Package org.keycloak
Class TokenVerifier<T extends JsonWebToken>
- java.lang.Object
  - org.keycloak.TokenVerifier<T>

public class TokenVerifier<T extends JsonWebToken> extends Object
- Version: $Revision: 1 $
- Author: Bill Burke

Nested Class Summary
Nested Classes (Modifier and Type, Class, Description)
- static class TokenVerifier.AudienceCheck
- static class TokenVerifier.IssuedForCheck
- static interface TokenVerifier.Predicate<T extends JsonWebToken>
  Functional interface of checks that verify some part of a JWT.
- static class TokenVerifier.RealmUrlCheck
- static class TokenVerifier.TokenTypeCheck

Field Summary
Fields (Modifier and Type, Field, Description)
- static TokenVerifier.Predicate<JsonWebToken> IS_ACTIVE
  Check for token being neither expired nor used before it gets valid.
- static TokenVerifier.Predicate<JsonWebToken> SUBJECT_EXISTS_CHECK

Constructor Summary
Constructors (Modifier, Constructor, Description)
- protected TokenVerifier(String tokenString, Class<T> clazz)
- protected TokenVerifier(T token)

Method Summary
Methods (Modifier and Type, Method, Description)
- static <T extends JsonWebToken> TokenVerifier.Predicate<T> alternative(TokenVerifier.Predicate<? super T>... predicates)
  Creates a predicate that will proceed with checks of the given predicates and will pass if and only if at least one of the given predicates passes.
- TokenVerifier<T> audience(String... expectedAudiences)
  Add check for verifying that token contains the expectedAudience
- TokenVerifier<T> checkActive(boolean checkActive)
  Deprecated. This method is here only for backward compatibility with previous version of TokenVerifier.
- TokenVerifier<T> checkRealmUrl(boolean checkRealmUrl)
  Deprecated. This method is here only for backward compatibility with previous version of TokenVerifier.
- TokenVerifier<T> checkTokenType(boolean checkTokenType)
  Deprecated. This method is here only for backward compatibility with previous version of TokenVerifier.
- static <T extends JsonWebToken> TokenVerifier<T> create(String tokenString, Class<T> clazz)
  Creates an instance of TokenVerifier from the given string on a JWT of the given class.
- static <T extends JsonWebToken> TokenVerifier<T> createWithoutSignature(T token)
  Creates an instance of TokenVerifier for the given token.
- JWSHeader getHeader()
- T getToken()
- TokenVerifier<T> issuedFor(String expectedIssuedFor)
  Add check for verifying that token issuedFor (azp claim) is the expected value
- static <T extends JsonWebToken> TokenVerifier.Predicate<T> optional(TokenVerifier.Predicate<T> mandatoryPredicate)
  Creates an optional predicate from a predicate that will proceed with check but always pass.
- TokenVerifier<T> parse()
- TokenVerifier<T> publicKey(PublicKey publicKey)
  Sets the key for verification of RSA-based signature.
- TokenVerifier<T> realmUrl(String realmUrl)
  Deprecated. This method is here only for backward compatibility with previous version of TokenVerifier.
- TokenVerifier<T> secretKey(SecretKey secretKey)
  Sets the key for verification of HMAC-based signature.
- TokenVerifier<T> tokenType(String tokenType)
- TokenVerifier<T> verifierContext(SignatureVerifierContext verifier)
- TokenVerifier<T> verify()
- void verifySignature()
- TokenVerifier<T> withChecks(TokenVerifier.Predicate<? super T>... checks)
  Will test the given checks in verify() method in addition to already set checks.
- TokenVerifier<T> withDefaultChecks()
  Adds default checks to the token verification:
  - Realm URL (JWT issuer field: iss) has to be defined and match realm set via realmUrl(java.lang.String) method
  - Subject (JWT subject field: sub) has to be defined
  - Token type (JWT type field: typ) has to be Bearer.

Field Detail
SUBJECT_EXISTS_CHECK
public static final TokenVerifier.Predicate<JsonWebToken> SUBJECT_EXISTS_CHECK

IS_ACTIVE
public static final TokenVerifier.Predicate<JsonWebToken> IS_ACTIVE
Checks that the token is neither expired nor used before it becomes valid.
- See Also: JsonWebToken.isActive()

Method Detail
verifierContext
public TokenVerifier<T> verifierContext(SignatureVerifierContext verifier)

create
public static <T extends JsonWebToken> TokenVerifier<T> create(String tokenString, Class<T> clazz)
Creates an instance of TokenVerifier from the given string on a JWT of the given class. The token verifier has no checks defined. Note that the checks are only tested when the verify() method is invoked.
- Type Parameters:
  T - Type of the token
- Parameters:
  tokenString - String representation of JWT
  clazz - Class of the token
- Returns:

createWithoutSignature
public static <T extends JsonWebToken> TokenVerifier<T> createWithoutSignature(T token)
Creates an instance of TokenVerifier for the given token. The token verifier has no checks defined. Note that the checks are only tested when the verify() method is invoked.
NOTE: The returned token verifier cannot verify the token signature since that is not part of the JsonWebToken object.
- Returns:

withDefaultChecks
public TokenVerifier<T> withDefaultChecks()
Adds default checks to the token verification:
- Realm URL (JWT issuer field: iss) has to be defined and match the realm set via the realmUrl(java.lang.String) method
- Subject (JWT subject field: sub) has to be defined
- Token type (JWT type field: typ) has to be Bearer. The type can be set via the tokenType(java.lang.String) method
- Token has to be active, i.e. both not expired and not used before its validity (JWT fields: exp and nbf)
- Returns:
  This token verifier.

withChecks
@SafeVarargs public final TokenVerifier<T> withChecks(TokenVerifier.Predicate<? super T>... checks)
Will test the given checks in verify() method in addition to already set checks.
- Parameters:
  checks -
- Returns:

publicKey
public TokenVerifier<T> publicKey(PublicKey publicKey)
Sets the key for verification of RSA-based signature.
- Parameters:
  publicKey -
- Returns:

secretKey
public TokenVerifier<T> secretKey(SecretKey secretKey)
Sets the key for verification of HMAC-based signature.
- Parameters:
  secretKey -
- Returns:

realmUrl
public TokenVerifier<T> realmUrl(String realmUrl)
Deprecated. This method is here only for backward compatibility with previous version of TokenVerifier.
- Returns:
  This token verifier

checkTokenType
public TokenVerifier<T> checkTokenType(boolean checkTokenType)
Deprecated. This method is here only for backward compatibility with previous version of TokenVerifier.
- Returns:
  This token verifier

tokenType
public TokenVerifier<T> tokenType(String tokenType)
- Returns:
  This token verifier

checkActive
public TokenVerifier<T> checkActive(boolean checkActive)
Deprecated. This method is here only for backward compatibility with previous version of TokenVerifier.
- Returns:
  This token verifier

checkRealmUrl
public TokenVerifier<T> checkRealmUrl(boolean checkRealmUrl)
Deprecated. This method is here only for backward compatibility with previous version of TokenVerifier.
- Returns:
  This token verifier

audience
public TokenVerifier<T> audience(String... expectedAudiences)
Add check for verifying that token contains the expectedAudience
- Parameters:
  expectedAudiences - Audiences that need to be in the target token. Can be null.
- Returns:
  This token verifier

issuedFor
public TokenVerifier<T> issuedFor(String expectedIssuedFor)
Add check for verifying that token issuedFor (azp claim) is the expected value
- Parameters:
  expectedIssuedFor - issuedFor that needs to be in the target token. Can't be null
- Returns:
  This token verifier

parse
public TokenVerifier<T> parse() throws VerificationException
- Throws: VerificationException

getToken
public T getToken() throws VerificationException
- Throws: VerificationException

getHeader
public JWSHeader getHeader() throws VerificationException
- Throws: VerificationException

verifySignature
public void verifySignature() throws VerificationException
- Throws: VerificationException

verify
public TokenVerifier<T> verify() throws VerificationException
- Throws: VerificationException

optional
public static <T extends JsonWebToken> TokenVerifier.Predicate<T> optional(TokenVerifier.Predicate<T> mandatoryPredicate)
Creates an optional predicate from a predicate that will proceed with check but always pass.
- Type Parameters:
  T -
- Parameters:
  mandatoryPredicate -
- Returns:

alternative
@SafeVarargs public static <T extends JsonWebToken> TokenVerifier.Predicate<T> alternative(TokenVerifier.Predicate<? super T>... predicates)
Creates a predicate that will proceed with checks of the given predicates and will pass if and only if at least one of the given predicates passes.
- Type Parameters:
  T -
- Parameters:
  predicates -
- Returns:
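
A verification chain built from the methods documented above, as an added example (not code from the Keycloak project). It assumes AccessToken from org.keycloak.representations and VerificationException from org.keycloak.common; the realm URL, the audience name and the HAS_TOKEN_ID check are hypothetical. realmUrl(String) is used because withDefaultChecks() refers to it, although this page marks it deprecated.

```java
import java.security.PublicKey;

import org.keycloak.TokenVerifier;
import org.keycloak.common.VerificationException;
import org.keycloak.representations.AccessToken;

public final class AccessTokenValidator {

    // Hypothetical deployment values (assumptions, not from the Keycloak docs).
    private static final String REALM_URL = "https://sso.example.test/realms/demo";
    private static final String API_AUDIENCE = "orders-api";

    // Custom check (hypothetical): reject tokens that carry no token ID (jti).
    // A Predicate may either return false or throw to fail verification.
    private static final TokenVerifier.Predicate<AccessToken> HAS_TOKEN_ID = token -> {
        if (token.getId() == null) {
            throw new VerificationException("Token has no ID (jti)");
        }
        return true;
    };

    private AccessTokenValidator() {
    }

    /**
     * Returns the parsed token only if the signature and every claim check pass.
     * realmPublicKey must come from a trusted source configured for the realm,
     * never from data carried by the token being verified.
     */
    public static AccessToken validate(String bearerToken, PublicKey realmPublicKey)
            throws VerificationException {
        // create() returns a verifier with no checks defined, so every check
        // the application relies on has to be added explicitly.
        return TokenVerifier.create(bearerToken, AccessToken.class)
                .withDefaultChecks()       // iss, sub, typ and exp/nbf
                .realmUrl(REALM_URL)       // value the iss claim must match
                .audience(API_AUDIENCE)    // token must be meant for this API
                .withChecks(HAS_TOKEN_ID)  // application-specific check
                .publicKey(realmPublicKey) // key for the RSA-based signature
                .verify()                  // checks are only tested here
                .getToken();
    }
}
```

A verifier obtained from createWithoutSignature(T) runs the same claim checks but cannot verify the signature, so it is only appropriate for tokens whose signature has already been validated elsewhere.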