.getAuthTime() + " , new auth time: " + newIdToken.getAuthTime(),
oldIdToken.getAuthTime() + 20 <= newIdToken.getAuthTime());
Assert.assertTrue("Expected auth time to change. old auth time: " + oldIdToken.getAuth_time() + " , new auth time: " + newIdToken.getAuth_time(),
oldIdToken.getAuth_time() + 20 <= newIdToken.getAuth_time());
// Assert userSession didn't change
Assert.assertEquals(oldIdToken.getSessionState(), newIdToken.getSessionState());