Package org.keycloak.representations
Class JsonWebToken
java.lang.Object
org.keycloak.representations.JsonWebToken
- All Implemented Interfaces:
Serializable, Token
- Direct Known Subclasses:
AuthorizationResponseToken, CIBAAuthenticationRequest, DefaultActionTokenKey, DockerResponseToken, DPoP, IDToken, InitialAccessToken, JwtCNonce, LogoutToken, PermissionTicketToken, RegistrationAccessToken, TokenIntrospectionResponse
- Version:
- $Revision: 1 $
- Author:
- Bill Burke
Field Summary
Fields -
Constructor Summary
Constructors -
Method Summary
Modifier and Type, Method, Description:
addAudience(String audience)
final boolean
String[]
getExp()
getIat()
getId()
OAuth client the token was issued for.
getNbf()
This is a map of any other claims and data that might be in the IDToken.
getType()
boolean hasAnyAudience(List<String> audiences)
boolean hasAudience(String audience)
int hashCode()
boolean isActive() - Tests that the token is not expired and is not-before.
boolean isActive(int allowedTimeSkew)
boolean
boolean isIssuedBeforeSessionStart(long sessionStarted)
boolean isNotBefore(long allowedTimeSkew)
Set issuedAt to the current time
void setOtherClaims(String name, Object value)
void setSubject(String subject)
toString()
-
Field Details
-
AZP
AUD
SUBJECT
id
-
exp
-
nbf
-
iat
-
issuer
-
audience
-
subject
-
type
-
issuedFor
-
otherClaims
-
-
Constructor Details
-
JsonWebToken
public JsonWebToken()
-
-
Method Details
-
getId
-
id
-
getExp
-
exp
-
isExpired
public boolean isExpired()
-
getNbf
-
nbf
-
isNotBefore
public boolean isNotBefore(long allowedTimeSkew)
-
isActive
public boolean isActive()
Tests that the token is not expired and is not-before. This assumes a default clock skew of 10 seconds for the "is not before" check, which is in line with FAPI 2.0. See FAPI 2.0 Security Profile:
Clock skew is a cause of many interoperability issues. Even a few hundred milliseconds of clock skew can cause JWTs to be rejected for being "issued in the future". The DPoP specification [RFC9449] suggests that JWTs are accepted in the reasonably near future (on the order of seconds or minutes). This document goes further by requiring authorization servers to accept JWTs that have timestamps up to 10 seconds in the future. 10 seconds was chosen as a value that does not affect security while greatly increasing interoperability. Implementers are free to accept JWTs with a timestamp of up to 60 seconds in the future. Some ecosystems have found that the value of 30 seconds is needed to fully eliminate clock skew issues. To prevent implementations switching off iat and nbf checks completely this document imposes a maximum timestamp in the future of 60 seconds.
-
isActive
public boolean isActive(int allowedTimeSkew)
-
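The skew handling described for isActive(), as an added example that is not Keycloak's code: the class TokenTimeWindow and its methods are hypothetical. It goes slightly beyond the description by applying the same bounded skew to iat as well as nbf, following the quoted FAPI 2.0 text, and it assumes an absent claim imposes no constraint.

```java
import java.time.Instant;

/** Added illustration; hypothetical class, not org.keycloak.representations.JsonWebToken. */
public class TokenTimeWindow {
    static final long DEFAULT_SKEW_SECONDS = 10; // default named in the isActive() description
    static final long MAX_SKEW_SECONDS = 60;     // ceiling from the quoted FAPI 2.0 text

    /** exp gets no skew allowance here: per RFC 7519 the token is only valid before exp. */
    static boolean isExpired(Long exp, long now) {
        return exp != null && now >= exp;
    }

    /** A future-dated nbf or iat is tolerated only within a bounded skew. */
    static boolean notInFuture(Long claim, long now, long skew) {
        if (skew < 0 || skew > MAX_SKEW_SECONDS) {
            // An unbounded skew would effectively switch the nbf/iat checks off.
            throw new IllegalArgumentException(
                "skew must be within 0.." + MAX_SKEW_SECONDS + " seconds");
        }
        return claim == null || claim <= now + skew; // assumption: absent claim = no constraint
    }

    static boolean isActive(Long exp, Long nbf, Long iat, long now, long skew) {
        return !isExpired(exp, now)
            && notInFuture(nbf, now, skew)
            && notInFuture(iat, now, skew);
    }

    public static void main(String[] args) {
        // Constructed sample values: a fixed verifier clock and tokens relative to it.
        long now = Instant.parse("2024-01-01T00:00:00Z").getEpochSecond();
        Long exp = now + 300;

        System.out.println("issuer 4 s ahead, default skew:  "
            + isActive(exp, now + 4, now + 4, now, DEFAULT_SKEW_SECONDS));
        System.out.println("issuer 25 s ahead, default skew: "
            + isActive(exp, now + 25, now + 25, now, DEFAULT_SKEW_SECONDS));
        System.out.println("issuer 25 s ahead, 30 s skew:    "
            + isActive(exp, now + 25, now + 25, now, 30));
        System.out.println("already expired, 30 s skew:      "
            + isActive(now - 1, now - 600, now - 600, now, 30));
        try {
            isActive(exp, now + 3600, now + 3600, now, 7200);
        } catch (IllegalArgumentException e) {
            System.out.println("oversized skew rejected: " + e.getMessage());
        }
    }
}
```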
isIssuedBeforeSessionStart
public boolean isIssuedBeforeSessionStart(long sessionStarted)
- Parameters:
sessionStarted - Time in seconds
- Returns:
true if the particular token was issued before the given session start time, which means that the token cannot have been issued by the particular session
-
getIat
-
issuedNow
Set issuedAt to the current time
-
iat
-
getIssuer
-
issuer
-
getAudience
-
hasAudience
-
hasAnyAudience
-
audience
-
addAudience
-
getSubject
-
subject
-
setSubject
-
getType
-
type
-
getIssuedFor
OAuth client the token was issued for.
- Returns:
-
issuedFor
-
getOtherClaims
This is a map of any other claims and data that might be in the IDToken. Could be custom claims set up by the auth server.
- Returns:
-
setOtherClaims
-
getCategory
- Specified by:
getCategory in interface Token
-
equals
-
hashCode
public int hashCode()
-
toString
-