diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java index d34c3fa817cc..406ee0acc88e 100755 --- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java +++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java @@ -110,7 +110,7 @@ protected AuthOutcome authenticateToken(HttpFacade exchange, String tokenString) challenge = challengeResponse(exchange, OIDCAuthenticationError.Reason.INVALID_TOKEN, "invalid_token", e.getMessage()); return AuthOutcome.FAILED; } - if (token.getIssuedAt() < deployment.getNotBefore()) { + if (token.getIat() < deployment.getNotBefore()) { log.debug("Stale token"); challenge = challengeResponse(exchange, OIDCAuthenticationError.Reason.STALE_TOKEN, "invalid_token", "Stale token"); return AuthOutcome.FAILED; diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java index 68acc1118fb2..d0735ebc32aa 100755 --- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java +++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java @@ -369,7 +369,7 @@ protected AuthChallenge resolveCode(String code) { if (tokenResponse.getNotBeforePolicy() > deployment.getNotBefore()) { deployment.updateNotBefore(tokenResponse.getNotBeforePolicy()); } - if (token.getIssuedAt() < deployment.getNotBefore()) { + if (token.getIat() < deployment.getNotBefore()) { log.error("Stale token"); return challenge(403, OIDCAuthenticationError.Reason.STALE_TOKEN, null); } 
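Review bot: `token.getIat()` returns a `Long`, so the new comparison `token.getIat() < deployment.getNotBefore()` in authenticateToken unboxes it and throws a NullPointerException when the token carries no `iat` claim; the removed `getIssuedAt()` returned 0 in that case. The same unguarded unboxing is introduced in OAuthRequestAuthenticator.resolveCode (second hunk here), RefreshableKeycloakSecurityContext.isActive, JWTClientValidator.validateToken (`token.getIat() + 10`), and TokenManager's validateTokenReuse and NotBeforeCheck.test. Read the claim once and reject explicitly, `Long iat = token.getIat();` then `if (iat == null || iat < deployment.getNotBefore()) {`, so a token without `iat` takes the existing STALE_TOKEN path instead of failing with an exception. That is stricter than before when not-before is 0 (the old code accepted a missing `iat` there), so the choice should be deliberate and recorded in a comment. Both method bodies continue outside their hunks.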
diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RefreshableKeycloakSecurityContext.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RefreshableKeycloakSecurityContext.java index c3b2e7155b9d..03bdf68d2680 100755 --- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RefreshableKeycloakSecurityContext.java +++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RefreshableKeycloakSecurityContext.java @@ -88,11 +88,11 @@ public void logout(KeycloakDeployment deployment) { } public boolean isActive() { - return token != null && this.token.isActive() && deployment!=null && this.token.getIssuedAt() >= deployment.getNotBefore(); + return token != null && this.token.isActive() && deployment!=null && this.token.getIat() >= deployment.getNotBefore(); } public boolean isTokenTimeToLiveSufficient(AccessToken token) { - return token != null && (token.getExpiration() - this.deployment.getTokenMinimumTimeToLive()) > Time.currentTime(); + return token != null && (token.getExp() - this.deployment.getTokenMinimumTimeToLive()) > Time.currentTime(); } public KeycloakDeployment getDeployment() { diff --git a/adapters/oidc/adapter-core/src/test/java/org/keycloak/adapters/RefreshableKeycloakSecurityContextTest.java b/adapters/oidc/adapter-core/src/test/java/org/keycloak/adapters/RefreshableKeycloakSecurityContextTest.java index 1a3b0101e9a7..af3508522de4 100644 --- a/adapters/oidc/adapter-core/src/test/java/org/keycloak/adapters/RefreshableKeycloakSecurityContextTest.java +++ b/adapters/oidc/adapter-core/src/test/java/org/keycloak/adapters/RefreshableKeycloakSecurityContextTest.java 
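Review bot: `token.getExp()` can now be null (the upgrade notes in this commit say `exp` is optional and no longer written as 0), yet isTokenTimeToLiveSufficient subtracts from it directly and the `token != null` test does not cover the claim. The same pattern appears in KeycloakInstalled.getTokenString (`((long) token.getExp()) * 1000`), TokenCallable.isTokenTimeToLiveSufficient, and TokenManager's `build()`, where `accessToken.getExp() != 0` is left unguarded although the refresh-token branch of that same method was given `exp != null && exp > 0`. A suggested shape is `Long exp = token == null ? null : token.getExp();` followed by `return exp != null && (exp - this.deployment.getTokenMinimumTimeToLive()) > Time.currentTime();`, which keeps the old outcome (time-to-live insufficient) for a token without `exp`.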
@@ -43,13 +43,13 @@ public void sameIssuedAtAsNotBeforeIsActiveKEYCLOAK10013() { TokenMetadataRepresentation token = new TokenMetadataRepresentation(); token.setActive(true); - token.issuedAt(4999); + token.iat(4999L); RefreshableKeycloakSecurityContext sut = new RefreshableKeycloakSecurityContext(keycloakDeployment,null,null,token,null, null, null); assertFalse(sut.isActive()); - token.issuedAt(5000); + token.iat(5000L); assertTrue(sut.isActive()); } diff --git a/adapters/oidc/installed/src/main/java/org/keycloak/adapters/installed/KeycloakInstalled.java b/adapters/oidc/installed/src/main/java/org/keycloak/adapters/installed/KeycloakInstalled.java index 685b55275be3..6517030287d5 100644 --- a/adapters/oidc/installed/src/main/java/org/keycloak/adapters/installed/KeycloakInstalled.java +++ b/adapters/oidc/installed/src/main/java/org/keycloak/adapters/installed/KeycloakInstalled.java @@ -18,12 +18,10 @@ package org.keycloak.adapters.installed; import java.awt.Desktop; -import java.io.BufferedReader; import java.io.IOException; import java.io.InputStream; import java.io.InputStreamReader; import java.io.PrintStream; -import java.io.PrintWriter; import java.io.Reader; import java.net.InetSocketAddress; import java.net.URI; @@ -37,16 +35,9 @@ import java.util.concurrent.CountDownLatch; import java.util.concurrent.ForkJoinPool; import java.util.concurrent.TimeUnit; -import java.util.regex.Matcher; import java.util.regex.Pattern; -import javax.ws.rs.client.Entity; -import javax.ws.rs.core.Form; -import javax.ws.rs.core.HttpHeaders; -import javax.ws.rs.core.Response; - import org.jboss.resteasy.client.jaxrs.ResteasyClient; -import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder; import org.keycloak.OAuth2Constants; import org.keycloak.OAuthErrorException; import org.keycloak.adapters.KeycloakDeployment; 
@@ -314,7 +305,7 @@ public String getTokenString() { } public String getTokenString(long minValidity, TimeUnit unit) throws VerificationException, IOException, ServerRequest.HttpFailure { - long expires = ((long) token.getExpiration()) * 1000 - unit.toMillis(minValidity); + long expires = ((long) token.getExp()) * 1000 - unit.toMillis(minValidity); if (expires < System.currentTimeMillis()) { refreshToken(); } diff --git a/authz/client/src/main/java/org/keycloak/authorization/client/util/TokenCallable.java b/authz/client/src/main/java/org/keycloak/authorization/client/util/TokenCallable.java index 383db674b4a1..dca3d673b735 100644 --- a/authz/client/src/main/java/org/keycloak/authorization/client/util/TokenCallable.java +++ b/authz/client/src/main/java/org/keycloak/authorization/client/util/TokenCallable.java @@ -106,7 +106,7 @@ private AccessTokenResponse tryRefreshToken() { } public boolean isTokenTimeToLiveSufficient(AccessToken token) { - return token != null && (token.getExpiration() - getConfiguration().getTokenMinimumTimeToLive()) > Time.currentTime(); + return token != null && (token.getExp() - getConfiguration().getTokenMinimumTimeToLive()) > Time.currentTime(); } /** diff --git a/core/src/main/java/org/keycloak/protocol/oidc/client/authentication/JWTClientCredentialsProvider.java b/core/src/main/java/org/keycloak/protocol/oidc/client/authentication/JWTClientCredentialsProvider.java index d18c639c0cd7..5d268be8acb7 100644 --- a/core/src/main/java/org/keycloak/protocol/oidc/client/authentication/JWTClientCredentialsProvider.java +++ b/core/src/main/java/org/keycloak/protocol/oidc/client/authentication/JWTClientCredentialsProvider.java 
@@ -182,10 +182,10 @@ protected JsonWebToken createRequestToken(String clientId, String realmInfoUrl) reqToken.subject(clientId); reqToken.audience(realmInfoUrl); - int now = Time.currentTime(); - reqToken.issuedAt(now); - reqToken.expiration(now + this.tokenTimeout); - reqToken.notBefore(now); + long now = Time.currentTime(); + reqToken.iat(now); + reqToken.exp(now + this.tokenTimeout); + reqToken.nbf(now); return reqToken; } diff --git a/core/src/main/java/org/keycloak/protocol/oidc/client/authentication/JWTClientSecretCredentialsProvider.java b/core/src/main/java/org/keycloak/protocol/oidc/client/authentication/JWTClientSecretCredentialsProvider.java index 2764cb3761e0..a53a6b543bf8 100644 --- a/core/src/main/java/org/keycloak/protocol/oidc/client/authentication/JWTClientSecretCredentialsProvider.java +++ b/core/src/main/java/org/keycloak/protocol/oidc/client/authentication/JWTClientSecretCredentialsProvider.java @@ -131,11 +131,11 @@ protected JsonWebToken createRequestToken(String clientId, String realmInfoUrl) reqToken.subject(clientId); reqToken.audience(realmInfoUrl); - int now = Time.currentTime(); - reqToken.issuedAt(now); + long now = Time.currentTime(); + reqToken.iat(now); // the same as in KEYCLOAK-2986, JWTClientCredentialsProvider's timeout field - reqToken.expiration(now + 10); - reqToken.notBefore(now); + reqToken.exp(now + 10); + reqToken.nbf(now); return reqToken; } diff --git a/core/src/main/java/org/keycloak/representations/AccessToken.java b/core/src/main/java/org/keycloak/representations/AccessToken.java index 0983b2ae1bde..d16b72443ed3 100755 --- a/core/src/main/java/org/keycloak/representations/AccessToken.java +++ b/core/src/main/java/org/keycloak/representations/AccessToken.java 
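Review bot: `long now = Time.currentTime();` in createRequestToken only widens a value that is already an `int` (the removed line was `int now = Time.currentTime();`), so the 2038 limit that motivated removing the int accessors still sits at the clock source. The sum `now + this.tokenTimeout` is now evaluated in long arithmetic, which is an improvement, but `iat`, `nbf` and the base of `exp` still come from a 32-bit seconds counter. The same applies to JWTClientSecretCredentialsProvider.createRequestToken, JsonWebToken.issuedNow (`(long) Time.currentTime()`) and AuthUtil.getSignedRequestToken. If `Time` offers a 64-bit clock, derive the seconds from it; otherwise a comment such as `// Time.currentTime() is still int; tracked separately for 2038` would keep the remaining gap visible.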
@@ -205,22 +205,6 @@ public AccessToken id(String id) { return (AccessToken) super.id(id); } - @Override - public AccessToken expiration(int expiration) { - return (AccessToken) super.expiration(expiration); - } - - @Override - public AccessToken notBefore(int notBefore) { - return (AccessToken) super.notBefore(notBefore); - } - - - @Override - public AccessToken issuedAt(int issuedAt) { - return (AccessToken) super.issuedAt(issuedAt); - } - @Override public AccessToken issuer(String issuer) { return (AccessToken) super.issuer(issuer); diff --git a/core/src/main/java/org/keycloak/representations/IDToken.java b/core/src/main/java/org/keycloak/representations/IDToken.java index 858ef7a64d84..33c54b70ef37 100755 --- a/core/src/main/java/org/keycloak/representations/IDToken.java +++ b/core/src/main/java/org/keycloak/representations/IDToken.java @@ -154,27 +154,10 @@ public Long getAuth_time() { return auth_time; } - /** - * @deprecated int will overflow with values after 2038. Use {@link #getAuth_time()} instead. - */ - @Deprecated - @JsonIgnore - public int getAuthTime() { - return auth_time != null ? auth_time.intValue() : 0; - } - public void setAuth_time(Long auth_time) { this.auth_time = auth_time; } - /** - * @deprecated int will overflow with values after 2038. Use {@link #setAuth_time(Long)} ()} instead. - */ - public void setAuthTime(int authTime) { - this.auth_time = Long.valueOf(authTime); - } - - public String getSessionId() { return sessionId; } diff --git a/core/src/main/java/org/keycloak/representations/JsonWebToken.java b/core/src/main/java/org/keycloak/representations/JsonWebToken.java index 0ed565171fdf..a969273fde24 100755 --- a/core/src/main/java/org/keycloak/representations/JsonWebToken.java +++ b/core/src/main/java/org/keycloak/representations/JsonWebToken.java 
@@ -77,64 +77,28 @@ public Long getExp() { return exp; } - /** - * @deprecated int will overflow with values after 2038. Use {@link #getExp()} instead. - */ - @Deprecated - @JsonIgnore - public int getExpiration() { - return exp != null ? exp.intValue() : 0; - } - public JsonWebToken exp(Long exp) { this.exp = exp; return this; } - /** - * @deprecated int will overflow with values after 2038. Use {@link #exp(Long)} instead. - */ - public JsonWebToken expiration(int expiration) { - this.exp = Long.valueOf(expiration); - return this; - } - @JsonIgnore public boolean isExpired() { - return exp != null && exp != 0 ? Time.currentTime() > exp : false; + return exp != null && exp != 0 && Time.currentTime() > exp; } public Long getNbf() { return nbf; } - /** - * @deprecated int will overflow with values after 2038. Use {@link #getNbf()} instead. - */ - @Deprecated - @JsonIgnore - public int getNotBefore() { - return nbf != null ? nbf.intValue() : 0; - } - public JsonWebToken nbf(Long nbf) { this.nbf = nbf; return this; } - /** - * @deprecated int will overflow with values after 2038. Use {@link #nbf(Long)} instead. - */ - @Deprecated @JsonIgnore - public JsonWebToken notBefore(int notBefore) { - this.nbf = Long.valueOf(notBefore); - return this; - } - - @JsonIgnore - public boolean isNotBefore(int allowedTimeSkew) { - return nbf != null ? Time.currentTime() + allowedTimeSkew >= nbf : true; + public boolean isNotBefore(long allowedTimeSkew) { + return nbf == null || Time.currentTime() + allowedTimeSkew >= nbf; } /** @@ -165,21 +129,12 @@ public Long getIat() { return iat; } - /** - * @deprecated int will overflow with values after 2038. Use {@link #getIat()} instead. - */ - @Deprecated - @JsonIgnore - public int getIssuedAt() { - return iat != null ? iat.intValue() : 0; - } - /** * Set issuedAt to the current time */ @JsonIgnore public JsonWebToken issuedNow() { - iat = Long.valueOf(Time.currentTime()); + iat = (long) Time.currentTime(); return this; } 
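Review bot: `isExpired()` and `isNotBefore(long)` carry no Javadoc, and how they treat absent claims matters to every caller that relies on them for validation: a null or zero `exp` is reported as not expired, and a null `nbf` always passes. Now that the int accessors that turned null into 0 are gone, that contract should be written down. For isExpired I would add `/** @return true only if exp is set to a non-zero value earlier than the current time; a missing or zero exp is treated as not expired */`. For isNotBefore I would add `/** @param allowedTimeSkew tolerated clock skew, presumably in seconds like Time.currentTime(); a missing nbf always passes */`, with the unit to be confirmed by the author.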
@@ -188,17 +143,6 @@ public JsonWebToken iat(Long iat) { return this; } - /** - * @deprecated int will overflow with values after 2038. Use {@link #iat(Long)} ()} instead. - */ - @Deprecated - @JsonIgnore - public JsonWebToken issuedAt(int issuedAt) { - this.iat = Long.valueOf(issuedAt); - return this; - } - - public String getIssuer() { return issuer; } diff --git a/core/src/main/java/org/keycloak/representations/docker/DockerResponseToken.java b/core/src/main/java/org/keycloak/representations/docker/DockerResponseToken.java index faee452c5b93..fe02a6459ce1 100644 --- a/core/src/main/java/org/keycloak/representations/docker/DockerResponseToken.java +++ b/core/src/main/java/org/keycloak/representations/docker/DockerResponseToken.java @@ -42,14 +42,14 @@ public DockerResponseToken id(final String id) { } @Override - public DockerResponseToken expiration(final int expiration) { - super.expiration(expiration); + public DockerResponseToken exp(final Long expiration) { + super.exp(expiration); return this; } @Override - public DockerResponseToken notBefore(final int notBefore) { - super.notBefore(notBefore); + public DockerResponseToken nbf(final Long notBefore) { + super.nbf(notBefore); return this; } @@ -60,8 +60,8 @@ public DockerResponseToken issuedNow() { } @Override - public DockerResponseToken issuedAt(final int issuedAt) { - super.issuedAt(issuedAt); + public DockerResponseToken iat(final Long issuedAt) { + super.iat(issuedAt); return this; } diff --git a/core/src/main/java/org/keycloak/representations/idm/authorization/PermissionTicketToken.java b/core/src/main/java/org/keycloak/representations/idm/authorization/PermissionTicketToken.java index b1cdafa1df32..9f2fa5a81af4 100644 --- a/core/src/main/java/org/keycloak/representations/idm/authorization/PermissionTicketToken.java +++ b/core/src/main/java/org/keycloak/representations/idm/authorization/PermissionTicketToken.java 
@@ -44,9 +44,9 @@ public PermissionTicketToken(List permissions, String audience, Acce if (accessToken != null) { id(TokenIdGenerator.generateId()); subject(accessToken.getSubject()); - expiration(accessToken.getExpiration()); - notBefore(accessToken.getNotBefore()); - issuedAt(accessToken.getIssuedAt()); + this.exp(accessToken.getExp()); + this.nbf(accessToken.getNbf()); + iat(accessToken.getIat()); issuedFor(accessToken.getIssuedFor()); } if (audience != null) { diff --git a/core/src/test/java/org/keycloak/RSAVerifierTest.java b/core/src/test/java/org/keycloak/RSAVerifierTest.java index f930f0d2fc67..36edacbbfe94 100755 --- a/core/src/test/java/org/keycloak/RSAVerifierTest.java +++ b/core/src/test/java/org/keycloak/RSAVerifierTest.java @@ -120,7 +120,7 @@ public void testBadSignature() { @Test public void testNotBeforeGood() throws Exception { - token.notBefore(Time.currentTime() - 100); + token.nbf(Time.currentTime() - 100L); String encoded = new JWSBuilder() .jsonContent(token) @@ -136,7 +136,7 @@ public void testNotBeforeGood() throws Exception { @Test public void testNotBeforeBad() { - token.notBefore(Time.currentTime() + 100); + token.nbf(Time.currentTime() + 100L); String encoded = new JWSBuilder() .jsonContent(token) @@ -153,7 +153,7 @@ public void testNotBeforeBad() { @Test public void testExpirationGood() throws Exception { - token.expiration(Time.currentTime() + 100); + token.exp(Time.currentTime() + 100L); String encoded = new JWSBuilder() .jsonContent(token) @@ -169,7 +169,7 @@ public void testExpirationGood() throws Exception { @Test public void testExpirationBad() { - token.expiration(Time.currentTime() - 100); + token.exp(Time.currentTime() - 100L); String encoded = new JWSBuilder() .jsonContent(token) diff --git a/core/src/test/java/org/keycloak/jose/JsonWebTokenTest.java b/core/src/test/java/org/keycloak/jose/JsonWebTokenTest.java index cae36c518de9..26c00bd0aa9c 100644 --- a/core/src/test/java/org/keycloak/jose/JsonWebTokenTest.java 
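Review bot: In the PermissionTicketToken constructor the copied claims are written inconsistently: `this.exp(...)` and `this.nbf(...)` are qualified while `iat(...)`, `id(...)`, `subject(...)` and `issuedFor(...)` beside them are not. Drop the qualifier so the block reads uniformly, `exp(accessToken.getExp());` and `nbf(accessToken.getNbf());`. Note also that these calls now copy a null claim through unchanged where the old int accessors substituted 0; a short comment saying that absent claims are intentionally left absent would help the next reader.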
+++ b/core/src/test/java/org/keycloak/jose/JsonWebTokenTest.java @@ -82,37 +82,37 @@ public void testArray() throws IOException { @Test public void isActiveReturnFalseWhenBeforeTimeInFuture() { - int currentTime = Time.currentTime(); - int futureTime = currentTime + 10; + long currentTime = Time.currentTime(); + long futureTime = currentTime + 10; JsonWebToken jsonWebToken = new JsonWebToken(); - jsonWebToken.notBefore(futureTime); + jsonWebToken.nbf(futureTime); assertFalse(jsonWebToken.isActive()); } @Test public void isActiveReturnTrueWhenBeforeTimeInPast() { - int currentTime = Time.currentTime(); - int pastTime = currentTime - 10; + long currentTime = Time.currentTime(); + long pastTime = currentTime - 10; JsonWebToken jsonWebToken = new JsonWebToken(); - jsonWebToken.notBefore(pastTime); + jsonWebToken.nbf(pastTime); assertTrue(jsonWebToken.isActive()); } @Test public void isActiveShouldReturnTrueWhenBeforeTimeInFutureWithinTimeSkew() { - int notBeforeTime = Time.currentTime() + 5; + long notBeforeTime = Time.currentTime() + 5; int allowedClockSkew = 10; JsonWebToken jsonWebToken = new JsonWebToken(); - jsonWebToken.notBefore(notBeforeTime); + jsonWebToken.nbf(notBeforeTime); assertTrue(jsonWebToken.isActive(allowedClockSkew)); } @Test public void isActiveShouldReturnFalseWhenWhenBeforeTimeInFutureOutsideTimeSkew() { - int notBeforeTime = Time.currentTime() + 10; + long notBeforeTime = Time.currentTime() + 10; int allowedClockSkew = 5; JsonWebToken jsonWebToken = new JsonWebToken(); - jsonWebToken.notBefore(notBeforeTime); + jsonWebToken.nbf(notBeforeTime); assertFalse(jsonWebToken.isActive(allowedClockSkew)); } diff --git a/docs/documentation/release_notes/topics/25_0_0.adoc b/docs/documentation/release_notes/topics/25_0_0.adoc index 36632fb70253..e6d8a0150677 100644 --- a/docs/documentation/release_notes/topics/25_0_0.adoc +++ b/docs/documentation/release_notes/topics/25_0_0.adoc 
@@ -130,4 +130,21 @@ For more details, see the link:{upgradingguide_link}[{upgradingguide_name}]. It is now possible to specify the `cache`, `cache-stack`, and `cache-config-file` options during runtime. This eliminates the need to execute the build phase and rebuild your image due to them. +For more details, see the link:{upgradingguide_link}[{upgradingguide_name}]. + += Removing deprecated methods from `AccessToken`, `IDToken`, and `JsonWebToken` classes + +In this release, we are finally removing deprecated methods from the following classes: + +* `AccessToken` +* `IDToken` +* `JsonWebToken` + +For more details, see the link:{upgradingguide_link}[{upgradingguide_name}]. + += Method `getExp` added to `SingleUseObjectKeyModel` + +As a consequence of the removal of deprecated methods from `AccessToken`, `IDToken`, and `JsonWebToken`, +the `SingleUseObjectKeyModel` also changed to keep consistency with the method names related to expiration values. + For more details, see the link:{upgradingguide_link}[{upgradingguide_name}]. \ No newline at end of file diff --git a/docs/documentation/upgrading/topics/changes/changes-25_0_0.adoc b/docs/documentation/upgrading/topics/changes/changes-25_0_0.adoc index 36bd03269eab..5503ef3ecbfd 100644 --- a/docs/documentation/upgrading/topics/changes/changes-25_0_0.adoc +++ b/docs/documentation/upgrading/topics/changes/changes-25_0_0.adoc 
@@ -268,4 +268,36 @@ The new indexes are both applied to the `RESOURCE_SERVER_PERM_TICKET` table. If {project_name} will skip the creation of the indexes by default during the automatic schema migration, and will instead log the SQL statements on the console during migration. In this case, the statements must be run manually in the DB after {project_name}'s startup. -See the link:{upgradingguide_link}[{upgradingguide_name}] for details on how to configure a different limit. \ No newline at end of file +See the link:{upgradingguide_link}[{upgradingguide_name}] for details on how to configure a different limit. + += Removing deprecated methods from `AccessToken`, `IDToken`, and `JsonWebToken` classes + +The following methods were removed from the `AccessToken` class: + +* `expiration`. Use the `exp` method instead. +* `notBefore`. Use the `nbf` method instead. +* `issuedAt`. Use the `iat` method instead. + +The following methods were removed from the `IDToken` class: + +* `getAuthTime` and `setAuthTime`. Use the `getAuth_time` and `setAuth_time` methods, respectively. +* `notBefore`. Use the `nbf` method instead. +* `issuedAt`. Use the `iat` method instead. +* `setSessionState`. Use the `setSessionId` method instead (See the details above in the section about `session_state` claim) + +The following methods were removed from the `JsonWebToken` class: + +* `expiration`. Use the `exp` method instead. +* `notBefore`. Use the `nbf` method instead. +* `issuedAt`. Use the `iat` method instead. + +You should also expect both `exp` and `nbf` claims not set in tokens as they are optional. Previously, these claims were +being set with a value of `0` what does not make mush sense because their value should be a valid `NumericDate`. 
+ += Method `getExp` added to `SingleUseObjectKeyModel` + +As a consequence of the removal of deprecated methods from `AccessToken`, `IDToken`, and `JsonWebToken`, +the `SingleUseObjectKeyModel` also changed to keep consistency with the method names related to expiration values. + +The previous `getExpiration` method is now deprecated and you should prefer using new newly introduced `getExp` method +to avoid overflow after 2038. \ No newline at end of file diff --git a/integration/client-cli/admin-cli/src/main/java/org/keycloak/client/cli/util/AuthUtil.java b/integration/client-cli/admin-cli/src/main/java/org/keycloak/client/cli/util/AuthUtil.java index ea0b6eec33ce..f5a777aeb989 100644 --- a/integration/client-cli/admin-cli/src/main/java/org/keycloak/client/cli/util/AuthUtil.java +++ b/integration/client-cli/admin-cli/src/main/java/org/keycloak/client/cli/util/AuthUtil.java @@ -200,10 +200,10 @@ public static String getSignedRequestToken(String keystore, String storePass, St reqToken.subject(clientId); reqToken.audience(realmInfoUrl); - int now = Time.currentTime(); - reqToken.issuedAt(now); - reqToken.expiration(now + sigLifetime); - reqToken.notBefore(now); + long now = Time.currentTime(); + reqToken.iat(now); + reqToken.exp(now + sigLifetime); + reqToken.nbf(now); String signedRequestToken = new JWSBuilder() .jsonContent(reqToken) diff --git a/server-spi/src/main/java/org/keycloak/models/SingleUseObjectKeyModel.java b/server-spi/src/main/java/org/keycloak/models/SingleUseObjectKeyModel.java index c297aa7183b2..1e7d3532b176 100644 --- a/server-spi/src/main/java/org/keycloak/models/SingleUseObjectKeyModel.java +++ b/server-spi/src/main/java/org/keycloak/models/SingleUseObjectKeyModel.java 
@@ -39,7 +39,15 @@ public interface SingleUseObjectKeyModel { /** * Returns absolute number of seconds since the epoch in UTC timezone when the token expires. */ - int getExpiration(); + Long getExp(); + + /** + * @deprecated int will overflow with values after 2038. Use {@link #getExp()} instead. + */ + @Deprecated + default int getExpiration() { + return getExp().intValue(); + } /** * @return Single-use random value used for verification whether the relevant action is allowed. @@ -49,6 +57,6 @@ public interface SingleUseObjectKeyModel { default String serializeKey() { String userId = getUserId(); String encodedUserId = userId == null ? "" : Base64.encodeBytes(userId.getBytes(StandardCharsets.UTF_8)); - return String.format("%s.%d.%s.%s", encodedUserId, getExpiration(), getActionVerificationNonce(), getActionId()); + return String.format("%s.%d.%s.%s", encodedUserId, getExp(), getActionVerificationNonce(), getActionId()); } } diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/DefaultActionToken.java b/services/src/main/java/org/keycloak/authentication/actiontoken/DefaultActionToken.java index 8726a427eb57..fd37b9bca4b3 100644 --- a/services/src/main/java/org/keycloak/authentication/actiontoken/DefaultActionToken.java +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/DefaultActionToken.java @@ -158,7 +158,7 @@ public String serialize(KeycloakSession session, RealmModel realm, UriInfo uri) String issuerUri = getIssuer(realm, uri); this - .issuedAt(Time.currentTime()) + .issuedNow() .id(getActionVerificationNonce().toString()) .issuer(issuerUri) .audience(issuerUri); diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientValidator.java b/services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientValidator.java index 8c4d5487f759..94542ee0ecce 100644 --- a/services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientValidator.java 
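Review bot: The default `getExpiration()` calls `getExp().intValue()`, which throws a NullPointerException if an implementation returns null from the new `Long getExp()`, and the Javadoc kept above `getExp()` does not say whether null is allowed. `serializeKey()` in the second hunk would format a null value as the text `null` inside the key rather than failing. Either state in the Javadoc that `getExp()` never returns null, or guard the default, for example `Long exp = getExp();` then `return exp != null ? exp.intValue() : 0;`. Since `getExp()` is a new abstract method on an SPI interface, existing implementations outside this repository will need to add it.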
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientValidator.java @@ -19,6 +19,8 @@ package org.keycloak.authentication.authenticators.client; +import java.util.Optional; + import jakarta.ws.rs.core.MediaType; import jakarta.ws.rs.core.MultivaluedMap; import jakarta.ws.rs.core.Response; @@ -166,7 +168,7 @@ public void validateToken() { } // KEYCLOAK-2986, token-timeout or token-expiration in keycloak.json might not be used - if (token.getExpiration() == 0 && token.getIssuedAt() + 10 < currentTime) { + if ((token.getExp() == null || token.getExp() <= 0) && token.getIat() + 10 < currentTime) { throw new RuntimeException("Token is not active"); } @@ -180,7 +182,7 @@ public void validateTokenReuse() { if (client == null) throw new IllegalStateException("Incorrect usage. Variable 'client' is null. Need to validate client first before validateToken reuse"); SingleUseObjectProvider singleUseCache = context.getSession().singleUseObjects(); - int lifespanInSecs = Math.max(token.getExpiration() - currentTime, 10); + long lifespanInSecs = Math.max(Optional.ofNullable(token.getExp()).orElse(0L) - currentTime, 10); if (singleUseCache.putIfAbsent(token.getId(), lifespanInSecs)) { logger.tracef("Added token '%s' to single-use cache. Lifespan: %d seconds, client: %s", token.getId(), lifespanInSecs, client.getClientId()); diff --git a/services/src/main/java/org/keycloak/authorization/protection/introspect/RPTIntrospectionProvider.java b/services/src/main/java/org/keycloak/authorization/protection/introspect/RPTIntrospectionProvider.java index 34fafc15b3ba..e0b1cae37122 100644 --- a/services/src/main/java/org/keycloak/authorization/protection/introspect/RPTIntrospectionProvider.java +++ b/services/src/main/java/org/keycloak/authorization/protection/introspect/RPTIntrospectionProvider.java 
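Review bot: In validateTokenReuse the lifetime of the single-use cache entry is taken from the assertion's own `exp` with only a lower bound of 10 seconds, so the party presenting the token decides how long the entry is retained. Whether validateToken limits how far in the future `exp` may lie is not visible in these hunks; if it does not, an upper bound here, or rejecting over-long assertions earlier, would keep cache retention under the server's control. Separately, `Optional.ofNullable(token.getExp()).orElse(0L)` adds an import for a plain null default; `long exp = token.getExp() != null ? token.getExp() : 0L;` followed by `Math.max(exp - currentTime, 10)` reads more directly. Both method bodies continue outside their hunks.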
@@ -64,10 +64,10 @@ public Response introspect(String token, EventBuilder eventBuilder) { metadata.id(accessToken.getId()); metadata.setAcr(accessToken.getAcr()); metadata.type(accessToken.getType()); - metadata.expiration(accessToken.getExpiration()); - metadata.issuedAt(accessToken.getIssuedAt()); + metadata.exp(accessToken.getExp()); + metadata.iat(accessToken.getIat()); metadata.audience(accessToken.getAudience()); - metadata.notBefore(accessToken.getNotBefore()); + metadata.nbf(accessToken.getNbf()); metadata.setRealmAccess(null); metadata.setResourceAccess(null); diff --git a/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java b/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java index 4efbcb4d257f..1ac07b445e88 100755 --- a/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java +++ b/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java @@ -458,8 +458,8 @@ protected JsonWebToken generateToken() { audience = getConfig().getTokenUrl(); } jwt.audience(audience); - int expirationDelay = session.getContext().getRealm().getAccessCodeLifespan(); - jwt.expiration(Time.currentTime() + expirationDelay); + long expirationDelay = session.getContext().getRealm().getAccessCodeLifespan(); + jwt.exp(Time.currentTime() + expirationDelay); jwt.issuedNow(); return jwt; } diff --git a/services/src/main/java/org/keycloak/protocol/docker/DockerAuthV2Protocol.java b/services/src/main/java/org/keycloak/protocol/docker/DockerAuthV2Protocol.java index 6b06e2c345ae..0ddcc5fa606f 100644 --- a/services/src/main/java/org/keycloak/protocol/docker/DockerAuthV2Protocol.java +++ b/services/src/main/java/org/keycloak/protocol/docker/DockerAuthV2Protocol.java 
@@ -105,8 +105,8 @@ public Response authenticated(final AuthenticationSessionModel authSession, fina // since realm access token is given in seconds final int accessTokenLifespan = realm.getAccessTokenLifespan(); - responseToken.notBefore(responseToken.getIssuedAt()) - .expiration(responseToken.getIssuedAt() + accessTokenLifespan); + responseToken.nbf(responseToken.getIat()) + .exp(responseToken.getIat() + accessTokenLifespan); // Next, allow mappers to decorate the token to add/remove scopes as appropriate @@ -126,7 +126,7 @@ public Response authenticated(final AuthenticationSessionModel authSession, fina .type("JWT") .jsonContent(responseToken) .rsa256(activeKey.getPrivateKey()); - final String expiresInIso8601String = new SimpleDateFormat(ISO_8601_DATE_FORMAT).format(new Date(responseToken.getIssuedAt() * 1000L)); + final String expiresInIso8601String = new SimpleDateFormat(ISO_8601_DATE_FORMAT).format(new Date(responseToken.getIat() * 1000L)); final DockerResponse responseEntity = new DockerResponse() .setToken(encodedToken) diff --git a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java index 10b3bb4ef217..a67ce2958587 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java @@ -126,7 +126,6 @@ */ public class TokenManager { private static final Logger logger = Logger.getLogger(TokenManager.class); - private static final String JWT = "JWT"; public static class TokenValidation { public final UserModel user; 
@@ -457,7 +456,7 @@ private void validateTokenReuse(KeycloakSession session, RealmModel realm, Acces if (clientSession.getCurrentRefreshToken() != null && !refreshToken.getId().equals(clientSession.getCurrentRefreshToken()) - && refreshToken.getIssuedAt() < clientSession.getTimestamp() + && refreshToken.getIat() < clientSession.getTimestamp() && startupTime <= clientSession.getTimestamp()) { throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Stale token"); } @@ -476,7 +475,6 @@ private void validateTokenReuse(KeycloakSession session, RealmModel realm, Acces throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Maximum allowed refresh token reuse exceeded", "Maximum allowed refresh token reuse exceeded"); } - return; } public RefreshToken verifyRefreshToken(KeycloakSession session, RealmModel realm, ClientModel client, HttpRequest request, String encodedRefreshToken, boolean checkExpiration) throws OAuthErrorException { 
@@ -973,13 +971,13 @@ protected AccessToken initToken(RealmModel realm, ClientModel client, UserModel token.setSessionId(session.getId()); ClientScopeModel offlineAccessScope = KeycloakModelUtils.getClientScopeByName(realm, OAuth2Constants.OFFLINE_ACCESS); boolean offlineTokenRequested = offlineAccessScope == null ? false - : clientSessionCtx.getClientScopeIds().contains(offlineAccessScope.getId()); - token.expiration(getTokenExpiration(realm, client, session, clientSession, offlineTokenRequested)); + : clientSessionCtx.getClientScopeIds().contains(offlineAccessScope.getId()); + token.exp(getTokenExpiration(realm, client, session, clientSession, offlineTokenRequested)); return token; } - private int getTokenExpiration(RealmModel realm, ClientModel client, UserSessionModel userSession, + private Long getTokenExpiration(RealmModel realm, ClientModel client, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession, boolean offlineTokenRequested) { boolean implicitFlow = false; String responseType = clientSession.getNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM); @@ -1016,7 +1014,7 @@ private int getTokenExpiration(RealmModel realm, ClientModel client, UserSession realm, client); expiration = sessionExpires > 0? Math.min(expiration, sessionExpires) : expiration; - return (int) TimeUnit.MILLISECONDS.toSeconds(expiration); + return TimeUnit.MILLISECONDS.toSeconds(expiration); } 
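Review bot: `getTokenExpiration` now declares a boxed `Long` return although `TimeUnit.MILLISECONDS.toSeconds(expiration)` always yields a primitive, so the signature suggests a null result that cannot occur. Declaring it `private long getTokenExpiration(...)` and letting `token.exp(...)` box at the call site states the contract more accurately; `getExpiration(boolean offline)` in the refresh-token builder further down has the same signature change. Dropping the `(int)` cast is the right fix for the truncation. The method body lies partly outside the two hunks shown here.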
@@ -1131,15 +1129,15 @@ private void generateRefreshToken(boolean offlineTokenRequested) { } refreshToken.type(TokenUtil.TOKEN_TYPE_OFFLINE); if (realm.isOfflineSessionMaxLifespanEnabled()) { - refreshToken.expiration(getExpiration(true)); + refreshToken.exp(getExpiration(true)); } sessionManager.createOrUpdateOfflineSession(clientSessionCtx.getClientSession(), userSession); } else { - refreshToken.expiration(getExpiration(false)); + refreshToken.exp(getExpiration(false)); } } - private int getExpiration(boolean offline) { + private Long getExpiration(boolean offline) { long expiration = SessionExpirationUtils.calculateClientSessionIdleTimestamp( offline, userSession.isRememberMe(), TimeUnit.SECONDS.toMillis(clientSessionCtx.getClientSession().getTimestamp()), @@ -1151,7 +1149,7 @@ private int getExpiration(boolean offline) { realm, client); expiration = lifespan > 0? Math.min(expiration, lifespan) : expiration; - return (int) TimeUnit.MILLISECONDS.toSeconds(expiration); + return TimeUnit.MILLISECONDS.toSeconds(expiration); } public AccessTokenResponseBuilder generateIDToken() { @@ -1172,7 +1170,7 @@ public AccessTokenResponseBuilder generateIDToken(boolean isIdTokenAsDetachedSig idToken.issuer(accessToken.getIssuer()); idToken.setNonce(clientSessionCtx.getAttribute(OIDCLoginProtocol.NONCE_PARAM, String.class)); idToken.setSessionId(accessToken.getSessionId()); - idToken.expiration(accessToken.getExpiration()); + idToken.exp(accessToken.getExp()); // Protocol mapper is supposed to set this in case "step_up_authentication" feature enabled if (!Profile.isFeatureEnabled(Profile.Feature.STEP_UP_AUTHENTICATION)) { 
@@ -1229,8 +1227,8 @@ public AccessTokenResponse build() { res.setToken(encodedToken); res.setTokenType(responseTokenType); res.setSessionState(accessToken.getSessionState()); - if (accessToken.getExpiration() != 0) { - res.setExpiresIn(accessToken.getExpiration() - Time.currentTime()); + if (accessToken.getExp() != 0) { + res.setExpiresIn(accessToken.getExp() - Time.currentTime()); } } @@ -1253,8 +1251,9 @@ public AccessTokenResponse build() { if (refreshToken != null) { String encodedToken = session.tokens().encode(refreshToken); res.setRefreshToken(encodedToken); - if (refreshToken.getExpiration() != 0) { - res.setRefreshExpiresIn(refreshToken.getExpiration() - Time.currentTime()); + Long exp = refreshToken.getExp(); + if (exp != null && exp > 0) { + res.setRefreshExpiresIn(exp - Time.currentTime()); } } @@ -1309,7 +1308,7 @@ public NotBeforeCheck(int notBefore) { @Override public boolean test(JsonWebToken t) throws VerificationException { - if (t.getIssuedAt() < notBefore) { + if (t.getIat() < notBefore) { throw new VerificationException("Stale token"); } @@ -1367,7 +1366,7 @@ public LogoutTokenValidationCode verifyLogoutToken(KeycloakSession session, Real } LogoutToken logoutToken = logoutTokenOptional.get(); - List identityProviders = getOIDCIdentityProviders(realm, session).collect(Collectors.toList()); + List identityProviders = getOIDCIdentityProviders(realm, session).toList(); if (identityProviders.isEmpty()) { return LogoutTokenValidationCode.COULD_NOT_FIND_IDP; } diff --git a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java index 44fd9defc5f0..88b5d06dde72 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java 
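Review bot: In build(), the access-token branch still reads `if (accessToken.getExp() != 0)`, which unboxes the `Long` and would throw on a null `exp`, while the refresh-token branch in the following hunk was rewritten to `Long exp = refreshToken.getExp(); if (exp != null && exp > 0)`. Using the same form for the access token keeps the two branches consistent and reads the claim once: `Long accessExp = accessToken.getExp();` then `if (accessExp != null && accessExp > 0) { res.setExpiresIn(accessExp - Time.currentTime()); }`. The refresh branch also changes the condition from `!= 0` to `> 0`; if that is deliberate, a one-line comment saying so would help. build() begins and ends outside these hunks.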
@@ -524,7 +524,7 @@ private Response logoutToken() { } if (userSessionModel != null) { - checkTokenIssuedAt(token.getIssuedAt(), userSessionModel); + checkTokenIssuedAt(token.getIat(), userSessionModel); logout(userSessionModel, offline); } } catch (OAuthErrorException e) { @@ -727,7 +727,7 @@ private void checkSsl() { } } - private void checkTokenIssuedAt(int idTokenIssuedAt, UserSessionModel userSession) throws OAuthErrorException { + private void checkTokenIssuedAt(long idTokenIssuedAt, UserSessionModel userSession) throws OAuthErrorException { if (idTokenIssuedAt + 1 < userSession.getStarted()) { throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Toked issued before the user session started"); } diff --git a/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationTokenUtils.java b/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationTokenUtils.java index c10df835bf69..78e93d3d0bdf 100755 --- a/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationTokenUtils.java +++ b/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationTokenUtils.java @@ -56,8 +56,7 @@ public static String updateTokenSignature(KeycloakSession session, ClientRegistr regToken.type(auth.getJwt().getType()); regToken.id(auth.getJwt().getId()); - regToken.issuedAt(Time.currentTime()); - regToken.expiration(0); + regToken.issuedNow(); regToken.issuer(auth.getJwt().getIssuer()); regToken.audience(auth.getJwt().getIssuer()); 
@@ -117,13 +116,13 @@ public static TokenVerification verifyToken(KeycloakSession session, RealmModel return TokenVerification.success(kid, jwt); } - private static String setupToken(JsonWebToken jwt, KeycloakSession session, RealmModel realm, String id, String type, int expiration) { + private static String setupToken(JsonWebToken jwt, KeycloakSession session, RealmModel realm, String id, String type, long expiration) { String issuer = getIssuer(session, realm); jwt.type(type); jwt.id(id); - jwt.issuedAt(Time.currentTime()); - jwt.expiration(expiration); + jwt.issuedNow(); + jwt.exp(expiration); jwt.issuer(issuer); jwt.audience(issuer); diff --git a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java index 3bae5fd521a8..ee555c59882e 100755 --- a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java +++ b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java @@ -759,9 +759,9 @@ public static IdentityCookieToken createIdentityToken(KeycloakSession keycloakSe } if (session != null && session.isRememberMe() && realm.getSsoSessionMaxLifespanRememberMe() > 0) { - token.expiration(Time.currentTime() + realm.getSsoSessionMaxLifespanRememberMe()); + token.exp((long) Time.currentTime() + realm.getSsoSessionMaxLifespanRememberMe()); } else if (realm.getSsoSessionMaxLifespan() > 0) { - token.expiration(Time.currentTime() + realm.getSsoSessionMaxLifespan()); + token.exp((long) Time.currentTime() + realm.getSsoSessionMaxLifespan()); } String stateChecker = (String) keycloakSession.getAttribute("state_checker"); 
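Review bot: setupToken takes a primitive `long expiration` and passes it straight to `jwt.exp(expiration)`, so it always writes a concrete `exp`, including 0. Elsewhere in this commit "no expiry" is a null `exp`: `regToken.expiration(0)` was dropped in updateTokenSignature, and the offline-token tests now use `assertNull(offlineToken.getExp())`. Callers are not visible here, but if any passes 0 to mean non-expiring, the token would carry `exp` = 0 and depend on every consumer special-casing zero. Consider `jwt.exp(expiration > 0 ? Long.valueOf(expiration) : null);`, or document on the parameter that 0 means non-expiring. setupToken continues past the end of this hunk.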
@@ -999,7 +999,7 @@ public static Response finishedRequiredActions(KeycloakSession session, Authenti SingleUseObjectKeyModel actionTokenKey = DefaultActionTokenKey.from(actionTokenKeyToInvalidate); if (actionTokenKey != null) { SingleUseObjectProvider singleUseObjectProvider = session.singleUseObjects(); - singleUseObjectProvider.put(actionTokenKeyToInvalidate, actionTokenKey.getExpiration() - Time.currentTime(), null); // Token is invalidated + singleUseObjectProvider.put(actionTokenKeyToInvalidate, actionTokenKey.getExp() - Time.currentTime(), null); // Token is invalidated } } @@ -1400,8 +1400,8 @@ public static AuthResult verifyIdentityToken(KeycloakSession session, RealmModel AccessToken token = verifier.verify().getToken(); if (checkActive) { - if (!token.isActive() || token.getIssuedAt() < realm.getNotBefore()) { - logger.debugf("Identity cookie expired. Token expiration: %d, Current Time: %d. token issued at: %d, realm not before: %d", token.getExp(), Time.currentTime(), token.getIssuedAt(), realm.getNotBefore()); + if (!token.isActive() || token.getIat() < realm.getNotBefore()) { + logger.debugf("Identity cookie expired. Token expiration: %d, Current Time: %d. token issued at: %d, realm not before: %d", token.getExp(), Time.currentTime(), token.getIat(), realm.getNotBefore()); return null; } } @@ -1467,7 +1467,7 @@ private static boolean isClientValid(UserSessionModel userSession, ClientModel c return false; } - if (token.getIssuedAt() < client.getNotBefore()) { + if (token.getIat() < client.getNotBefore()) { logger.debug("Client notBefore newer than token"); return false; } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/DemoServletsAdapterTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/DemoServletsAdapterTest.java index 806fe687eef6..01d2742f2e97 100644 
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/DemoServletsAdapterTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/DemoServletsAdapterTest.java @@ -755,13 +755,13 @@ public void testTokenMinTTL() { // Get time of token AccessToken token = tokenMinTTLPage.getAccessToken(); - int tokenIssued1 = token.getIssuedAt(); + long tokenIssued1 = token.getIat(); // Sets 5 minutes offset and assert access token will be still the same setAdapterAndServerTimeOffset(300, tokenMinTTLPage.toString()); tokenMinTTLPage.navigateTo(); token = tokenMinTTLPage.getAccessToken(); - int tokenIssued2 = token.getIssuedAt(); + long tokenIssued2 = token.getIat(); Assert.assertEquals(tokenIssued1, tokenIssued2); assertFalse(token.isExpired()); @@ -769,7 +769,7 @@ public void testTokenMinTTL() { setAdapterAndServerTimeOffset(540, tokenMinTTLPage.toString()); tokenMinTTLPage.navigateTo(); token = tokenMinTTLPage.getAccessToken(); - int tokenIssued3 = token.getIssuedAt(); + long tokenIssued3 = token.getIat(); Assert.assertTrue(tokenIssued3 > tokenIssued1); // Revert times @@ -853,8 +853,8 @@ public void testOIDCParamsForwarding() { testRealmLoginPage.form().setPassword("password"); testRealmLoginPage.form().login(); AccessToken token = tokenMinTTLPage.getAccessToken(); - int authTime = token.getAuthTime(); - assertThat(authTime, is(greaterThanOrEqualTo(currentTime + 10))); + long authTime = token.getAuth_time(); + assertThat(authTime, is(greaterThanOrEqualTo(currentTime + 10L))); } finally { setAdapterAndServerTimeOffset(0, securePortal.toString()); } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java index 0f1d33fd1099..9070c62ae169 100755 
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java @@ -2381,7 +2381,7 @@ public void sendResetPasswordEmailWithRedirectAndCustomLifespan() throws IOExcep try { final AccessToken accessToken = TokenVerifier.create(token, AccessToken.class).getToken(); - assertEquals(lifespan, accessToken.getExpiration() - accessToken.getIssuedAt()); + assertEquals(lifespan, accessToken.getExp() - accessToken.getIat()); } catch (VerificationException e) { throw new IOException(e); } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerTransientSessionsTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerTransientSessionsTest.java index bf18c73ac326..2159ba2157dc 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerTransientSessionsTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerTransientSessionsTest.java @@ -87,6 +87,7 @@ import static org.hamcrest.Matchers.notNullValue; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNull; import static org.junit.Assert.assertTrue; import static org.keycloak.testsuite.broker.BrokerTestConstants.REALM_CONS_NAME; import static org.keycloak.testsuite.broker.BrokerTestConstants.REALM_PROV_NAME; @@ -614,7 +615,7 @@ public void offlineTokenBrowserFlow() throws Exception { .assertEvent(); assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType()); - assertEquals(0, offlineToken.getExpiration()); + assertNull(offlineToken.getExp()); assertTrue(tokenResponse.getScope().contains(OAuth2Constants.OFFLINE_ACCESS)); 
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCPairwiseClientRegistrationTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCPairwiseClientRegistrationTest.java index f12ca3813f73..59fd747fd017 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCPairwiseClientRegistrationTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCPairwiseClientRegistrationTest.java @@ -397,11 +397,11 @@ public void refreshPairwiseToken() throws Exception { Assert.assertEquals(idToken.getSubject(), refreshedRefreshToken.getSubject()); // its iat Claim MUST represent the time that the new ID Token is issued - Assert.assertEquals(refreshedIdToken.getIssuedAt(), refreshedRefreshToken.getIssuedAt()); + Assert.assertEquals(refreshedIdToken.getIat(), refreshedRefreshToken.getIat()); // if the ID Token contains an auth_time Claim, its value MUST represent the time of the original authentication // - not the time that the new ID token is issued - Assert.assertEquals(idToken.getAuthTime(), refreshedIdToken.getAuthTime()); + Assert.assertEquals(idToken.getAuth_time(), refreshedIdToken.getAuth_time()); // its azp Claim Value MUST be the same as in the ID Token issued when the original authentication occurred; if // no azp Claim was present in the original ID Token, one MUST NOT be present in the new ID Token diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/storage/ClientStorageTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/storage/ClientStorageTest.java index 775342caf9f5..82bdc51f53f3 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/storage/ClientStorageTest.java 
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/storage/ClientStorageTest.java @@ -478,7 +478,7 @@ public void offlineTokenDirectGrantFlow() throws Exception { .assertEvent(); Assert.assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType()); - Assert.assertEquals(0, offlineToken.getExpiration()); + Assert.assertNull(offlineToken.getExp()); testRefreshWithOfflineToken(token, offlineToken, offlineTokenString, token.getSessionState(), userId); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/migration/AbstractMigrationTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/migration/AbstractMigrationTest.java index 2c6376ba4435..b5eda3ec1405 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/migration/AbstractMigrationTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/migration/AbstractMigrationTest.java @@ -856,7 +856,7 @@ protected void testOfflineTokenLogin() throws Exception { private void assertOfflineToken(String offlineToken) { RefreshToken offlineTokenParsed = oauth.parseRefreshToken(offlineToken); assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineTokenParsed.getType()); - assertEquals(0, offlineTokenParsed.getExpiration()); + assertNull(offlineTokenParsed.getExp()); assertTrue(TokenUtil.hasScope(offlineTokenParsed.getScope(), OAuth2Constants.OFFLINE_ACCESS)); } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AbstractClientAuthSignedJWTTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AbstractClientAuthSignedJWTTest.java index 00fbeb7a0208..8d21eaa075f2 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AbstractClientAuthSignedJWTTest.java 
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AbstractClientAuthSignedJWTTest.java @@ -86,7 +86,6 @@ import org.keycloak.constants.ServiceUrlConstants; import org.keycloak.crypto.Algorithm; import org.keycloak.crypto.ECDSAAlgorithm; -import org.keycloak.crypto.ECDSASignatureProvider; import org.keycloak.crypto.KeyType; import org.keycloak.crypto.SignatureSignerContext; import org.keycloak.events.Details; @@ -806,10 +805,10 @@ protected JsonWebToken createRequestToken(String clientId, String realmInfoUrl) if (isClaimEnabled("subject")) reqToken.subject(clientId); if (isClaimEnabled("audience")) reqToken.audience(realmInfoUrl); - int now = Time.currentTime(); - if (isClaimEnabled("issuedAt")) reqToken.issuedAt(now); - if (isClaimEnabled("expiration")) reqToken.expiration(now + getTokenTimeout()); - if (isClaimEnabled("notBefore")) reqToken.notBefore(now); + long now = Time.currentTime(); + if (isClaimEnabled("issuedAt")) reqToken.iat(now); + if (isClaimEnabled("expiration")) reqToken.exp(now + getTokenTimeout()); + if (isClaimEnabled("notBefore")) reqToken.nbf(now); return reqToken; } @@ -934,10 +933,10 @@ protected JsonWebToken createRequestToken(String clientId, String realmInfoUrl) reqToken.subject(clientId); reqToken.audience(realmInfoUrl); - int now = Time.currentTime(); - reqToken.issuedAt(now); - reqToken.expiration(now + 10); - reqToken.notBefore(now); + long now = Time.currentTime(); + reqToken.iat(now); + reqToken.exp(now + 10); + reqToken.nbf(now); return reqToken; } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java index 3e30a3aa2a06..d163bf9517c3 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java 
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java @@ -235,13 +235,10 @@ public void accessTokenRequest() throws Exception { assertEquals(sessionId, sid); assertNull(token.getNbf()); - assertEquals(0, token.getNotBefore()); assertNotNull(token.getIat()); - assertEquals(token.getIat().intValue(), token.getIssuedAt()); assertNotNull(token.getExp()); - assertEquals(token.getExp().intValue(), token.getExpiration()); assertEquals(1, token.getRealmAccess().getRoles().size()); assertTrue(token.getRealmAccess().isUserInRole("user")); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OAuthProofKeyForCodeExchangeTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OAuthProofKeyForCodeExchangeTest.java index 5a94dcddd21c..5ca3e2a6017f 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OAuthProofKeyForCodeExchangeTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OAuthProofKeyForCodeExchangeTest.java 
@@ -493,9 +493,9 @@ private void expectSuccessfulResponseFromTokenEndpoint(String codeId, String ses RefreshToken refreshToken = oauth.parseRefreshToken(refreshTokenString); Assert.assertNotNull(refreshTokenString); - assertThat(token.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(200), lessThanOrEqualTo(350))); - int actual = refreshToken.getExpiration() - getCurrentTime(); - assertThat(actual, allOf(greaterThanOrEqualTo(1799 - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800 + RefreshTokenTest.ALLOWED_CLOCK_SKEW))); + assertThat(token.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(200L), lessThanOrEqualTo(350L))); + long actual = refreshToken.getExp() - getCurrentTime(); + assertThat(actual, allOf(greaterThanOrEqualTo(1799L - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800L + RefreshTokenTest.ALLOWED_CLOCK_SKEW))); assertEquals(sessionId, refreshToken.getSessionState()); setTimeOffset(2); 
@@ -510,10 +510,10 @@ private void expectSuccessfulResponseFromTokenEndpoint(String codeId, String ses assertEquals(sessionId, refreshedRefreshToken.getSessionState()); assertThat(refreshResponse.getExpiresIn(), allOf(greaterThanOrEqualTo(250), lessThanOrEqualTo(300))); - assertThat(refreshedToken.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(250 - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(300 + RefreshTokenTest.ALLOWED_CLOCK_SKEW))); + assertThat(refreshedToken.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(250L - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(300L + RefreshTokenTest.ALLOWED_CLOCK_SKEW))); - assertThat(refreshedToken.getExpiration() - token.getExpiration(), allOf(greaterThanOrEqualTo(1), lessThanOrEqualTo(10))); - assertThat(refreshedRefreshToken.getExpiration() - refreshToken.getExpiration(), allOf(greaterThanOrEqualTo(1), lessThanOrEqualTo(10))); + assertThat(refreshedToken.getExp() - token.getExp(), allOf(greaterThanOrEqualTo(1L), lessThanOrEqualTo(10L))); + assertThat(refreshedRefreshToken.getExp() - refreshToken.getExp(), allOf(greaterThanOrEqualTo(1L), lessThanOrEqualTo(10L))); Assert.assertNotEquals(token.getId(), refreshedToken.getId()); Assert.assertNotEquals(refreshToken.getId(), refreshedRefreshToken.getId()); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OfflineTokenTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OfflineTokenTest.java index a58af41d0fcd..42ace9c1c51e 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OfflineTokenTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OfflineTokenTest.java 
@@ -256,7 +256,7 @@ public void offlineTokenBrowserFlow() throws Exception { .assertEvent(); assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType()); - assertEquals(0, offlineToken.getExpiration()); + Assert.assertNull(offlineToken.getExp()); assertTrue(tokenResponse.getScope().contains(OAuth2Constants.OFFLINE_ACCESS)); @@ -356,7 +356,7 @@ public void offlineTokenDirectGrantFlow() throws Exception { .assertEvent(); Assert.assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType()); - Assert.assertEquals(0, offlineToken.getExpiration()); + Assert.assertNull(offlineToken.getExp()); testRefreshWithOfflineToken(token, offlineToken, offlineTokenString, token.getSessionState(), userId); @@ -391,7 +391,7 @@ public void offlineTokenDirectGrantFlowWithRefreshTokensRevoked() throws Excepti .assertEvent(); Assert.assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType()); - Assert.assertEquals(0, offlineToken.getExpiration()); + Assert.assertNull(offlineToken.getExp()); String offlineTokenString2 = testRefreshWithOfflineToken(token, offlineToken, offlineTokenString, token.getSessionState(), userId); RefreshToken offlineToken2 = oauth.parseRefreshToken(offlineTokenString2); @@ -440,7 +440,7 @@ public void offlineTokenServiceAccountFlow() throws Exception { .assertEvent(); Assert.assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType()); - Assert.assertEquals(0, offlineToken.getExpiration()); + Assert.assertNull(offlineToken.getExp()); testRefreshWithOfflineToken(token, offlineToken, offlineTokenString, token.getSessionState(), serviceAccountUserId); 
@@ -677,7 +677,7 @@ public void browserOfflineTokenLogoutFollowedByLoginSameSession() throws Excepti .assertEvent(); assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType()); - assertEquals(0, offlineToken.getExpiration()); + assertNull(offlineToken.getExp()); String offlineUserSessionId = testingClient.server().fetch((KeycloakSession session) -> session.sessions().getOfflineUserSession(session.realms().getRealmByName("test"), offlineToken.getSessionState()).getId(), String.class); @@ -714,7 +714,7 @@ public void browserOfflineTokenLogoutFollowedByLoginSameSession() throws Excepti .assertEvent(); assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken2.getType()); - assertEquals(0, offlineToken2.getExpiration()); + Assert.assertNull(offlineToken.getExp()); // Assert session changed assertNotEquals(offlineToken.getSessionState(), offlineToken2.getSessionState()); @@ -977,7 +977,7 @@ private void offlineTokenRequest(String expectedRefreshAlg, String expectedAcces .assertEvent(); Assert.assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType()); - Assert.assertEquals(0, offlineToken.getExpiration()); + Assert.assertNull(offlineToken.getExp()); testRefreshWithOfflineToken(token, offlineToken, offlineTokenString, token.getSessionState(), serviceAccountUserId); @@ -1049,7 +1049,7 @@ private void offlineTokenRequestWithScopeParameter(String expectedRefreshAlg, St .assertEvent(); Assert.assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType()); - Assert.assertEquals(0, offlineToken.getExpiration()); + Assert.assertNull(offlineToken.getExp()); } @Test diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RefreshTokenTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RefreshTokenTest.java index d9c2f3895362..10b1863c22de 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RefreshTokenTest.java 
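Review bot: In browserOfflineTokenLogoutFollowedByLoginSameSession, the second hunk (-714) replaces `assertEquals(0, offlineToken2.getExpiration());` with `Assert.assertNull(offlineToken.getExp());`, which checks `offlineToken` instead of `offlineToken2`. The line above it asserts on `offlineToken2.getType()`, so the second offline token's expiry is no longer verified and the first token is checked twice. It should read `assertNull(offlineToken2.getExp());`, which also matches the unqualified `assertNull` used in the earlier hunk of the same method.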
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RefreshTokenTest.java @@ -247,9 +247,9 @@ public void refreshTokenRequest() throws Exception { assertEquals("Bearer", tokenResponse.getTokenType()); - assertThat(token.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(200), lessThanOrEqualTo(350))); - int actual = refreshToken.getExpiration() - getCurrentTime(); - assertThat(actual, allOf(greaterThanOrEqualTo(1799 - ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800 + ALLOWED_CLOCK_SKEW))); + assertThat(token.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(200L), lessThanOrEqualTo(350L))); + long actual = refreshToken.getExp() - getCurrentTime(); + assertThat(actual, allOf(greaterThanOrEqualTo(1799L - ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800L + ALLOWED_CLOCK_SKEW))); assertEquals(sessionId, refreshToken.getSessionState()); assertNull(refreshToken.getNonce()); 
@@ -264,10 +264,10 @@ public void refreshTokenRequest() throws Exception { assertEquals(sessionId, refreshedRefreshToken.getSessionState()); assertThat(response.getExpiresIn(), allOf(greaterThanOrEqualTo(250), lessThanOrEqualTo(300))); - assertThat(refreshedToken.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(250 - ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(300 + ALLOWED_CLOCK_SKEW))); + assertThat(refreshedToken.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(250L - ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(300L + ALLOWED_CLOCK_SKEW))); - assertThat(refreshedToken.getExpiration() - token.getExpiration(), allOf(greaterThanOrEqualTo(0), lessThanOrEqualTo(10))); - assertThat(refreshedRefreshToken.getExpiration() - refreshToken.getExpiration(), allOf(greaterThanOrEqualTo(0), lessThanOrEqualTo(10))); + assertThat(refreshedToken.getExp() - token.getExp(), allOf(greaterThanOrEqualTo(0L), lessThanOrEqualTo(10L))); + assertThat(refreshedRefreshToken.getExp() - refreshToken.getExp(), allOf(greaterThanOrEqualTo(0L), lessThanOrEqualTo(10L))); // "test-app" should not be an audience in the refresh token assertEquals("test-app", refreshedRefreshToken.getIssuedFor()); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java index 45c6117aa9ba..060371f93ba3 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java @@ -69,6 +69,7 @@ import java.util.LinkedList; import java.util.List; import java.util.Map; +import java.util.Optional; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; 
@@ -170,9 +171,9 @@ public void testConfidentialClientCredentialsBasicAuthentication() throws Except assertTrue(rep.isActive()); assertEquals("test-user@localhost", rep.getUserName()); assertEquals("test-app", rep.getClientId()); - assertEquals(jsonNode.get("exp").asInt(), rep.getExpiration()); - assertEquals(jsonNode.get("iat").asInt(), rep.getIssuedAt()); - assertEquals(jsonNode.get("nbf"), rep.getNbf()); + assertEquals(Long.valueOf(jsonNode.get("exp").asLong()), rep.getExp()); + assertEquals(Long.valueOf(jsonNode.get("iat").asLong()), rep.getIat()); + assertEquals(Optional.ofNullable(jsonNode.get("nbf")).map(JsonNode::asLong).orElse(null), rep.getNbf()); assertEquals(jsonNode.get("sub").asText(), rep.getSubject()); List audiences = new ArrayList<>(); @@ -226,9 +227,9 @@ public void testIntrospectRefreshToken() throws Exception { assertTrue(rep.isActive()); assertEquals("test-app", rep.getClientId()); assertEquals(jsonNode.get("sid").asText(), rep.getSessionState()); - assertEquals(jsonNode.get("exp").asInt(), rep.getExpiration()); - assertEquals(jsonNode.get("iat").asInt(), rep.getIssuedAt()); - assertEquals(jsonNode.get("nbf"), rep.getNbf()); + assertEquals(Long.valueOf(jsonNode.get("exp").asLong()), rep.getExp()); + assertEquals(Long.valueOf(jsonNode.get("iat").asLong()), rep.getIat()); + assertEquals(Optional.ofNullable(jsonNode.get("nbf")).map(JsonNode::asLong).orElse(null), rep.getNbf()); assertEquals(jsonNode.get("iss").asText(), rep.getIssuer()); assertEquals(jsonNode.get("jti").asText(), rep.getId()); assertEquals(jsonNode.get("typ").asText(), "Refresh"); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/hok/HoKTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/hok/HoKTest.java index 6b3e85725aaf..eaad49ec710e 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/hok/HoKTest.java 
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/hok/HoKTest.java @@ -335,9 +335,9 @@ public void refreshTokenRequestByHoKRefreshTokenWithClientCertificate() throws E Assert.assertNotNull(refreshTokenString); assertEquals("Bearer", tokenResponse.getTokenType()); - assertThat(token.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(200), lessThanOrEqualTo(350))); - int actual = refreshToken.getExpiration() - getCurrentTime(); - assertThat(actual, allOf(greaterThanOrEqualTo(1799 - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800 + RefreshTokenTest.ALLOWED_CLOCK_SKEW))); + assertThat(token.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(200L), lessThanOrEqualTo(350L))); + long actual = refreshToken.getExp() - getCurrentTime(); + assertThat(actual, allOf(greaterThanOrEqualTo(1799L - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800L + RefreshTokenTest.ALLOWED_CLOCK_SKEW))); assertEquals(sessionId, refreshToken.getSessionState()); setTimeOffset(2); @@ -372,9 +372,9 @@ public void refreshTokenRequestByRefreshTokenWithoutClientCertificate() throws E Assert.assertNotNull(refreshTokenString); assertEquals("Bearer", tokenResponse.getTokenType()); - assertThat(token.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(200), lessThanOrEqualTo(350))); - int actual = refreshToken.getExpiration() - getCurrentTime(); - assertThat(actual, allOf(greaterThanOrEqualTo(1799 - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800 + RefreshTokenTest.ALLOWED_CLOCK_SKEW))); + assertThat(token.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(200L), lessThanOrEqualTo(350L))); + long actual = refreshToken.getExp() - getCurrentTime(); + assertThat(actual, allOf(greaterThanOrEqualTo(1799L - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800L + RefreshTokenTest.ALLOWED_CLOCK_SKEW))); assertEquals(sessionId, refreshToken.getSessionState()); setTimeOffset(2); 
@@ -410,10 +410,10 @@ private void expectSuccessfulResponseFromTokenEndpoint(OAuthClient oauth, String
 assertEquals(sessionId, refreshedRefreshToken.getSessionState());
 assertThat(response.getExpiresIn(), allOf(greaterThanOrEqualTo(250), lessThanOrEqualTo(300)));
- assertThat(refreshedToken.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(250 - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(300 + RefreshTokenTest.ALLOWED_CLOCK_SKEW)));
+ assertThat(refreshedToken.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(250L - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(300L + RefreshTokenTest.ALLOWED_CLOCK_SKEW)));
- assertThat(refreshedToken.getExpiration() - token.getExpiration(), allOf(greaterThanOrEqualTo(1), lessThanOrEqualTo(10)));
- assertThat(refreshedRefreshToken.getExpiration() - refreshToken.getExpiration(), allOf(greaterThanOrEqualTo(1), lessThanOrEqualTo(10)));
+ assertThat(refreshedToken.getExp() - token.getExp(), allOf(greaterThanOrEqualTo(1L), lessThanOrEqualTo(10L)));
+ assertThat(refreshedRefreshToken.getExp() - refreshToken.getExp(), allOf(greaterThanOrEqualTo(1L), lessThanOrEqualTo(10L)));
 Assert.assertNotEquals(token.getId(), refreshedToken.getId());
 Assert.assertNotEquals(refreshToken.getId(), refreshedRefreshToken.getId());
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java
index 2371d8c2901e..91d424dfb1ff 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java
@@ -205,8 +205,8 @@ public void testMaxAge1() {
 IDToken idToken = sendTokenRequestAndGetIDToken(loginEvent);
 // Check that authTime is available and set to current time
- int authTime = idToken.getAuthTime();
- int currentTime = Time.currentTime();
+ long authTime = idToken.getAuth_time();
+ long currentTime = Time.currentTime();
 Assert.assertTrue(authTime <= currentTime && authTime + 3 >= currentTime);
 // Set time offset
@@ -225,7 +225,7 @@ public void testMaxAge1() {
 idToken = sendTokenRequestAndGetIDToken(loginEvent);
 // Assert that authTime was updated
- int authTimeUpdated = idToken.getAuthTime();
+ long authTimeUpdated = idToken.getAuth_time();
 Assert.assertTrue(authTime + 10 <= authTimeUpdated);
 }
@@ -238,8 +238,8 @@ public void testMaxAge10000() {
 IDToken idToken = sendTokenRequestAndGetIDToken(loginEvent);
 // Check that authTime is available and set to current time
- int authTime = idToken.getAuthTime();
- int currentTime = Time.currentTime();
+ long authTime = idToken.getAuth_time();
+ long currentTime = Time.currentTime();
 Assert.assertTrue(authTime <= currentTime && authTime + 3 >= currentTime);
 // Set time offset
@@ -255,7 +255,7 @@ public void testMaxAge10000() {
 idToken = sendTokenRequestAndGetIDToken(loginEvent);
 // Assert that authTime is still the same
- int authTimeUpdated = idToken.getAuthTime();
+ long authTimeUpdated = idToken.getAuth_time();
 Assert.assertEquals(authTime, authTimeUpdated);
 }
@@ -293,7 +293,7 @@ public void promptNoneSuccess() {
 EventRepresentation loginEvent = events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent();
 IDToken idToken = sendTokenRequestAndGetIDToken(loginEvent);
- int authTime = idToken.getAuthTime();
+ long authTime = idToken.getAuth_time();
 // Set time offset
 setTimeOffset(10);
@@ -304,7 +304,7 @@ public void promptNoneSuccess() {
 loginEvent = events.expectLogin().removeDetail(Details.USERNAME).assertEvent();
 idToken = sendTokenRequestAndGetIDToken(loginEvent);
- int authTime2 = idToken.getAuthTime();
+ long authTime2 = idToken.getAuth_time();
 Assert.assertEquals(authTime, authTime2);
 }
@@ -383,7 +383,7 @@ public void promptLogin() {
 IDToken newIdToken = sendTokenRequestAndGetIDToken(loginEvent);
 // Assert that authTime wasn't updated
- Assert.assertEquals(oldIdToken.getAuthTime(), newIdToken.getAuthTime());
+ Assert.assertEquals(oldIdToken.getAuth_time(), newIdToken.getAuth_time());
 // Set time offset
 setTimeOffset(20);
@@ -399,8 +399,8 @@ public void promptLogin() {
 newIdToken = sendTokenRequestAndGetIDToken(loginEvent);
 // Assert that authTime was updated
- Assert.assertTrue("Expected auth time to change. old auth time: " + oldIdToken.getAuthTime() + " , new auth time: " + newIdToken.getAuthTime(),
- oldIdToken.getAuthTime() + 20 <= newIdToken.getAuthTime());
+ Assert.assertTrue("Expected auth time to change. old auth time: " + oldIdToken.getAuth_time() + " , new auth time: " + newIdToken.getAuth_time(),
+ oldIdToken.getAuth_time() + 20 <= newIdToken.getAuth_time());
 // Assert userSession didn't change
 Assert.assertEquals(oldIdToken.getSessionState(), newIdToken.getSessionState());
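Review bot: In the promptLogin hunk at -383, `Assert.assertEquals(oldIdToken.getAuth_time(), newIdToken.getAuth_time())` also passes when both ID tokens lack the auth_time claim, assuming `getAuth_time()` returns a boxed `Long` (its declaration is not visible here). The check that re-authentication left auth_time untouched would then hold vacuously. Add `Assert.assertNotNull(oldIdToken.getAuth_time());` before it so that an absent claim fails the test. In the hunk at -399 the same missing claim would surface as a NullPointerException from unboxing rather than as the assertion message. promptLogin's body continues outside both hunks.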