Java Code Examples for org.keycloak.representations.AccessToken#getIssuedAt()
The following examples show how to use
org.keycloak.representations.AccessToken#getIssuedAt() .
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: TokenManager.java From keycloak with Apache License 2.0 | 6 votes |
private boolean isUserValid(KeycloakSession session, RealmModel realm, AccessToken token, UserSessionModel userSession) { UserModel user = userSession.getUser(); if (user == null) { return false; } if (!user.isEnabled()) { return false; } try { TokenVerifier.createWithoutSignature(token) .withChecks(NotBeforeCheck.forModel(session ,realm, user)) .verify(); } catch (VerificationException e) { return false; } if (token.getIssuedAt() + 1 < userSession.getStarted()) { return false; } return true; }
Example 2
Source File: DemoServletsAdapterTest.java From keycloak with Apache License 2.0 | 5 votes |
@Test public void testTokenMinTTL() { // Login tokenMinTTLPage.navigateTo(); assertTrue(testRealmLoginPage.form().isUsernamePresent()); assertCurrentUrlStartsWithLoginUrlOf(testRealmPage); testRealmLoginPage.form().login("[email protected]", "password"); assertCurrentUrlEquals(tokenMinTTLPage); // Get time of token AccessToken token = tokenMinTTLPage.getAccessToken(); int tokenIssued1 = token.getIssuedAt(); // Sets 5 minutes offset and assert access token will be still the same setAdapterAndServerTimeOffset(300, tokenMinTTLPage.toString()); tokenMinTTLPage.navigateTo(); token = tokenMinTTLPage.getAccessToken(); int tokenIssued2 = token.getIssuedAt(); Assert.assertEquals(tokenIssued1, tokenIssued2); assertFalse(token.isExpired()); // Sets 9 minutes offset and assert access token will be refreshed (accessTokenTimeout is 10 minutes, token-min-ttl is 2 minutes. Hence 8 minutes or more should be sufficient) setAdapterAndServerTimeOffset(540, tokenMinTTLPage.toString()); tokenMinTTLPage.navigateTo(); token = tokenMinTTLPage.getAccessToken(); int tokenIssued3 = token.getIssuedAt(); Assert.assertTrue(tokenIssued3 > tokenIssued1); // Revert times setAdapterAndServerTimeOffset(0, tokenMinTTLPage.toString()); }
Example 3
Source File: UserInfoEndpoint.java From keycloak with Apache License 2.0 | 4 votes |
private void checkTokenIssuedAt(AccessToken token, UserSessionModel userSession, EventBuilder event) throws ErrorResponseException { if (token.getIssuedAt() + 1 < userSession.getStarted()) { event.error(Errors.INVALID_TOKEN); throw newUnauthorizedErrorResponseException(OAuthErrorException.INVALID_TOKEN, "Stale token"); } }
Example 4
Source File: AuthenticationManager.java From keycloak with Apache License 2.0 | 4 votes |
public static AuthResult verifyIdentityToken(KeycloakSession session, RealmModel realm, UriInfo uriInfo, ClientConnection connection, boolean checkActive, boolean checkTokenType, boolean isCookie, String tokenString, HttpHeaders headers, Predicate<? super AccessToken>... additionalChecks) { try { TokenVerifier<AccessToken> verifier = TokenVerifier.create(tokenString, AccessToken.class) .withDefaultChecks() .realmUrl(Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())) .checkActive(checkActive) .checkTokenType(checkTokenType) .withChecks(additionalChecks); String kid = verifier.getHeader().getKeyId(); String algorithm = verifier.getHeader().getAlgorithm().name(); SignatureVerifierContext signatureVerifier = session.getProvider(SignatureProvider.class, algorithm).verifier(kid); verifier.verifierContext(signatureVerifier); AccessToken token = verifier.verify().getToken(); if (checkActive) { if (!token.isActive() || token.getIssuedAt() < realm.getNotBefore()) { logger.debug("Identity cookie expired"); return null; } } UserSessionModel userSession = session.sessions().getUserSession(realm, token.getSessionState()); UserModel user = null; if (userSession != null) { user = userSession.getUser(); if (user == null || !user.isEnabled()) { logger.debug("Unknown user in identity token"); return null; } int userNotBefore = session.users().getNotBeforeOfUser(realm, user); if (token.getIssuedAt() < userNotBefore) { logger.debug("User notBefore newer than token"); return null; } } if (!isSessionValid(realm, userSession)) { // Check if accessToken was for the offline session. if (!isCookie) { UserSessionModel offlineUserSession = session.sessions().getOfflineUserSession(realm, token.getSessionState()); if (isOfflineSessionValid(realm, offlineUserSession)) { user = offlineUserSession.getUser(); return new AuthResult(user, offlineUserSession, token); } } if (userSession != null) backchannelLogout(session, realm, userSession, uriInfo, connection, headers, true); logger.debug("User session not active"); return null; } session.setAttribute("state_checker", token.getOtherClaims().get("state_checker")); return new AuthResult(user, userSession, token); } catch (VerificationException e) { logger.debugf("Failed to verify identity token: %s", e.getMessage()); } return null; }