try { AdapterTokenVerifier.VerifiedTokens tokens = AdapterTokenVerifier.verifyTokens(tokenString, response.getIdToken(), deployment); token = tokens.getAccessToken(); log.debug("Token Verification succeeded!"); } catch (VerificationException e) {
token = tokens.getAccessToken(); idToken = tokens.getIdToken(); log.debug("Token Verification succeeded!"); } catch (VerificationException e) {
return postTokenVerification(tokenResponse.getToken(), tokens.getAccessToken());
/**
 * Verifies the access token and, when one was issued, the ID token. Typically called once a
 * successful token response has been received from Keycloak.
 *
 * <p>The access token goes through the adapter's full verification (the checks configured by
 * {@code createVerifier}, signature included). The ID token is only parsed and then checked
 * without a signature step; its audience ({@code aud}) and authorized party ({@code azp}) must
 * both equal the deployment's resource name.
 *
 * @param accessTokenString the raw access token as received from the token endpoint
 * @param idTokenString     the raw ID token, or {@code null} when none was issued
 * @param deployment        the adapter deployment the tokens are verified against
 * @return the parsed access token together with the parsed ID token ({@code null} when no ID
 *     token string was supplied)
 * @throws VerificationException if the access token fails verification, or if the ID token
 *     cannot be parsed or its audience/azp do not match the deployment
 */
public static VerifiedTokens verifyTokens(String accessTokenString, String idTokenString, KeycloakDeployment deployment) throws VerificationException {
    // The access token carries the full set of adapter checks (signature etc.).
    AccessToken verifiedAccessToken = createVerifier(accessTokenString, deployment, true, AccessToken.class)
            .verify()
            .getToken();

    // No ID token issued: nothing further to check.
    if (idTokenString == null) {
        return new VerifiedTokens(verifiedAccessToken, null);
    }

    // Parse the ID token; its signature is intentionally not checked on this path.
    // NOTE(review): the original comment says "again", implying the signature is covered
    // elsewhere (presumably the token came straight from the token endpoint) -- confirm.
    IDToken parsedIdToken = TokenVerifier.create(idTokenString, IDToken.class).getToken();
    TokenVerifier<IDToken> idTokenChecks = TokenVerifier.createWithoutSignature(parsedIdToken);

    // aud and azp must always name this deployment's client.
    idTokenChecks.audience(deployment.getResourceName());
    idTokenChecks.issuedFor(deployment.getResourceName());
    idTokenChecks.verify();

    return new VerifiedTokens(verifiedAccessToken, parsedIdToken);
}