Java Code Examples for org.keycloak.representations.AccessToken#getIssuedAt()

The following examples show how to use org.keycloak.representations.AccessToken#getIssuedAt() . You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: TokenManager.java — from keycloak, Apache License 2.0 (6 votes)
/**
 * Decides whether the user behind {@code userSession} may still use {@code token}.
 * <p>
 * Returns {@code false} when the session has no user, the user is disabled, the token
 * fails the not-before check built from {@code session}/{@code realm}/user, or the
 * token's {@code iat} lies more than one second before the session start time.
 *
 * @return {@code true} only when every check passes
 */
private boolean isUserValid(KeycloakSession session, RealmModel realm, AccessToken token, UserSessionModel userSession) {
    final UserModel sessionUser = userSession.getUser();
    if (sessionUser == null || !sessionUser.isEnabled()) {
        return false;
    }
    if (!passesNotBeforeCheck(session, realm, sessionUser, token)) {
        return false;
    }
    // One second of tolerance between the token's iat and the session start
    // (presumably to absorb rounding between the two clocks — confirm).
    final boolean issuedBeforeSession = token.getIssuedAt() + 1 < userSession.getStarted();
    return !issuedBeforeSession;
}

/**
 * Runs the not-before check for {@code user} against {@code token} without re-verifying
 * the signature; a {@link VerificationException} is mapped to {@code false}.
 */
private static boolean passesNotBeforeCheck(KeycloakSession session, RealmModel realm, UserModel user, AccessToken token) {
    try {
        TokenVerifier.createWithoutSignature(token)
                .withChecks(NotBeforeCheck.forModel(session ,realm, user))
                .verify();
        return true;
    } catch (VerificationException e) {
        return false;
    }
}
 
Example 2
Source File: DemoServletsAdapterTest.java — from keycloak, Apache License 2.0 (5 votes)
/**
 * Verifies the adapter's token-min-ttl behaviour: the same access token is reused while
 * its remaining lifetime is above the configured minimum, and a fresh one is obtained
 * once the (simulated) clock moves close enough to expiry.
 */
@Test
public void testTokenMinTTL() {
    // Login
    tokenMinTTLPage.navigateTo();
    assertTrue(testRealmLoginPage.form().isUsernamePresent());
    assertCurrentUrlStartsWithLoginUrlOf(testRealmPage);
    testRealmLoginPage.form().login("[email protected]", "password");
    assertCurrentUrlEquals(tokenMinTTLPage);

    // Baseline: iat of the token obtained right after login
    final int issuedAtBaseline = tokenMinTTLPage.getAccessToken().getIssuedAt();

    // 5 minutes of offset: still the same token, and it is not expired
    final AccessToken tokenAfterSmallOffset = fetchTokenWithTimeOffset(300);
    Assert.assertEquals(issuedAtBaseline, tokenAfterSmallOffset.getIssuedAt());
    assertFalse(tokenAfterSmallOffset.isExpired());

    // 9 minutes of offset: accessTokenTimeout is 10 minutes and token-min-ttl is 2 minutes,
    // so at 8 minutes or more the adapter must have refreshed the token (newer iat)
    final AccessToken tokenAfterLargeOffset = fetchTokenWithTimeOffset(540);
    Assert.assertTrue(tokenAfterLargeOffset.getIssuedAt() > issuedAtBaseline);

    // Revert times
    setAdapterAndServerTimeOffset(0, tokenMinTTLPage.toString());
}

/**
 * Shifts the adapter and server clocks by {@code offsetSeconds}, reloads the page and
 * returns the access token it now holds.
 */
private AccessToken fetchTokenWithTimeOffset(int offsetSeconds) {
    setAdapterAndServerTimeOffset(offsetSeconds, tokenMinTTLPage.toString());
    tokenMinTTLPage.navigateTo();
    return tokenMinTTLPage.getAccessToken();
}
 
Example 3
Source File: UserInfoEndpoint.java — from keycloak, Apache License 2.0 (4 votes)
/**
 * Rejects a token whose {@code iat} (plus one second of tolerance) predates the start of
 * the user session it is presented with.
 *
 * @throws ErrorResponseException carrying {@code invalid_token}, after an
 *         {@code INVALID_TOKEN} event has been recorded on {@code event}
 */
private void checkTokenIssuedAt(AccessToken token, UserSessionModel userSession, EventBuilder event) throws ErrorResponseException {
    final int issuedAtWithTolerance = token.getIssuedAt() + 1;
    final boolean stale = issuedAtWithTolerance < userSession.getStarted();
    if (!stale) {
        return;
    }
    event.error(Errors.INVALID_TOKEN);
    throw newUnauthorizedErrorResponseException(OAuthErrorException.INVALID_TOKEN, "Stale token");
}
 
Example 4
Source File: AuthenticationManager.java — from keycloak, Apache License 2.0 (4 votes)
/**
 * Parses and verifies an identity token and resolves the user and session behind it.
 * <p>
 * Check order: signature and the verifier's default checks (plus {@code additionalChecks}),
 * then — only when {@code checkActive} — token activity and the realm not-before, then the
 * session's user and the user-level not-before, then session validity with an offline-session
 * fallback for non-cookie tokens.
 *
 * @param checkActive      when {@code true}, an inactive token or one issued before the realm's
 *                         notBefore is rejected
 * @param checkTokenType   passed through to {@code TokenVerifier.checkTokenType}
 * @param isCookie         when {@code true}, the offline-session fallback is skipped
 * @param tokenString      the raw token to verify
 * @param additionalChecks extra predicates the verifier must accept
 * @return an {@link AuthResult} for a valid token, or {@code null} when any check fails; the
 *         reason is only logged at debug level
 */
public static AuthResult verifyIdentityToken(KeycloakSession session, RealmModel realm, UriInfo uriInfo, ClientConnection connection, boolean checkActive, boolean checkTokenType,
                                                boolean isCookie, String tokenString, HttpHeaders headers, Predicate<? super AccessToken>... additionalChecks) {
    try {
        TokenVerifier<AccessToken> verifier = TokenVerifier.create(tokenString, AccessToken.class)
          .withDefaultChecks()
          .realmUrl(Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName()))
          .checkActive(checkActive)
          .checkTokenType(checkTokenType)
          .withChecks(additionalChecks);
        // kid and alg are read from the not-yet-verified JWT header; which algorithms are
        // accepted is decided by the SignatureProvider lookup by that name below.
        // NOTE(review): confirm an unknown algorithm name fails here rather than falling back.
        String kid = verifier.getHeader().getKeyId();
        String algorithm = verifier.getHeader().getAlgorithm().name();

        SignatureVerifierContext signatureVerifier = session.getProvider(SignatureProvider.class, algorithm).verifier(kid);
        verifier.verifierContext(signatureVerifier);

        // Signature and all configured checks run here; failures surface as VerificationException.
        AccessToken token = verifier.verify().getToken();
        if (checkActive) {
            // Covers both an inactive token and one issued before the realm-wide notBefore,
            // even though the log message only mentions expiry.
            if (!token.isActive() || token.getIssuedAt() < realm.getNotBefore()) {
                logger.debug("Identity cookie expired");
                return null;
            }
        }

        UserSessionModel userSession = session.sessions().getUserSession(realm, token.getSessionState());
        UserModel user = null;
        if (userSession != null) {
            user = userSession.getUser();
            if (user == null || !user.isEnabled()) {
                logger.debug("Unknown user in identity token");
                return null;
            }

            // Per-user notBefore (e.g. after a user-level revocation) is checked separately
            // from the realm notBefore above.
            int userNotBefore = session.users().getNotBeforeOfUser(realm, user);
            if (token.getIssuedAt() < userNotBefore) {
                logger.debug("User notBefore newer than token");
                return null;
            }
        }

        // userSession may be null here; presumably isSessionValid treats null as invalid — confirm.
        if (!isSessionValid(realm, userSession)) {
            // Check if accessToken was for the offline session.
            if (!isCookie) {
                UserSessionModel offlineUserSession = session.sessions().getOfflineUserSession(realm, token.getSessionState());
                if (isOfflineSessionValid(realm, offlineUserSession)) {
                    user = offlineUserSession.getUser();
                    return new AuthResult(user, offlineUserSession, token);
                }
            }

            // Only an existing (but no longer valid) online session is logged out; a null session is not.
            if (userSession != null) backchannelLogout(session, realm, userSession, uriInfo, connection, headers, true);
            logger.debug("User session not active");
            return null;
        }

        // Copies the token's state_checker claim (may be absent) onto the request session.
        session.setAttribute("state_checker", token.getOtherClaims().get("state_checker"));

        return new AuthResult(user, userSession, token);
    } catch (VerificationException e) {
        // Verification details stay at debug level; callers only see null.
        logger.debugf("Failed to verify identity token: %s", e.getMessage());
    }
    return null;
}