/**
 * Creates an instance holding a verifier for the given access token string with the
 * default checks applied.
 *
 * <p>This constructor sets no public key on the verifier; it only parses the token and
 * registers the default checks. Whether a signature is ever checked depends on what is
 * later done with {@code tokenVerifier}.
 *
 * @param tokenString the raw access token string
 */
private RSATokenVerifier(String tokenString) {
    TokenVerifier<AccessToken> verifier = TokenVerifier.create(tokenString, AccessToken.class);
    this.tokenVerifier = verifier.withDefaultChecks();
}
/**
 * Verifies an access token and, when one is given, parses and checks the accompanying ID token.
 * Typically called after a successful token response has been received from Keycloak.
 *
 * <p>The access token goes through the verifier built by
 * {@link #createVerifier(String, KeycloakDeployment, boolean, Class)} with default checks on,
 * i.e. the default checks, the realm-URL check and the signature check against the public
 * key resolved from the deployment. The ID token is deliberately <em>not</em> signature-verified
 * here; it is only parsed and then checked for audience and azp ({@code issuedFor}) against
 * the deployment's resource name. No realm-URL check and none of the default checks are
 * applied to the ID token in this method, so it should only ever be the ID token that was
 * delivered together with the access token verified here.
 *
 * @param accessTokenString the raw access token to verify
 * @param idTokenString the raw ID token to parse and check, or {@code null} if there is none
 * @param deployment the deployment supplying realm URL, public keys and resource name
 * @return the verified access token paired with the parsed ID token ({@code null} when none was given)
 * @throws VerificationException if any of the access-token or ID-token checks fails
 */
public static VerifiedTokens verifyTokens(String accessTokenString, String idTokenString,
                                          KeycloakDeployment deployment) throws VerificationException {
    // Adapters currently do most of the checks including signature etc on the access token
    AccessToken accessToken = createVerifier(accessTokenString, deployment, true, AccessToken.class)
            .verify()
            .getToken();

    // No ID token supplied: hand back the access token only
    if (idTokenString == null) {
        return new VerifiedTokens(accessToken, null);
    }

    // Don't verify signature again on IDToken; parse it and run only the audience/azp checks
    IDToken idToken = TokenVerifier.create(idTokenString, IDToken.class).getToken();
    TokenVerifier<IDToken> idTokenVerifier = TokenVerifier.createWithoutSignature(idToken);
    idTokenVerifier.audience(deployment.getResourceName());
    idTokenVerifier.issuedFor(deployment.getResourceName());
    idTokenVerifier.verify();

    return new VerifiedTokens(accessToken, idToken);
}
/**
 * Builds a {@link TokenVerifier} for a raw token string, wired to the given deployment.
 *
 * <p>When {@code withDefaultChecks} is {@code true} the verifier gets the default checks
 * (activeness and token type) plus the realm-URL check taken from the deployment; when it is
 * {@code false} none of those are added and the caller is expected to add, remove or update
 * checks itself before calling {@code verify()}. In both cases the public key matching the
 * {@code kid} in the token header is looked up from the deployment and set on the verifier.
 * Nothing is verified here: the returned verifier has not been run yet.
 *
 * @param tokenString the raw token string
 * @param deployment the deployment supplying the realm URL and the public keys
 * @param withDefaultChecks whether to register the default checks and the realm-URL check
 * @param tokenClass the token type to parse the string into
 * @param <T> the token type
 * @return a configured, not yet executed verifier
 * @throws VerificationException if the token cannot be parsed or the public key lookup fails
 */
public static <T extends JsonWebToken> TokenVerifier<T> createVerifier(String tokenString,
                                                                       KeycloakDeployment deployment,
                                                                       boolean withDefaultChecks,
                                                                       Class<T> tokenClass)
        throws VerificationException {
    TokenVerifier<T> verifier = TokenVerifier.create(tokenString, tokenClass);

    if (withDefaultChecks) {
        verifier.withDefaultChecks().realmUrl(deployment.getRealmInfoUrl());
    }

    // Resolve the signing key via the key id announced in the token header
    String keyId = verifier.getHeader().getKeyId();
    verifier.publicKey(getPublicKey(keyId, deployment));

    return verifier;
}