keycloak · mposolda · Apr 23, 2024 · Mar 8, 2024 · Apr 22, 2024 · Apr 22, 2024
@@ -110,7 +110,7 @@ protected AuthOutcome authenticateToken(HttpFacade exchange, String tokenString)
             challenge = challengeResponse(exchange, OIDCAuthenticationError.Reason.INVALID_TOKEN, "invalid_token", e.getMessage());
             return AuthOutcome.FAILED;
         }
-        if (token.getIssuedAt() < deployment.getNotBefore()) {
+        if (token.getIat() < deployment.getNotBefore()) {
             log.debug("Stale token");
             challenge = challengeResponse(exchange,  OIDCAuthenticationError.Reason.STALE_TOKEN, "invalid_token", "Stale token");
             return AuthOutcome.FAILED;

@@ -369,7 +369,7 @@ protected AuthChallenge resolveCode(String code) {
         if (tokenResponse.getNotBeforePolicy() > deployment.getNotBefore()) {
             deployment.updateNotBefore(tokenResponse.getNotBeforePolicy());
         }
-        if (token.getIssuedAt() < deployment.getNotBefore()) {
+        if (token.getIat() < deployment.getNotBefore()) {
             log.error("Stale token");
             return challenge(403, OIDCAuthenticationError.Reason.STALE_TOKEN, null);
         }

@@ -88,11 +88,11 @@ public void logout(KeycloakDeployment deployment) {
     }
 
     public boolean isActive() {
-        return token != null && this.token.isActive() && deployment!=null && this.token.getIssuedAt() >= deployment.getNotBefore();
+        return token != null && this.token.isActive() && deployment!=null && this.token.getIat() >= deployment.getNotBefore();
     }
 
     public boolean isTokenTimeToLiveSufficient(AccessToken token) {
-        return token != null && (token.getExpiration() - this.deployment.getTokenMinimumTimeToLive()) > Time.currentTime();
+        return token != null && (token.getExp() - this.deployment.getTokenMinimumTimeToLive()) > Time.currentTime();
     }
 
     public KeycloakDeployment getDeployment() {

@@ -43,13 +43,13 @@ public void sameIssuedAtAsNotBeforeIsActiveKEYCLOAK10013() {
 
 		TokenMetadataRepresentation token = new TokenMetadataRepresentation();
 		token.setActive(true);
-		token.issuedAt(4999);
+		token.iat(4999L);
 
 		RefreshableKeycloakSecurityContext sut = new RefreshableKeycloakSecurityContext(keycloakDeployment,null,null,token,null, null, null);
 
 		assertFalse(sut.isActive());
 
-		token.issuedAt(5000);
+		token.iat(5000L);
 		assertTrue(sut.isActive());
 	}
 

@@ -18,12 +18,10 @@
 package org.keycloak.adapters.installed;
 
 import java.awt.Desktop;
-import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.io.PrintStream;
-import java.io.PrintWriter;
 import java.io.Reader;
 import java.net.InetSocketAddress;
 import java.net.URI;
@@ -37,16 +35,9 @@
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.ForkJoinPool;
 import java.util.concurrent.TimeUnit;
-import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
-import javax.ws.rs.client.Entity;
-import javax.ws.rs.core.Form;
-import javax.ws.rs.core.HttpHeaders;
-import javax.ws.rs.core.Response;
-
 import org.jboss.resteasy.client.jaxrs.ResteasyClient;
-import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
 import org.keycloak.OAuth2Constants;
 import org.keycloak.OAuthErrorException;
 import org.keycloak.adapters.KeycloakDeployment;
@@ -314,7 +305,7 @@ public String getTokenString() {
     }
 
     public String getTokenString(long minValidity, TimeUnit unit) throws VerificationException, IOException, ServerRequest.HttpFailure {
-        long expires = ((long) token.getExpiration()) * 1000 - unit.toMillis(minValidity);
+        long expires = ((long) token.getExp()) * 1000 - unit.toMillis(minValidity);
         if (expires < System.currentTimeMillis()) {
             refreshToken();
         }

@@ -106,7 +106,7 @@ private AccessTokenResponse tryRefreshToken() {
     }
 
     public boolean isTokenTimeToLiveSufficient(AccessToken token) {
-        return token != null && (token.getExpiration() - getConfiguration().getTokenMinimumTimeToLive()) > Time.currentTime();
+        return token != null && (token.getExp() - getConfiguration().getTokenMinimumTimeToLive()) > Time.currentTime();
     }
 
     /**

@@ -182,10 +182,10 @@ protected JsonWebToken createRequestToken(String clientId, String realmInfoUrl)
         reqToken.subject(clientId);
         reqToken.audience(realmInfoUrl);
 
-        int now = Time.currentTime();
-        reqToken.issuedAt(now);
-        reqToken.expiration(now + this.tokenTimeout);
-        reqToken.notBefore(now);
+        long now = Time.currentTime();
+        reqToken.iat(now);
+        reqToken.exp(now + this.tokenTimeout);
+        reqToken.nbf(now);
 
         return reqToken;
     }

@@ -131,11 +131,11 @@ protected JsonWebToken createRequestToken(String clientId, String realmInfoUrl)
         reqToken.subject(clientId);
         reqToken.audience(realmInfoUrl);
 
-        int now = Time.currentTime();
-        reqToken.issuedAt(now);
+        long now = Time.currentTime();
+        reqToken.iat(now);
         // the same as in KEYCLOAK-2986, JWTClientCredentialsProvider's timeout field
-        reqToken.expiration(now + 10);
-        reqToken.notBefore(now);
+        reqToken.exp(now + 10);
+        reqToken.nbf(now);
         return reqToken;
     }
 

@@ -205,22 +205,6 @@ public AccessToken id(String id) {
         return (AccessToken) super.id(id);
     }
 
-    @Override
-    public AccessToken expiration(int expiration) {
-        return (AccessToken) super.expiration(expiration);
-    }
-
-    @Override
-    public AccessToken notBefore(int notBefore) {
-        return (AccessToken) super.notBefore(notBefore);
-    }
-
-
-    @Override
-    public AccessToken issuedAt(int issuedAt) {
-        return (AccessToken) super.issuedAt(issuedAt);
-    }
-
     @Override
     public AccessToken issuer(String issuer) {
         return (AccessToken) super.issuer(issuer);

@@ -154,27 +154,10 @@ public Long getAuth_time() {
         return auth_time;
     }
 
-    /**
-     * @deprecated int will overflow with values after 2038. Use {@link #getAuth_time()} instead.
-     */
-    @Deprecated
-    @JsonIgnore
-    public int getAuthTime() {
-        return auth_time != null ? auth_time.intValue() : 0;
-    }
-
     public void setAuth_time(Long auth_time) {
         this.auth_time = auth_time;
     }
 
-    /**
-     * @deprecated int will overflow with values after 2038. Use {@link #setAuth_time(Long)} ()} instead.
-     */
-    public void setAuthTime(int authTime) {
-        this.auth_time = Long.valueOf(authTime);
-    }
-
-
     public String getSessionId() {
         return sessionId;
     }

@@ -77,64 +77,28 @@ public Long getExp() {
         return exp;
     }
 
-    /**
-     * @deprecated int will overflow with values after 2038. Use {@link #getExp()} instead.
-     */
-    @Deprecated
-    @JsonIgnore
-    public int getExpiration() {
-        return exp != null ? exp.intValue() : 0;
-    }
-
     public JsonWebToken exp(Long exp) {
         this.exp = exp;
         return this;
     }
 
-    /**
-     * @deprecated int will overflow with values after 2038. Use {@link #exp(Long)} instead.
-     */
-    public JsonWebToken expiration(int expiration) {
-        this.exp = Long.valueOf(expiration);
-        return this;
-    }
-
     @JsonIgnore
     public boolean isExpired() {
-        return exp != null && exp != 0 ? Time.currentTime() > exp : false;
+        return exp != null && exp != 0 && Time.currentTime() > exp;
     }
 
     public Long getNbf() {
         return nbf;
     }
 
-    /**
-     * @deprecated int will overflow with values after 2038. Use {@link #getNbf()} instead.
-     */
-    @Deprecated
-    @JsonIgnore
-    public int getNotBefore() {
-        return nbf != null ? nbf.intValue() : 0;
-    }
-
     public JsonWebToken nbf(Long nbf) {
         this.nbf = nbf;
         return this;
     }
 
-    /**
-     * @deprecated int will overflow with values after 2038. Use {@link #nbf(Long)} instead.
-     */
-    @Deprecated
     @JsonIgnore
-    public JsonWebToken notBefore(int notBefore) {
-        this.nbf = Long.valueOf(notBefore);
-        return this;
-    }
-
-    @JsonIgnore
-    public boolean isNotBefore(int allowedTimeSkew) {
-        return nbf != null ? Time.currentTime() + allowedTimeSkew >= nbf : true;
+    public boolean isNotBefore(long allowedTimeSkew) {
+        return nbf == null || Time.currentTime() + allowedTimeSkew >= nbf;
     }
 
