Package org.keycloak

Class TokenVerifier<T extends JsonWebToken>

java.lang.Object
org.keycloak.TokenVerifier<T>

public class TokenVerifier<T extends JsonWebToken> extends Object
Version:
$Revision: 1 $
Author:
Bill Burke
  • Field Details

  • Constructor Details

    • TokenVerifier

      protected TokenVerifier(String tokenString, Class<T> clazz)
    • TokenVerifier

      protected TokenVerifier(T token)
  • Method Details

    • verifierContext

      public TokenVerifier<T> verifierContext(SignatureVerifierContext verifier)
    • create

      public static <T extends JsonWebToken> TokenVerifier<T> create(String tokenString, Class<T> clazz)
      Creates an instance of TokenVerifier from the given string on a JWT of the given class. The token verifier has no checks defined. Note that the checks are only tested when verify() method is invoked.
      Type Parameters:
      T - Type of the token
      Parameters:
      tokenString - String representation of JWT
      clazz - Class of the token
      Returns:
    • createWithoutSignature

      public static <T extends JsonWebToken> TokenVerifier<T> createWithoutSignature(T token)
      Creates an instance of TokenVerifier for the given token. The token verifier has no checks defined. Note that the checks are only tested when verify() method is invoked.

      NOTE: The returned token verifier cannot verify token signature since that is not part of the JsonWebToken object.

      Returns:
    • withDefaultChecks

      public TokenVerifier<T> withDefaultChecks()
      Adds default checks to the token verification:
      • Realm URL (JWT issuer field: iss) has to be defined and match realm set via realmUrl(java.lang.String) method
      • Subject (JWT subject field: sub) has to be defined
      • Token type (JWT type field: typ) has to be Bearer. The type can be set via tokenType(java.lang.String) method
      • Token has to be active, ie. both not expired and not used before its validity (JWT issuer fields: exp and nbf)
      Returns:
      This token verifier.
    • withChecks

      @SafeVarargs public final TokenVerifier<T> withChecks(TokenVerifier.Predicate<? super T>... checks)
      Will test the given checks in verify() method in addition to already set checks.
      Parameters:
      checks -
      Returns:
    • publicKey

      public TokenVerifier<T> publicKey(PublicKey publicKey)
      Sets the key for verification of RSA-based signature.
      Parameters:
      publicKey -
      Returns:
    • secretKey

      public TokenVerifier<T> secretKey(SecretKey secretKey)
      Sets the key for verification of HMAC-based signature.
      Parameters:
      secretKey -
      Returns:
    • realmUrl

      public TokenVerifier<T> realmUrl(String realmUrl)
      Deprecated.
      This method is here only for backward compatibility with previous version of TokenVerifier.
      Returns:
      This token verifier
    • checkTokenType

      public TokenVerifier<T> checkTokenType(boolean checkTokenType)
      Deprecated.
      This method is here only for backward compatibility with previous version of TokenVerifier.
      Returns:
      This token verifier
    • tokenType

      public TokenVerifier<T> tokenType(String tokenType)
      Returns:
      This token verifier
    • checkActive

      public TokenVerifier<T> checkActive(boolean checkActive)
      Deprecated.
      This method is here only for backward compatibility with previous version of TokenVerifier.
      Returns:
      This token verifier
    • checkRealmUrl

      public TokenVerifier<T> checkRealmUrl(boolean checkRealmUrl)
      Deprecated.
      This method is here only for backward compatibility with previous version of TokenVerifier.
      Returns:
      This token verifier
    • audience

      public TokenVerifier<T> audience(String... expectedAudiences)
      Add check for verifying that token contains the expectedAudience
      Parameters:
      expectedAudiences - Audiences, which needs to be in the target token. Can be null.
      Returns:
      This token verifier
    • issuedFor

      public TokenVerifier<T> issuedFor(String expectedIssuedFor)
      Add check for verifying that token issuedFor (azp claim) is the expected value
      Parameters:
      expectedIssuedFor - issuedFor, which needs to be in the target token. Can't be null
      Returns:
      This token verifier
    • parse

      public TokenVerifier<T> parse() throws VerificationException
      Throws:
      VerificationException
    • getToken

      public T getToken() throws VerificationException
      Throws:
      VerificationException
    • getHeader

      public JWSHeader getHeader() throws VerificationException
      Throws:
      VerificationException
    • verifySignature

      public void verifySignature() throws VerificationException
      Throws:
      VerificationException
    • verify

      public TokenVerifier<T> verify() throws VerificationException
      Throws:
      VerificationException
    • optional

      public static <T extends JsonWebToken> TokenVerifier.Predicate<T> optional(TokenVerifier.Predicate<T> mandatoryPredicate)
      Creates an optional predicate from a predicate that will proceed with check but always pass.
      Type Parameters:
      T -
      Parameters:
      mandatoryPredicate -
      Returns:
    • alternative

      @SafeVarargs public static <T extends JsonWebToken> TokenVerifier.Predicate<T> alternative(TokenVerifier.Predicate<? super T>... predicates)
      Creates a predicate that will proceed with checks of the given predicates and will pass if and only if at least one of the given predicates passes.
      Type Parameters:
      T -
      Parameters:
      predicates -
      Returns: