org.keycloak

Class TokenVerifier<T extends JsonWebToken>

java.lang.Object

org.keycloak.TokenVerifier<T>

public class TokenVerifier<T extends JsonWebToken>
extends Object

Version:

$Revision: 1 $

Author:

Bill Burke

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	TokenVerifier.AudienceCheck
static class	TokenVerifier.IssuedForCheck
static interface	TokenVerifier.Predicate<T extends JsonWebToken> Functional interface of checks that verify some part of a JWT.
static class	TokenVerifier.RealmUrlCheck
static class	TokenVerifier.TokenTypeCheck

Field Summary

Fields

Modifier and Type	Field and Description
static TokenVerifier.Predicate<JsonWebToken>	IS_ACTIVE Check for token being neither expired nor used before it gets valid.
static TokenVerifier.Predicate<JsonWebToken>	SUBJECT_EXISTS_CHECK

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	TokenVerifier(String tokenString, Class<T> clazz)
protected	TokenVerifier(T token)

Method Summary

Modifier and Type	Method and Description
static <T extends JsonWebToken> TokenVerifier.Predicate<T>	alternative(TokenVerifier.Predicate<? super T>... predicates) Creates a predicate that will proceed with checks of the given predicates and will pass if and only if at least one of the given predicates passes.
TokenVerifier<T>	audience(String expectedAudience) Add check for verifying that token contains the expectedAudience
TokenVerifier<T>	checkActive(boolean checkActive) Deprecated. This method is here only for backward compatibility with previous version of TokenVerifier.
TokenVerifier<T>	checkRealmUrl(boolean checkRealmUrl) Deprecated. This method is here only for backward compatibility with previous version of TokenVerifier.
TokenVerifier<T>	checkTokenType(boolean checkTokenType) Deprecated. This method is here only for backward compatibility with previous version of TokenVerifier.
static <T extends JsonWebToken> TokenVerifier<T>	create(String tokenString, Class<T> clazz) Creates an instance of TokenVerifier from the given string on a JWT of the given class.
static <T extends JsonWebToken> TokenVerifier<T>	createWithoutSignature(T token) Creates an instance of TokenVerifier for the given token.
JWSHeader	getHeader()
T	getToken()
TokenVerifier<T>	issuedFor(String expectedIssuedFor) Add check for verifying that token issuedFor (azp claim) is the expected value
static <T extends JsonWebToken> TokenVerifier.Predicate<T>	optional(TokenVerifier.Predicate<T> mandatoryPredicate) Creates an optional predicate from a predicate that will proceed with check but always pass.
TokenVerifier<T>	parse()
TokenVerifier<T>	publicKey(PublicKey publicKey) Sets the key for verification of RSA-based signature.
TokenVerifier<T>	realmUrl(String realmUrl) Deprecated. This method is here only for backward compatibility with previous version of TokenVerifier.
TokenVerifier<T>	secretKey(SecretKey secretKey) Sets the key for verification of HMAC-based signature.
TokenVerifier<T>	tokenType(String tokenType) Deprecated. This method is here only for backward compatibility with previous version of TokenVerifier.
TokenVerifier<T>	verifierContext(SignatureVerifierContext verifier)
TokenVerifier<T>	verify()
void	verifySignature()
TokenVerifier<T>	withChecks(TokenVerifier.Predicate<? super T>... checks) Will test the given checks in verify() method in addition to already set checks.
TokenVerifier<T>	withDefaultChecks() Adds default checks to the token verification: Realm URL (JWT issuer field: iss) has to be defined and match realm set via realmUrl(java.lang.String) method Subject (JWT subject field: sub) has to be defined Token type (JWT type field: typ) has to be Bearer.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

SUBJECT_EXISTS_CHECK

public static final TokenVerifier.Predicate<JsonWebToken> SUBJECT_EXISTS_CHECK

IS_ACTIVE

public static final TokenVerifier.Predicate<JsonWebToken> IS_ACTIVE

Check for token being neither expired nor used before it gets valid.

See Also:

JsonWebToken.isActive()

Constructor Detail

TokenVerifier

protected TokenVerifier(String tokenString,
                        Class<T> clazz)

TokenVerifier

protected TokenVerifier(T token)

Method Detail

verifierContext

public TokenVerifier<T> verifierContext(SignatureVerifierContext verifier)

create

public static <T extends JsonWebToken> TokenVerifier<T> create(String tokenString,
                                                               Class<T> clazz)

Creates an instance of TokenVerifier from the given string on a JWT of the given class. The token verifier has no checks defined. Note that the checks are only tested when verify() method is invoked.

