From f57cc3a9c088636bb0ebd8f8a8e53ff1ea2c3338 Mon Sep 17 00:00:00 2001
From: Hynek Mlnarik
Date: Wed, 25 Jul 2018 14:40:10 +0200
Subject: [PATCH] KEYCLOAK-5257 Clarify usage of TokenVerifier
---
 core/src/main/java/org/keycloak/TokenVerifier.java | 7 +++++--
 .../keycloak/services/resources/LoginActionsService.java | 2 +-
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/core/src/main/java/org/keycloak/TokenVerifier.java b/core/src/main/java/org/keycloak/TokenVerifier.java
index 0b2047bcfa..1f1d54c301 100755
--- a/core/src/main/java/org/keycloak/TokenVerifier.java
+++ b/core/src/main/java/org/keycloak/TokenVerifier.java
@@ -167,12 +167,15 @@ public class TokenVerifier {
  }
  /**
- * Creates an instance of {@code TokenVerifier} from the given string on a JWT of the given class.
+ * Creates an instance of {@code TokenVerifier} for the given token.
  * The token verifier has no checks defined. Note that the checks are only tested when
  * {@link #verify()} method is invoked.
+ *

+ * NOTE: The returned token verifier cannot verify token signature since
+ * that is not part of the {@link JsonWebToken} object.
  * @return
  */
- public static TokenVerifier create(T token) {
+ public static TokenVerifier createWithoutSignature(T token) {
  return new TokenVerifier(token);
  }
diff --git a/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java b/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java
index 9723eb3b1d..a7abd4e3a0 100755
--- a/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java
+++ b/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java
@@ -544,7 +544,7 @@ public class LoginActionsService {
  session.getContext().setClient(authSession.getClient());
- TokenVerifier.create(token)
+ TokenVerifier.createWithoutSignature(token)
  .withChecks(handler.getVerifiers(tokenContext))
  .verify();
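Review bot: The new Javadoc on `createWithoutSignature` states what the verifier cannot do but not what a caller should do instead, and its `@return` tag is still empty. I would end the note with `* Use this only for a token whose signature has already been verified elsewhere.` and fill the tag as `@return a verifier for {@code token} with no checks defined and no signature verification`; if the string-based factory that the removed sentence described is the signature-capable path, a `{@link}` to it belongs here too. In the LoginActionsService hunk the enclosing method starts and ends outside the hunk, so it is not visible where the action token's signature is checked. A one-line comment above that call, such as `// signature already verified above; only the handler's checks run here`, would keep the `WithoutSignature` call from reading as an omission, and is worth confirming against the full method before adding it.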