     /**
@@ -165,21 +129,12 @@ public Long getIat() {
         return iat;
     }
 
-    /**
-     * @deprecated int will overflow with values after 2038. Use {@link #getIat()} instead.
-     */
-    @Deprecated
-    @JsonIgnore
-    public int getIssuedAt() {
-        return iat != null ? iat.intValue() : 0;
-    }
-
     /**
      * Set issuedAt to the current time
      */
     @JsonIgnore
     public JsonWebToken issuedNow() {
-        iat = Long.valueOf(Time.currentTime());
+        iat = (long) Time.currentTime();
         return this;
     }
 
@@ -188,17 +143,6 @@ public JsonWebToken iat(Long iat) {
         return this;
     }
 
-    /**
-     * @deprecated int will overflow with values after 2038. Use {@link #iat(Long)} ()} instead.
-     */
-    @Deprecated
-    @JsonIgnore
-    public JsonWebToken issuedAt(int issuedAt) {
-        this.iat = Long.valueOf(issuedAt);
-        return this;
-    }
-
-
     public String getIssuer() {
         return issuer;
     }

@@ -42,14 +42,14 @@ public DockerResponseToken id(final String id) {
     }
 
     @Override
-    public DockerResponseToken expiration(final int expiration) {
-        super.expiration(expiration);
+    public DockerResponseToken exp(final Long expiration) {
+        super.exp(expiration);
         return this;
     }
 
     @Override
-    public DockerResponseToken notBefore(final int notBefore) {
-        super.notBefore(notBefore);
+    public DockerResponseToken nbf(final Long notBefore) {
+        super.nbf(notBefore);
         return this;
     }
 
@@ -60,8 +60,8 @@ public DockerResponseToken issuedNow() {
     }
 
     @Override
-    public DockerResponseToken issuedAt(final int issuedAt) {
-        super.issuedAt(issuedAt);
+    public DockerResponseToken iat(final Long issuedAt) {
+        super.iat(issuedAt);
         return this;
     }
 

@@ -44,9 +44,9 @@ public PermissionTicketToken(List<Permission> permissions, String audience, Acce
         if (accessToken != null) {
             id(TokenIdGenerator.generateId());
             subject(accessToken.getSubject());
-            expiration(accessToken.getExpiration());
-            notBefore(accessToken.getNotBefore());
-            issuedAt(accessToken.getIssuedAt());
+            this.exp(accessToken.getExp());
+            this.nbf(accessToken.getNbf());
+            iat(accessToken.getIat());
             issuedFor(accessToken.getIssuedFor());
         }
         if (audience != null) {

@@ -120,7 +120,7 @@ public void testBadSignature() {
 
     @Test
     public void testNotBeforeGood() throws Exception {
-        token.notBefore(Time.currentTime() - 100);
+        token.nbf(Time.currentTime() - 100L);
 
         String encoded = new JWSBuilder()
                 .jsonContent(token)
@@ -136,7 +136,7 @@ public void testNotBeforeGood() throws Exception {
 
     @Test
     public void testNotBeforeBad() {
-        token.notBefore(Time.currentTime() + 100);
+        token.nbf(Time.currentTime() + 100L);
 
         String encoded = new JWSBuilder()
                 .jsonContent(token)
@@ -153,7 +153,7 @@ public void testNotBeforeBad() {
 
     @Test
     public void testExpirationGood() throws Exception {
-        token.expiration(Time.currentTime() + 100);
+        token.exp(Time.currentTime() + 100L);
 
         String encoded = new JWSBuilder()
                 .jsonContent(token)
@@ -169,7 +169,7 @@ public void testExpirationGood() throws Exception {
 
     @Test
     public void testExpirationBad() {
-        token.expiration(Time.currentTime() - 100);
+        token.exp(Time.currentTime() - 100L);
 
         String encoded = new JWSBuilder()
                 .jsonContent(token)
-Original file line number
+Diff line change
@@ Expand Up / @@ -106,7 +106,7 @@ private AccessTokenResponse tryRefreshToken() { @@
         }
         public boolean isTokenTimeToLiveSufficient(AccessToken token) {
-            return token != null && (token.getExpiration() - getConfiguration().getTokenMinimumTimeToLive()) > Time.currentTime();
+            return token != null && (token.getExp() - getConfiguration().getTokenMinimumTimeToLive()) > Time.currentTime();
         }
         /**
@@ Expand Down @@