KEYCLOAK-5257 Clarify usage of TokenVerifier

2018-07-25 14:40:10 +02:00 · 2018-07-25 14:40:10 +02:00 · f57cc3a9c0
commit f57cc3a9c0
parent 29da7d3d90
2 changed files with 6 additions and 3 deletions
--- a/core/src/main/java/org/keycloak/TokenVerifier.java
+++ b/core/src/main/java/org/keycloak/TokenVerifier.java
@ -167,12 +167,15 @@ public class TokenVerifier<T extends JsonWebToken> {
    }

    /**
-     * Creates an instance of {@code TokenVerifier} from the given string on a JWT of the given class.
+     * Creates an instance of {@code TokenVerifier} for the given token.
     * The token verifier has no checks defined. Note that the checks are only tested when
     * {@link #verify()} method is invoked.
+     * <p>
+     * <b>NOTE:</b> The returned token verifier cannot verify token signature since
+     * that is not part of the {@link JsonWebToken} object.
     * @return
     */
-    public static <T extends JsonWebToken> TokenVerifier<T> create(T token) {
+    public static <T extends JsonWebToken> TokenVerifier<T> createWithoutSignature(T token) {
        return new TokenVerifier(token);
    }

--- a/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java
+++ b/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java
@ -544,7 +544,7 @@ public class LoginActionsService {
            
            session.getContext().setClient(authSession.getClient());

-            TokenVerifier.create(token)
+            TokenVerifier.createWithoutSignature(token)
              .withChecks(handler.getVerifiers(tokenContext))
              .verify();