Type Parameters:

T - Type of the token

Parameters:

tokenString - String representation of JWT

clazz - Class of the token

Returns:

createWithoutSignature

public static <T extends JsonWebToken> TokenVerifier<T> createWithoutSignature(T token)

Creates an instance of TokenVerifier for the given token. The token verifier has no checks defined. Note that the checks are only tested when verify() method is invoked.

NOTE: The returned token verifier cannot verify token signature since that is not part of the JsonWebToken object.

Returns:

withDefaultChecks

public TokenVerifier<T> withDefaultChecks()

Adds default checks to the token verification:

• Realm URL (JWT issuer field: iss) has to be defined and match realm set via realmUrl(java.lang.String) method
• Subject (JWT subject field: sub) has to be defined
• Token type (JWT type field: typ) has to be Bearer. The type can be set via tokenType(java.lang.String) method
• Token has to be active, ie. both not expired and not used before its validity (JWT issuer fields: exp and nbf)

Returns:

This token verifier.

withChecks

public TokenVerifier<T> withChecks(TokenVerifier.Predicate<? super T>... checks)

Will test the given checks in verify() method in addition to already set checks.

Parameters:

checks -

Returns:

publicKey

public TokenVerifier<T> publicKey(PublicKey publicKey)

Sets the key for verification of RSA-based signature.

Parameters:

publicKey -

Returns:

secretKey

public TokenVerifier<T> secretKey(SecretKey secretKey)

Sets the key for verification of HMAC-based signature.

Parameters:

secretKey -

Returns:

realmUrl

public TokenVerifier<T> realmUrl(String realmUrl)

Deprecated. This method is here only for backward compatibility with previous version of TokenVerifier.

Returns:

This token verifier

checkTokenType

public TokenVerifier<T> checkTokenType(boolean checkTokenType)

Deprecated. This method is here only for backward compatibility with previous version of TokenVerifier.

Returns:

This token verifier

tokenType

public TokenVerifier<T> tokenType(String tokenType)

Deprecated. This method is here only for backward compatibility with previous version of TokenVerifier.

Returns:

This token verifier

checkActive

public TokenVerifier<T> checkActive(boolean checkActive)

Deprecated. This method is here only for backward compatibility with previous version of TokenVerifier.

Returns:

This token verifier

checkRealmUrl

public TokenVerifier<T> checkRealmUrl(boolean checkRealmUrl)

Deprecated. This method is here only for backward compatibility with previous version of TokenVerifier.

Returns:

This token verifier

audience

public TokenVerifier<T> audience(String expectedAudience)

Add check for verifying that token contains the expectedAudience

Parameters:

expectedAudience - Audience, which needs to be in the target token. Can't be null

Returns:

This token verifier

issuedFor

public TokenVerifier<T> issuedFor(String expectedIssuedFor)

Add check for verifying that token issuedFor (azp claim) is the expected value

Parameters:

expectedIssuedFor - issuedFor, which needs to be in the target token. Can't be null

Returns:

This token verifier

parse

public TokenVerifier<T> parse()
                       throws VerificationException

Throws:

VerificationException

getToken

public T getToken()
           throws VerificationException

Throws:

VerificationException

getHeader

public JWSHeader getHeader()
                    throws VerificationException

Throws:

VerificationException

verifySignature

public void verifySignature()
                     throws VerificationException

Throws:

VerificationException

verify

public TokenVerifier<T> verify()
                        throws VerificationException

Throws:

VerificationException

optional

public static <T extends JsonWebToken> TokenVerifier.Predicate<T> optional(TokenVerifier.Predicate<T> mandatoryPredicate)

Creates an optional predicate from a predicate that will proceed with check but always pass.

Type Parameters:

T -

Parameters:

mandatoryPredicate -

Returns:

alternative

public static <T extends JsonWebToken> TokenVerifier.Predicate<T> alternative(TokenVerifier.Predicate<? super T>... predicates)

Creates a predicate that will proceed with checks of the given predicates and will pass if and only if at least one of the given predicates passes.

Type Parameters:

T -

Parameters:

predicates -

Returns: