diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java index d34c3fa817c..406ee0acc88 100755 --- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java +++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java @@ -110,7 +110,7 @@ public class BearerTokenRequestAuthenticator { challenge = challengeResponse(exchange, OIDCAuthenticationError.Reason.INVALID_TOKEN, "invalid_token", e.getMessage()); return AuthOutcome.FAILED; } - if (token.getIssuedAt() < deployment.getNotBefore()) { + if (token.getIat() < deployment.getNotBefore()) { log.debug("Stale token"); challenge = challengeResponse(exchange, OIDCAuthenticationError.Reason.STALE_TOKEN, "invalid_token", "Stale token"); return AuthOutcome.FAILED; diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java index 68acc1118fb..d0735ebc32a 100755 --- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java +++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java @@ -369,7 +369,7 @@ public class OAuthRequestAuthenticator { if (tokenResponse.getNotBeforePolicy() > deployment.getNotBefore()) { deployment.updateNotBefore(tokenResponse.getNotBeforePolicy()); } - if (token.getIssuedAt() < deployment.getNotBefore()) { + if (token.getIat() < deployment.getNotBefore()) { log.error("Stale token"); return challenge(403, OIDCAuthenticationError.Reason.STALE_TOKEN, null); } diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RefreshableKeycloakSecurityContext.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RefreshableKeycloakSecurityContext.java index c3b2e7155b9..03bdf68d268 100755 --- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RefreshableKeycloakSecurityContext.java +++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RefreshableKeycloakSecurityContext.java @@ -88,11 +88,11 @@ public class RefreshableKeycloakSecurityContext extends KeycloakSecurityContext } public boolean isActive() { - return token != null && this.token.isActive() && deployment!=null && this.token.getIssuedAt() >= deployment.getNotBefore(); + return token != null && this.token.isActive() && deployment!=null && this.token.getIat() >= deployment.getNotBefore(); } public boolean isTokenTimeToLiveSufficient(AccessToken token) { - return token != null && (token.getExpiration() - this.deployment.getTokenMinimumTimeToLive()) > Time.currentTime(); + return token != null && (token.getExp() - this.deployment.getTokenMinimumTimeToLive()) > Time.currentTime(); } public KeycloakDeployment getDeployment() { diff --git a/adapters/oidc/adapter-core/src/test/java/org/keycloak/adapters/RefreshableKeycloakSecurityContextTest.java b/adapters/oidc/adapter-core/src/test/java/org/keycloak/adapters/RefreshableKeycloakSecurityContextTest.java index 1a3b0101e9a..af3508522de 100644 --- a/adapters/oidc/adapter-core/src/test/java/org/keycloak/adapters/RefreshableKeycloakSecurityContextTest.java +++ b/adapters/oidc/adapter-core/src/test/java/org/keycloak/adapters/RefreshableKeycloakSecurityContextTest.java @@ -43,13 +43,13 @@ public class RefreshableKeycloakSecurityContextTest { TokenMetadataRepresentation token = new TokenMetadataRepresentation(); token.setActive(true); - token.issuedAt(4999); + token.iat(4999L); RefreshableKeycloakSecurityContext sut = new RefreshableKeycloakSecurityContext(keycloakDeployment,null,null,token,null, null, null); assertFalse(sut.isActive()); - token.issuedAt(5000); + token.iat(5000L); assertTrue(sut.isActive()); } diff --git a/adapters/oidc/installed/src/main/java/org/keycloak/adapters/installed/KeycloakInstalled.java b/adapters/oidc/installed/src/main/java/org/keycloak/adapters/installed/KeycloakInstalled.java index 685b55275be..6517030287d 100644 --- a/adapters/oidc/installed/src/main/java/org/keycloak/adapters/installed/KeycloakInstalled.java +++ b/adapters/oidc/installed/src/main/java/org/keycloak/adapters/installed/KeycloakInstalled.java @@ -18,12 +18,10 @@ package org.keycloak.adapters.installed; import java.awt.Desktop; -import java.io.BufferedReader; import java.io.IOException; import java.io.InputStream; import java.io.InputStreamReader; import java.io.PrintStream; -import java.io.PrintWriter; import java.io.Reader; import java.net.InetSocketAddress; import java.net.URI; @@ -37,16 +35,9 @@ import java.util.UUID; import java.util.concurrent.CountDownLatch; import java.util.concurrent.ForkJoinPool; import java.util.concurrent.TimeUnit; -import java.util.regex.Matcher; import java.util.regex.Pattern; -import javax.ws.rs.client.Entity; -import javax.ws.rs.core.Form; -import javax.ws.rs.core.HttpHeaders; -import javax.ws.rs.core.Response; - import org.jboss.resteasy.client.jaxrs.ResteasyClient; -import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder; import org.keycloak.OAuth2Constants; import org.keycloak.OAuthErrorException; import org.keycloak.adapters.KeycloakDeployment; @@ -314,7 +305,7 @@ public class KeycloakInstalled { } public String getTokenString(long minValidity, TimeUnit unit) throws VerificationException, IOException, ServerRequest.HttpFailure { - long expires = ((long) token.getExpiration()) * 1000 - unit.toMillis(minValidity); + long expires = ((long) token.getExp()) * 1000 - unit.toMillis(minValidity); if (expires < System.currentTimeMillis()) { refreshToken(); } diff --git a/authz/client/src/main/java/org/keycloak/authorization/client/util/TokenCallable.java b/authz/client/src/main/java/org/keycloak/authorization/client/util/TokenCallable.java index 383db674b4a..dca3d673b73 100644 --- a/authz/client/src/main/java/org/keycloak/authorization/client/util/TokenCallable.java +++ b/authz/client/src/main/java/org/keycloak/authorization/client/util/TokenCallable.java @@ -106,7 +106,7 @@ public class TokenCallable implements Callable { } public boolean isTokenTimeToLiveSufficient(AccessToken token) { - return token != null && (token.getExpiration() - getConfiguration().getTokenMinimumTimeToLive()) > Time.currentTime(); + return token != null && (token.getExp() - getConfiguration().getTokenMinimumTimeToLive()) > Time.currentTime(); } /** diff --git a/core/src/main/java/org/keycloak/protocol/oidc/client/authentication/JWTClientCredentialsProvider.java b/core/src/main/java/org/keycloak/protocol/oidc/client/authentication/JWTClientCredentialsProvider.java index d18c639c0cd..5d268be8acb 100644 --- a/core/src/main/java/org/keycloak/protocol/oidc/client/authentication/JWTClientCredentialsProvider.java +++ b/core/src/main/java/org/keycloak/protocol/oidc/client/authentication/JWTClientCredentialsProvider.java @@ -182,10 +182,10 @@ public class JWTClientCredentialsProvider implements ClientCredentialsProvider { reqToken.subject(clientId); reqToken.audience(realmInfoUrl); - int now = Time.currentTime(); - reqToken.issuedAt(now); - reqToken.expiration(now + this.tokenTimeout); - reqToken.notBefore(now); + long now = Time.currentTime(); + reqToken.iat(now); + reqToken.exp(now + this.tokenTimeout); + reqToken.nbf(now); return reqToken; } diff --git a/core/src/main/java/org/keycloak/protocol/oidc/client/authentication/JWTClientSecretCredentialsProvider.java b/core/src/main/java/org/keycloak/protocol/oidc/client/authentication/JWTClientSecretCredentialsProvider.java index 2764cb3761e..a53a6b543bf 100644 --- a/core/src/main/java/org/keycloak/protocol/oidc/client/authentication/JWTClientSecretCredentialsProvider.java +++ b/core/src/main/java/org/keycloak/protocol/oidc/client/authentication/JWTClientSecretCredentialsProvider.java @@ -131,11 +131,11 @@ public class JWTClientSecretCredentialsProvider implements ClientCredentialsProv reqToken.subject(clientId); reqToken.audience(realmInfoUrl); - int now = Time.currentTime(); - reqToken.issuedAt(now); + long now = Time.currentTime(); + reqToken.iat(now); // the same as in KEYCLOAK-2986, JWTClientCredentialsProvider's timeout field - reqToken.expiration(now + 10); - reqToken.notBefore(now); + reqToken.exp(now + 10); + reqToken.nbf(now); return reqToken; } diff --git a/core/src/main/java/org/keycloak/representations/AccessToken.java b/core/src/main/java/org/keycloak/representations/AccessToken.java index 0983b2ae1bd..d16b72443ed 100755 --- a/core/src/main/java/org/keycloak/representations/AccessToken.java +++ b/core/src/main/java/org/keycloak/representations/AccessToken.java @@ -205,22 +205,6 @@ public class AccessToken extends IDToken { return (AccessToken) super.id(id); } - @Override - public AccessToken expiration(int expiration) { - return (AccessToken) super.expiration(expiration); - } - - @Override - public AccessToken notBefore(int notBefore) { - return (AccessToken) super.notBefore(notBefore); - } - - - @Override - public AccessToken issuedAt(int issuedAt) { - return (AccessToken) super.issuedAt(issuedAt); - } - @Override public AccessToken issuer(String issuer) { return (AccessToken) super.issuer(issuer); diff --git a/core/src/main/java/org/keycloak/representations/IDToken.java b/core/src/main/java/org/keycloak/representations/IDToken.java index 858ef7a64d8..33c54b70ef3 100755 --- a/core/src/main/java/org/keycloak/representations/IDToken.java +++ b/core/src/main/java/org/keycloak/representations/IDToken.java @@ -154,27 +154,10 @@ public class IDToken extends JsonWebToken { return auth_time; } - /** - * @deprecated int will overflow with values after 2038. Use {@link #getAuth_time()} instead. - */ - @Deprecated - @JsonIgnore - public int getAuthTime() { - return auth_time != null ? auth_time.intValue() : 0; - } - public void setAuth_time(Long auth_time) { this.auth_time = auth_time; } - /** - * @deprecated int will overflow with values after 2038. Use {@link #setAuth_time(Long)} ()} instead. - */ - public void setAuthTime(int authTime) { - this.auth_time = Long.valueOf(authTime); - } - - public String getSessionId() { return sessionId; } diff --git a/core/src/main/java/org/keycloak/representations/JsonWebToken.java b/core/src/main/java/org/keycloak/representations/JsonWebToken.java index 0ed565171fd..a969273fde2 100755 --- a/core/src/main/java/org/keycloak/representations/JsonWebToken.java +++ b/core/src/main/java/org/keycloak/representations/JsonWebToken.java @@ -77,64 +77,28 @@ public class JsonWebToken implements Serializable, Token { return exp; } - /** - * @deprecated int will overflow with values after 2038. Use {@link #getExp()} instead. - */ - @Deprecated - @JsonIgnore - public int getExpiration() { - return exp != null ? exp.intValue() : 0; - } - public JsonWebToken exp(Long exp) { this.exp = exp; return this; } - /** - * @deprecated int will overflow with values after 2038. Use {@link #exp(Long)} instead. - */ - public JsonWebToken expiration(int expiration) { - this.exp = Long.valueOf(expiration); - return this; - } - @JsonIgnore public boolean isExpired() { - return exp != null && exp != 0 ? Time.currentTime() > exp : false; + return exp != null && exp != 0 && Time.currentTime() > exp; } public Long getNbf() { return nbf; } - /** - * @deprecated int will overflow with values after 2038. Use {@link #getNbf()} instead. - */ - @Deprecated - @JsonIgnore - public int getNotBefore() { - return nbf != null ? nbf.intValue() : 0; - } - public JsonWebToken nbf(Long nbf) { this.nbf = nbf; return this; } - /** - * @deprecated int will overflow with values after 2038. Use {@link #nbf(Long)} instead. - */ - @Deprecated @JsonIgnore - public JsonWebToken notBefore(int notBefore) { - this.nbf = Long.valueOf(notBefore); - return this; - } - - @JsonIgnore - public boolean isNotBefore(int allowedTimeSkew) { - return nbf != null ? Time.currentTime() + allowedTimeSkew >= nbf : true; + public boolean isNotBefore(long allowedTimeSkew) { + return nbf == null || Time.currentTime() + allowedTimeSkew >= nbf; } /** @@ -165,21 +129,12 @@ public class JsonWebToken implements Serializable, Token { return iat; } - /** - * @deprecated int will overflow with values after 2038. Use {@link #getIat()} instead. - */ - @Deprecated - @JsonIgnore - public int getIssuedAt() { - return iat != null ? iat.intValue() : 0; - } - /** * Set issuedAt to the current time */ @JsonIgnore public JsonWebToken issuedNow() { - iat = Long.valueOf(Time.currentTime()); + iat = (long) Time.currentTime(); return this; } @@ -188,17 +143,6 @@ public class JsonWebToken implements Serializable, Token { return this; } - /** - * @deprecated int will overflow with values after 2038. Use {@link #iat(Long)} ()} instead. - */ - @Deprecated - @JsonIgnore - public JsonWebToken issuedAt(int issuedAt) { - this.iat = Long.valueOf(issuedAt); - return this; - } - - public String getIssuer() { return issuer; } diff --git a/core/src/main/java/org/keycloak/representations/docker/DockerResponseToken.java b/core/src/main/java/org/keycloak/representations/docker/DockerResponseToken.java index faee452c5b9..fe02a6459ce 100644 --- a/core/src/main/java/org/keycloak/representations/docker/DockerResponseToken.java +++ b/core/src/main/java/org/keycloak/representations/docker/DockerResponseToken.java @@ -42,14 +42,14 @@ public class DockerResponseToken extends JsonWebToken { } @Override - public DockerResponseToken expiration(final int expiration) { - super.expiration(expiration); + public DockerResponseToken exp(final Long expiration) { + super.exp(expiration); return this; } @Override - public DockerResponseToken notBefore(final int notBefore) { - super.notBefore(notBefore); + public DockerResponseToken nbf(final Long notBefore) { + super.nbf(notBefore); return this; } @@ -60,8 +60,8 @@ public class DockerResponseToken extends JsonWebToken { } @Override - public DockerResponseToken issuedAt(final int issuedAt) { - super.issuedAt(issuedAt); + public DockerResponseToken iat(final Long issuedAt) { + super.iat(issuedAt); return this; } diff --git a/core/src/main/java/org/keycloak/representations/idm/authorization/PermissionTicketToken.java b/core/src/main/java/org/keycloak/representations/idm/authorization/PermissionTicketToken.java index b1cdafa1df3..9f2fa5a81af 100644 --- a/core/src/main/java/org/keycloak/representations/idm/authorization/PermissionTicketToken.java +++ b/core/src/main/java/org/keycloak/representations/idm/authorization/PermissionTicketToken.java @@ -44,9 +44,9 @@ public class PermissionTicketToken extends JsonWebToken { if (accessToken != null) { id(TokenIdGenerator.generateId()); subject(accessToken.getSubject()); - expiration(accessToken.getExpiration()); - notBefore(accessToken.getNotBefore()); - issuedAt(accessToken.getIssuedAt()); + this.exp(accessToken.getExp()); + this.nbf(accessToken.getNbf()); + iat(accessToken.getIat()); issuedFor(accessToken.getIssuedFor()); } if (audience != null) { diff --git a/core/src/test/java/org/keycloak/RSAVerifierTest.java b/core/src/test/java/org/keycloak/RSAVerifierTest.java index f930f0d2fc6..36edacbbfe9 100755 --- a/core/src/test/java/org/keycloak/RSAVerifierTest.java +++ b/core/src/test/java/org/keycloak/RSAVerifierTest.java @@ -120,7 +120,7 @@ public abstract class RSAVerifierTest { @Test public void testNotBeforeGood() throws Exception { - token.notBefore(Time.currentTime() - 100); + token.nbf(Time.currentTime() - 100L); String encoded = new JWSBuilder() .jsonContent(token) @@ -136,7 +136,7 @@ public abstract class RSAVerifierTest { @Test public void testNotBeforeBad() { - token.notBefore(Time.currentTime() + 100); + token.nbf(Time.currentTime() + 100L); String encoded = new JWSBuilder() .jsonContent(token) @@ -153,7 +153,7 @@ public abstract class RSAVerifierTest { @Test public void testExpirationGood() throws Exception { - token.expiration(Time.currentTime() + 100); + token.exp(Time.currentTime() + 100L); String encoded = new JWSBuilder() .jsonContent(token) @@ -169,7 +169,7 @@ public abstract class RSAVerifierTest { @Test public void testExpirationBad() { - token.expiration(Time.currentTime() - 100); + token.exp(Time.currentTime() - 100L); String encoded = new JWSBuilder() .jsonContent(token) diff --git a/core/src/test/java/org/keycloak/jose/JsonWebTokenTest.java b/core/src/test/java/org/keycloak/jose/JsonWebTokenTest.java index cae36c518de..26c00bd0aa9 100644 --- a/core/src/test/java/org/keycloak/jose/JsonWebTokenTest.java +++ b/core/src/test/java/org/keycloak/jose/JsonWebTokenTest.java @@ -82,37 +82,37 @@ public class JsonWebTokenTest { @Test public void isActiveReturnFalseWhenBeforeTimeInFuture() { - int currentTime = Time.currentTime(); - int futureTime = currentTime + 10; + long currentTime = Time.currentTime(); + long futureTime = currentTime + 10; JsonWebToken jsonWebToken = new JsonWebToken(); - jsonWebToken.notBefore(futureTime); + jsonWebToken.nbf(futureTime); assertFalse(jsonWebToken.isActive()); } @Test public void isActiveReturnTrueWhenBeforeTimeInPast() { - int currentTime = Time.currentTime(); - int pastTime = currentTime - 10; + long currentTime = Time.currentTime(); + long pastTime = currentTime - 10; JsonWebToken jsonWebToken = new JsonWebToken(); - jsonWebToken.notBefore(pastTime); + jsonWebToken.nbf(pastTime); assertTrue(jsonWebToken.isActive()); } @Test public void isActiveShouldReturnTrueWhenBeforeTimeInFutureWithinTimeSkew() { - int notBeforeTime = Time.currentTime() + 5; + long notBeforeTime = Time.currentTime() + 5; int allowedClockSkew = 10; JsonWebToken jsonWebToken = new JsonWebToken(); - jsonWebToken.notBefore(notBeforeTime); + jsonWebToken.nbf(notBeforeTime); assertTrue(jsonWebToken.isActive(allowedClockSkew)); } @Test public void isActiveShouldReturnFalseWhenWhenBeforeTimeInFutureOutsideTimeSkew() { - int notBeforeTime = Time.currentTime() + 10; + long notBeforeTime = Time.currentTime() + 10; int allowedClockSkew = 5; JsonWebToken jsonWebToken = new JsonWebToken(); - jsonWebToken.notBefore(notBeforeTime); + jsonWebToken.nbf(notBeforeTime); assertFalse(jsonWebToken.isActive(allowedClockSkew)); } diff --git a/docs/documentation/release_notes/topics/25_0_0.adoc b/docs/documentation/release_notes/topics/25_0_0.adoc index 36632fb7025..e6d8a015067 100644 --- a/docs/documentation/release_notes/topics/25_0_0.adoc +++ b/docs/documentation/release_notes/topics/25_0_0.adoc @@ -130,4 +130,21 @@ For more details, see the link:{upgradingguide_link}[{upgradingguide_name}]. It is now possible to specify the `cache`, `cache-stack`, and `cache-config-file` options during runtime. This eliminates the need to execute the build phase and rebuild your image due to them. +For more details, see the link:{upgradingguide_link}[{upgradingguide_name}]. + += Removing deprecated methods from `AccessToken`, `IDToken`, and `JsonWebToken` classes + +In this release, we are finally removing deprecated methods from the following classes: + +* `AccessToken` +* `IDToken` +* `JsonWebToken` + +For more details, see the link:{upgradingguide_link}[{upgradingguide_name}]. + += Method `getExp` added to `SingleUseObjectKeyModel` + +As a consequence of the removal of deprecated methods from `AccessToken`, `IDToken`, and `JsonWebToken`, +the `SingleUseObjectKeyModel` also changed to keep consistency with the method names related to expiration values. + For more details, see the link:{upgradingguide_link}[{upgradingguide_name}]. \ No newline at end of file diff --git a/docs/documentation/upgrading/topics/changes/changes-25_0_0.adoc b/docs/documentation/upgrading/topics/changes/changes-25_0_0.adoc index 36bd03269ea..5503ef3ecbf 100644 --- a/docs/documentation/upgrading/topics/changes/changes-25_0_0.adoc +++ b/docs/documentation/upgrading/topics/changes/changes-25_0_0.adoc @@ -268,4 +268,36 @@ The new indexes are both applied to the `RESOURCE_SERVER_PERM_TICKET` table. If {project_name} will skip the creation of the indexes by default during the automatic schema migration, and will instead log the SQL statements on the console during migration. In this case, the statements must be run manually in the DB after {project_name}'s startup. -See the link:{upgradingguide_link}[{upgradingguide_name}] for details on how to configure a different limit. \ No newline at end of file +See the link:{upgradingguide_link}[{upgradingguide_name}] for details on how to configure a different limit. + += Removing deprecated methods from `AccessToken`, `IDToken`, and `JsonWebToken` classes + +The following methods were removed from the `AccessToken` class: + +* `expiration`. Use the `exp` method instead. +* `notBefore`. Use the `nbf` method instead. +* `issuedAt`. Use the `iat` method instead. + +The following methods were removed from the `IDToken` class: + +* `getAuthTime` and `setAuthTime`. Use the `getAuth_time` and `setAuth_time` methods, respectively. +* `notBefore`. Use the `nbf` method instead. +* `issuedAt`. Use the `iat` method instead. +* `setSessionState`. Use the `setSessionId` method instead (See the details above in the section about `session_state` claim) + +The following methods were removed from the `JsonWebToken` class: + +* `expiration`. Use the `exp` method instead. +* `notBefore`. Use the `nbf` method instead. +* `issuedAt`. Use the `iat` method instead. + +You should also expect both `exp` and `nbf` claims not set in tokens as they are optional. Previously, these claims were +being set with a value of `0` what does not make mush sense because their value should be a valid `NumericDate`. + += Method `getExp` added to `SingleUseObjectKeyModel` + +As a consequence of the removal of deprecated methods from `AccessToken`, `IDToken`, and `JsonWebToken`, +the `SingleUseObjectKeyModel` also changed to keep consistency with the method names related to expiration values. + +The previous `getExpiration` method is now deprecated and you should prefer using new newly introduced `getExp` method +to avoid overflow after 2038. \ No newline at end of file diff --git a/integration/client-cli/admin-cli/src/main/java/org/keycloak/client/cli/util/AuthUtil.java b/integration/client-cli/admin-cli/src/main/java/org/keycloak/client/cli/util/AuthUtil.java index ea0b6eec33c..f5a777aeb98 100644 --- a/integration/client-cli/admin-cli/src/main/java/org/keycloak/client/cli/util/AuthUtil.java +++ b/integration/client-cli/admin-cli/src/main/java/org/keycloak/client/cli/util/AuthUtil.java @@ -200,10 +200,10 @@ public class AuthUtil { reqToken.subject(clientId); reqToken.audience(realmInfoUrl); - int now = Time.currentTime(); - reqToken.issuedAt(now); - reqToken.expiration(now + sigLifetime); - reqToken.notBefore(now); + long now = Time.currentTime(); + reqToken.iat(now); + reqToken.exp(now + sigLifetime); + reqToken.nbf(now); String signedRequestToken = new JWSBuilder() .jsonContent(reqToken) diff --git a/server-spi/src/main/java/org/keycloak/models/SingleUseObjectKeyModel.java b/server-spi/src/main/java/org/keycloak/models/SingleUseObjectKeyModel.java index c297aa7183b..1e7d3532b17 100644 --- a/server-spi/src/main/java/org/keycloak/models/SingleUseObjectKeyModel.java +++ b/server-spi/src/main/java/org/keycloak/models/SingleUseObjectKeyModel.java @@ -39,7 +39,15 @@ public interface SingleUseObjectKeyModel { /** * Returns absolute number of seconds since the epoch in UTC timezone when the token expires. */ - int getExpiration(); + Long getExp(); + + /** + * @deprecated int will overflow with values after 2038. Use {@link #getExp()} instead. + */ + @Deprecated + default int getExpiration() { + return getExp().intValue(); + } /** * @return Single-use random value used for verification whether the relevant action is allowed. @@ -49,6 +57,6 @@ public interface SingleUseObjectKeyModel { default String serializeKey() { String userId = getUserId(); String encodedUserId = userId == null ? "" : Base64.encodeBytes(userId.getBytes(StandardCharsets.UTF_8)); - return String.format("%s.%d.%s.%s", encodedUserId, getExpiration(), getActionVerificationNonce(), getActionId()); + return String.format("%s.%d.%s.%s", encodedUserId, getExp(), getActionVerificationNonce(), getActionId()); } } diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/DefaultActionToken.java b/services/src/main/java/org/keycloak/authentication/actiontoken/DefaultActionToken.java index 8726a427eb5..fd37b9bca4b 100644 --- a/services/src/main/java/org/keycloak/authentication/actiontoken/DefaultActionToken.java +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/DefaultActionToken.java @@ -158,7 +158,7 @@ public class DefaultActionToken extends DefaultActionTokenKey implements SingleU String issuerUri = getIssuer(realm, uri); this - .issuedAt(Time.currentTime()) + .issuedNow() .id(getActionVerificationNonce().toString()) .issuer(issuerUri) .audience(issuerUri); diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientValidator.java b/services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientValidator.java index 8c4d5487f75..94542ee0ecc 100644 --- a/services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientValidator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientValidator.java @@ -19,6 +19,8 @@ package org.keycloak.authentication.authenticators.client; +import java.util.Optional; + import jakarta.ws.rs.core.MediaType; import jakarta.ws.rs.core.MultivaluedMap; import jakarta.ws.rs.core.Response; @@ -166,7 +168,7 @@ public class JWTClientValidator { } // KEYCLOAK-2986, token-timeout or token-expiration in keycloak.json might not be used - if (token.getExpiration() == 0 && token.getIssuedAt() + 10 < currentTime) { + if ((token.getExp() == null || token.getExp() <= 0) && token.getIat() + 10 < currentTime) { throw new RuntimeException("Token is not active"); } @@ -180,7 +182,7 @@ public class JWTClientValidator { if (client == null) throw new IllegalStateException("Incorrect usage. Variable 'client' is null. Need to validate client first before validateToken reuse"); SingleUseObjectProvider singleUseCache = context.getSession().singleUseObjects(); - int lifespanInSecs = Math.max(token.getExpiration() - currentTime, 10); + long lifespanInSecs = Math.max(Optional.ofNullable(token.getExp()).orElse(0L) - currentTime, 10); if (singleUseCache.putIfAbsent(token.getId(), lifespanInSecs)) { logger.tracef("Added token '%s' to single-use cache. Lifespan: %d seconds, client: %s", token.getId(), lifespanInSecs, client.getClientId()); diff --git a/services/src/main/java/org/keycloak/authorization/protection/introspect/RPTIntrospectionProvider.java b/services/src/main/java/org/keycloak/authorization/protection/introspect/RPTIntrospectionProvider.java index 34fafc15b3b..e0b1cae3712 100644 --- a/services/src/main/java/org/keycloak/authorization/protection/introspect/RPTIntrospectionProvider.java +++ b/services/src/main/java/org/keycloak/authorization/protection/introspect/RPTIntrospectionProvider.java @@ -64,10 +64,10 @@ public class RPTIntrospectionProvider extends AccessTokenIntrospectionProvider { metadata.id(accessToken.getId()); metadata.setAcr(accessToken.getAcr()); metadata.type(accessToken.getType()); - metadata.expiration(accessToken.getExpiration()); - metadata.issuedAt(accessToken.getIssuedAt()); + metadata.exp(accessToken.getExp()); + metadata.iat(accessToken.getIat()); metadata.audience(accessToken.getAudience()); - metadata.notBefore(accessToken.getNotBefore()); + metadata.nbf(accessToken.getNbf()); metadata.setRealmAccess(null); metadata.setResourceAccess(null); diff --git a/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java b/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java index 4efbcb4d257..1ac07b445e8 100755 --- a/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java +++ b/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java @@ -458,8 +458,8 @@ public abstract class AbstractOAuth2IdentityProvider 0? Math.min(expiration, sessionExpires) : expiration; - return (int) TimeUnit.MILLISECONDS.toSeconds(expiration); + return TimeUnit.MILLISECONDS.toSeconds(expiration); } @@ -1131,15 +1129,15 @@ public class TokenManager { } refreshToken.type(TokenUtil.TOKEN_TYPE_OFFLINE); if (realm.isOfflineSessionMaxLifespanEnabled()) { - refreshToken.expiration(getExpiration(true)); + refreshToken.exp(getExpiration(true)); } sessionManager.createOrUpdateOfflineSession(clientSessionCtx.getClientSession(), userSession); } else { - refreshToken.expiration(getExpiration(false)); + refreshToken.exp(getExpiration(false)); } } - private int getExpiration(boolean offline) { + private Long getExpiration(boolean offline) { long expiration = SessionExpirationUtils.calculateClientSessionIdleTimestamp( offline, userSession.isRememberMe(), TimeUnit.SECONDS.toMillis(clientSessionCtx.getClientSession().getTimestamp()), @@ -1151,7 +1149,7 @@ public class TokenManager { realm, client); expiration = lifespan > 0? Math.min(expiration, lifespan) : expiration; - return (int) TimeUnit.MILLISECONDS.toSeconds(expiration); + return TimeUnit.MILLISECONDS.toSeconds(expiration); } public AccessTokenResponseBuilder generateIDToken() { @@ -1172,7 +1170,7 @@ public class TokenManager { idToken.issuer(accessToken.getIssuer()); idToken.setNonce(clientSessionCtx.getAttribute(OIDCLoginProtocol.NONCE_PARAM, String.class)); idToken.setSessionId(accessToken.getSessionId()); - idToken.expiration(accessToken.getExpiration()); + idToken.exp(accessToken.getExp()); // Protocol mapper is supposed to set this in case "step_up_authentication" feature enabled if (!Profile.isFeatureEnabled(Profile.Feature.STEP_UP_AUTHENTICATION)) { @@ -1229,8 +1227,8 @@ public class TokenManager { res.setToken(encodedToken); res.setTokenType(responseTokenType); res.setSessionState(accessToken.getSessionState()); - if (accessToken.getExpiration() != 0) { - res.setExpiresIn(accessToken.getExpiration() - Time.currentTime()); + if (accessToken.getExp() != 0) { + res.setExpiresIn(accessToken.getExp() - Time.currentTime()); } } @@ -1253,8 +1251,9 @@ public class TokenManager { if (refreshToken != null) { String encodedToken = session.tokens().encode(refreshToken); res.setRefreshToken(encodedToken); - if (refreshToken.getExpiration() != 0) { - res.setRefreshExpiresIn(refreshToken.getExpiration() - Time.currentTime()); + Long exp = refreshToken.getExp(); + if (exp != null && exp > 0) { + res.setRefreshExpiresIn(exp - Time.currentTime()); } } @@ -1309,7 +1308,7 @@ public class TokenManager { @Override public boolean test(JsonWebToken t) throws VerificationException { - if (t.getIssuedAt() < notBefore) { + if (t.getIat() < notBefore) { throw new VerificationException("Stale token"); } @@ -1367,7 +1366,7 @@ public class TokenManager { } LogoutToken logoutToken = logoutTokenOptional.get(); - List identityProviders = getOIDCIdentityProviders(realm, session).collect(Collectors.toList()); + List identityProviders = getOIDCIdentityProviders(realm, session).toList(); if (identityProviders.isEmpty()) { return LogoutTokenValidationCode.COULD_NOT_FIND_IDP; } diff --git a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java index 44fd9defc5f..88b5d06dde7 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java @@ -524,7 +524,7 @@ public class LogoutEndpoint { } if (userSessionModel != null) { - checkTokenIssuedAt(token.getIssuedAt(), userSessionModel); + checkTokenIssuedAt(token.getIat(), userSessionModel); logout(userSessionModel, offline); } } catch (OAuthErrorException e) { @@ -727,7 +727,7 @@ public class LogoutEndpoint { } } - private void checkTokenIssuedAt(int idTokenIssuedAt, UserSessionModel userSession) throws OAuthErrorException { + private void checkTokenIssuedAt(long idTokenIssuedAt, UserSessionModel userSession) throws OAuthErrorException { if (idTokenIssuedAt + 1 < userSession.getStarted()) { throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Toked issued before the user session started"); } diff --git a/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationTokenUtils.java b/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationTokenUtils.java index c10df835bf6..78e93d3d0bd 100755 --- a/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationTokenUtils.java +++ b/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationTokenUtils.java @@ -56,8 +56,7 @@ public class ClientRegistrationTokenUtils { regToken.type(auth.getJwt().getType()); regToken.id(auth.getJwt().getId()); - regToken.issuedAt(Time.currentTime()); - regToken.expiration(0); + regToken.issuedNow(); regToken.issuer(auth.getJwt().getIssuer()); regToken.audience(auth.getJwt().getIssuer()); @@ -117,13 +116,13 @@ public class ClientRegistrationTokenUtils { return TokenVerification.success(kid, jwt); } - private static String setupToken(JsonWebToken jwt, KeycloakSession session, RealmModel realm, String id, String type, int expiration) { + private static String setupToken(JsonWebToken jwt, KeycloakSession session, RealmModel realm, String id, String type, long expiration) { String issuer = getIssuer(session, realm); jwt.type(type); jwt.id(id); - jwt.issuedAt(Time.currentTime()); - jwt.expiration(expiration); + jwt.issuedNow(); + jwt.exp(expiration); jwt.issuer(issuer); jwt.audience(issuer); diff --git a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java index 3bae5fd521a..ee555c59882 100755 --- a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java +++ b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java @@ -759,9 +759,9 @@ public class AuthenticationManager { } if (session != null && session.isRememberMe() && realm.getSsoSessionMaxLifespanRememberMe() > 0) { - token.expiration(Time.currentTime() + realm.getSsoSessionMaxLifespanRememberMe()); + token.exp((long) Time.currentTime() + realm.getSsoSessionMaxLifespanRememberMe()); } else if (realm.getSsoSessionMaxLifespan() > 0) { - token.expiration(Time.currentTime() + realm.getSsoSessionMaxLifespan()); + token.exp((long) Time.currentTime() + realm.getSsoSessionMaxLifespan()); } String stateChecker = (String) keycloakSession.getAttribute("state_checker"); @@ -999,7 +999,7 @@ public class AuthenticationManager { SingleUseObjectKeyModel actionTokenKey = DefaultActionTokenKey.from(actionTokenKeyToInvalidate); if (actionTokenKey != null) { SingleUseObjectProvider singleUseObjectProvider = session.singleUseObjects(); - singleUseObjectProvider.put(actionTokenKeyToInvalidate, actionTokenKey.getExpiration() - Time.currentTime(), null); // Token is invalidated + singleUseObjectProvider.put(actionTokenKeyToInvalidate, actionTokenKey.getExp() - Time.currentTime(), null); // Token is invalidated } } @@ -1400,8 +1400,8 @@ public class AuthenticationManager { AccessToken token = verifier.verify().getToken(); if (checkActive) { - if (!token.isActive() || token.getIssuedAt() < realm.getNotBefore()) { - logger.debugf("Identity cookie expired. Token expiration: %d, Current Time: %d. token issued at: %d, realm not before: %d", token.getExp(), Time.currentTime(), token.getIssuedAt(), realm.getNotBefore()); + if (!token.isActive() || token.getIat() < realm.getNotBefore()) { + logger.debugf("Identity cookie expired. Token expiration: %d, Current Time: %d. token issued at: %d, realm not before: %d", token.getExp(), Time.currentTime(), token.getIat(), realm.getNotBefore()); return null; } } @@ -1467,7 +1467,7 @@ public class AuthenticationManager { return false; } - if (token.getIssuedAt() < client.getNotBefore()) { + if (token.getIat() < client.getNotBefore()) { logger.debug("Client notBefore newer than token"); return false; } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/DemoServletsAdapterTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/DemoServletsAdapterTest.java index 806fe687eef..01d2742f2e9 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/DemoServletsAdapterTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/DemoServletsAdapterTest.java @@ -755,13 +755,13 @@ public class DemoServletsAdapterTest extends AbstractServletsAdapterTest { // Get time of token AccessToken token = tokenMinTTLPage.getAccessToken(); - int tokenIssued1 = token.getIssuedAt(); + long tokenIssued1 = token.getIat(); // Sets 5 minutes offset and assert access token will be still the same setAdapterAndServerTimeOffset(300, tokenMinTTLPage.toString()); tokenMinTTLPage.navigateTo(); token = tokenMinTTLPage.getAccessToken(); - int tokenIssued2 = token.getIssuedAt(); + long tokenIssued2 = token.getIat(); Assert.assertEquals(tokenIssued1, tokenIssued2); assertFalse(token.isExpired()); @@ -769,7 +769,7 @@ public class DemoServletsAdapterTest extends AbstractServletsAdapterTest { setAdapterAndServerTimeOffset(540, tokenMinTTLPage.toString()); tokenMinTTLPage.navigateTo(); token = tokenMinTTLPage.getAccessToken(); - int tokenIssued3 = token.getIssuedAt(); + long tokenIssued3 = token.getIat(); Assert.assertTrue(tokenIssued3 > tokenIssued1); // Revert times @@ -853,8 +853,8 @@ public class DemoServletsAdapterTest extends AbstractServletsAdapterTest { testRealmLoginPage.form().setPassword("password"); testRealmLoginPage.form().login(); AccessToken token = tokenMinTTLPage.getAccessToken(); - int authTime = token.getAuthTime(); - assertThat(authTime, is(greaterThanOrEqualTo(currentTime + 10))); + long authTime = token.getAuth_time(); + assertThat(authTime, is(greaterThanOrEqualTo(currentTime + 10L))); } finally { setAdapterAndServerTimeOffset(0, securePortal.toString()); } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java index 0f1d33fd109..9070c62ae16 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java @@ -2381,7 +2381,7 @@ public class UserTest extends AbstractAdminTest { try { final AccessToken accessToken = TokenVerifier.create(token, AccessToken.class).getToken(); - assertEquals(lifespan, accessToken.getExpiration() - accessToken.getIssuedAt()); + assertEquals(lifespan, accessToken.getExp() - accessToken.getIat()); } catch (VerificationException e) { throw new IOException(e); } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerTransientSessionsTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerTransientSessionsTest.java index bf18c73ac32..2159ba2157d 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerTransientSessionsTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerTransientSessionsTest.java @@ -87,6 +87,7 @@ import static org.hamcrest.Matchers.not; import static org.hamcrest.Matchers.notNullValue; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNull; import static org.junit.Assert.assertTrue; import static org.keycloak.testsuite.broker.BrokerTestConstants.REALM_CONS_NAME; import static org.keycloak.testsuite.broker.BrokerTestConstants.REALM_PROV_NAME; @@ -614,7 +615,7 @@ public final class KcOidcBrokerTransientSessionsTest extends AbstractAdvancedBro .assertEvent(); assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType()); - assertEquals(0, offlineToken.getExpiration()); + assertNull(offlineToken.getExp()); assertTrue(tokenResponse.getScope().contains(OAuth2Constants.OFFLINE_ACCESS)); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCPairwiseClientRegistrationTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCPairwiseClientRegistrationTest.java index f12ca3813f7..59fd747fd01 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCPairwiseClientRegistrationTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCPairwiseClientRegistrationTest.java @@ -397,11 +397,11 @@ public class OIDCPairwiseClientRegistrationTest extends AbstractClientRegistrati Assert.assertEquals(idToken.getSubject(), refreshedRefreshToken.getSubject()); // its iat Claim MUST represent the time that the new ID Token is issued - Assert.assertEquals(refreshedIdToken.getIssuedAt(), refreshedRefreshToken.getIssuedAt()); + Assert.assertEquals(refreshedIdToken.getIat(), refreshedRefreshToken.getIat()); // if the ID Token contains an auth_time Claim, its value MUST represent the time of the original authentication // - not the time that the new ID token is issued - Assert.assertEquals(idToken.getAuthTime(), refreshedIdToken.getAuthTime()); + Assert.assertEquals(idToken.getAuth_time(), refreshedIdToken.getAuth_time()); // its azp Claim Value MUST be the same as in the ID Token issued when the original authentication occurred; if // no azp Claim was present in the original ID Token, one MUST NOT be present in the new ID Token diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/storage/ClientStorageTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/storage/ClientStorageTest.java index 775342caf9f..82bdc51f53f 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/storage/ClientStorageTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/storage/ClientStorageTest.java @@ -478,7 +478,7 @@ public class ClientStorageTest extends AbstractTestRealmKeycloakTest { .assertEvent(); Assert.assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType()); - Assert.assertEquals(0, offlineToken.getExpiration()); + Assert.assertNull(offlineToken.getExp()); testRefreshWithOfflineToken(token, offlineToken, offlineTokenString, token.getSessionState(), userId); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/migration/AbstractMigrationTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/migration/AbstractMigrationTest.java index 2c6376ba443..b5eda3ec140 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/migration/AbstractMigrationTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/migration/AbstractMigrationTest.java @@ -856,7 +856,7 @@ public abstract class AbstractMigrationTest extends AbstractKeycloakTest { private void assertOfflineToken(String offlineToken) { RefreshToken offlineTokenParsed = oauth.parseRefreshToken(offlineToken); assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineTokenParsed.getType()); - assertEquals(0, offlineTokenParsed.getExpiration()); + assertNull(offlineTokenParsed.getExp()); assertTrue(TokenUtil.hasScope(offlineTokenParsed.getScope(), OAuth2Constants.OFFLINE_ACCESS)); } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AbstractClientAuthSignedJWTTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AbstractClientAuthSignedJWTTest.java index 00fbeb7a020..8d21eaa075f 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AbstractClientAuthSignedJWTTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AbstractClientAuthSignedJWTTest.java @@ -86,7 +86,6 @@ import org.keycloak.common.util.KeystoreUtil.KeystoreFormat; import org.keycloak.constants.ServiceUrlConstants; import org.keycloak.crypto.Algorithm; import org.keycloak.crypto.ECDSAAlgorithm; -import org.keycloak.crypto.ECDSASignatureProvider; import org.keycloak.crypto.KeyType; import org.keycloak.crypto.SignatureSignerContext; import org.keycloak.events.Details; @@ -806,10 +805,10 @@ public abstract class AbstractClientAuthSignedJWTTest extends AbstractKeycloakTe if (isClaimEnabled("subject")) reqToken.subject(clientId); if (isClaimEnabled("audience")) reqToken.audience(realmInfoUrl); - int now = Time.currentTime(); - if (isClaimEnabled("issuedAt")) reqToken.issuedAt(now); - if (isClaimEnabled("expiration")) reqToken.expiration(now + getTokenTimeout()); - if (isClaimEnabled("notBefore")) reqToken.notBefore(now); + long now = Time.currentTime(); + if (isClaimEnabled("issuedAt")) reqToken.iat(now); + if (isClaimEnabled("expiration")) reqToken.exp(now + getTokenTimeout()); + if (isClaimEnabled("notBefore")) reqToken.nbf(now); return reqToken; } @@ -934,10 +933,10 @@ public abstract class AbstractClientAuthSignedJWTTest extends AbstractKeycloakTe reqToken.subject(clientId); reqToken.audience(realmInfoUrl); - int now = Time.currentTime(); - reqToken.issuedAt(now); - reqToken.expiration(now + 10); - reqToken.notBefore(now); + long now = Time.currentTime(); + reqToken.iat(now); + reqToken.exp(now + 10); + reqToken.nbf(now); return reqToken; } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java index 3e30a3aa2a0..d163bf9517c 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java @@ -235,13 +235,10 @@ public class AccessTokenTest extends AbstractKeycloakTest { assertEquals(sessionId, sid); assertNull(token.getNbf()); - assertEquals(0, token.getNotBefore()); assertNotNull(token.getIat()); - assertEquals(token.getIat().intValue(), token.getIssuedAt()); assertNotNull(token.getExp()); - assertEquals(token.getExp().intValue(), token.getExpiration()); assertEquals(1, token.getRealmAccess().getRoles().size()); assertTrue(token.getRealmAccess().isUserInRole("user")); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OAuthProofKeyForCodeExchangeTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OAuthProofKeyForCodeExchangeTest.java index 5a94dcddd21..5ca3e2a6017 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OAuthProofKeyForCodeExchangeTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OAuthProofKeyForCodeExchangeTest.java @@ -493,9 +493,9 @@ public class OAuthProofKeyForCodeExchangeTest extends AbstractKeycloakTest { RefreshToken refreshToken = oauth.parseRefreshToken(refreshTokenString); Assert.assertNotNull(refreshTokenString); - assertThat(token.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(200), lessThanOrEqualTo(350))); - int actual = refreshToken.getExpiration() - getCurrentTime(); - assertThat(actual, allOf(greaterThanOrEqualTo(1799 - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800 + RefreshTokenTest.ALLOWED_CLOCK_SKEW))); + assertThat(token.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(200L), lessThanOrEqualTo(350L))); + long actual = refreshToken.getExp() - getCurrentTime(); + assertThat(actual, allOf(greaterThanOrEqualTo(1799L - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800L + RefreshTokenTest.ALLOWED_CLOCK_SKEW))); assertEquals(sessionId, refreshToken.getSessionState()); setTimeOffset(2); @@ -510,10 +510,10 @@ public class OAuthProofKeyForCodeExchangeTest extends AbstractKeycloakTest { assertEquals(sessionId, refreshedRefreshToken.getSessionState()); assertThat(refreshResponse.getExpiresIn(), allOf(greaterThanOrEqualTo(250), lessThanOrEqualTo(300))); - assertThat(refreshedToken.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(250 - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(300 + RefreshTokenTest.ALLOWED_CLOCK_SKEW))); + assertThat(refreshedToken.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(250L - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(300L + RefreshTokenTest.ALLOWED_CLOCK_SKEW))); - assertThat(refreshedToken.getExpiration() - token.getExpiration(), allOf(greaterThanOrEqualTo(1), lessThanOrEqualTo(10))); - assertThat(refreshedRefreshToken.getExpiration() - refreshToken.getExpiration(), allOf(greaterThanOrEqualTo(1), lessThanOrEqualTo(10))); + assertThat(refreshedToken.getExp() - token.getExp(), allOf(greaterThanOrEqualTo(1L), lessThanOrEqualTo(10L))); + assertThat(refreshedRefreshToken.getExp() - refreshToken.getExp(), allOf(greaterThanOrEqualTo(1L), lessThanOrEqualTo(10L))); Assert.assertNotEquals(token.getId(), refreshedToken.getId()); Assert.assertNotEquals(refreshToken.getId(), refreshedRefreshToken.getId()); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OfflineTokenTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OfflineTokenTest.java index a58af41d0fc..42ace9c1c51 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OfflineTokenTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OfflineTokenTest.java @@ -256,7 +256,7 @@ public class OfflineTokenTest extends AbstractKeycloakTest { .assertEvent(); assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType()); - assertEquals(0, offlineToken.getExpiration()); + Assert.assertNull(offlineToken.getExp()); assertTrue(tokenResponse.getScope().contains(OAuth2Constants.OFFLINE_ACCESS)); @@ -356,7 +356,7 @@ public class OfflineTokenTest extends AbstractKeycloakTest { .assertEvent(); Assert.assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType()); - Assert.assertEquals(0, offlineToken.getExpiration()); + Assert.assertNull(offlineToken.getExp()); testRefreshWithOfflineToken(token, offlineToken, offlineTokenString, token.getSessionState(), userId); @@ -391,7 +391,7 @@ public class OfflineTokenTest extends AbstractKeycloakTest { .assertEvent(); Assert.assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType()); - Assert.assertEquals(0, offlineToken.getExpiration()); + Assert.assertNull(offlineToken.getExp()); String offlineTokenString2 = testRefreshWithOfflineToken(token, offlineToken, offlineTokenString, token.getSessionState(), userId); RefreshToken offlineToken2 = oauth.parseRefreshToken(offlineTokenString2); @@ -440,7 +440,7 @@ public class OfflineTokenTest extends AbstractKeycloakTest { .assertEvent(); Assert.assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType()); - Assert.assertEquals(0, offlineToken.getExpiration()); + Assert.assertNull(offlineToken.getExp()); testRefreshWithOfflineToken(token, offlineToken, offlineTokenString, token.getSessionState(), serviceAccountUserId); @@ -677,7 +677,7 @@ public class OfflineTokenTest extends AbstractKeycloakTest { .assertEvent(); assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType()); - assertEquals(0, offlineToken.getExpiration()); + assertNull(offlineToken.getExp()); String offlineUserSessionId = testingClient.server().fetch((KeycloakSession session) -> session.sessions().getOfflineUserSession(session.realms().getRealmByName("test"), offlineToken.getSessionState()).getId(), String.class); @@ -714,7 +714,7 @@ public class OfflineTokenTest extends AbstractKeycloakTest { .assertEvent(); assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken2.getType()); - assertEquals(0, offlineToken2.getExpiration()); + Assert.assertNull(offlineToken.getExp()); // Assert session changed assertNotEquals(offlineToken.getSessionState(), offlineToken2.getSessionState()); @@ -977,7 +977,7 @@ public class OfflineTokenTest extends AbstractKeycloakTest { .assertEvent(); Assert.assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType()); - Assert.assertEquals(0, offlineToken.getExpiration()); + Assert.assertNull(offlineToken.getExp()); testRefreshWithOfflineToken(token, offlineToken, offlineTokenString, token.getSessionState(), serviceAccountUserId); @@ -1049,7 +1049,7 @@ public class OfflineTokenTest extends AbstractKeycloakTest { .assertEvent(); Assert.assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType()); - Assert.assertEquals(0, offlineToken.getExpiration()); + Assert.assertNull(offlineToken.getExp()); } @Test diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RefreshTokenTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RefreshTokenTest.java index d9c2f389536..10b1863c22d 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RefreshTokenTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RefreshTokenTest.java @@ -247,9 +247,9 @@ public class RefreshTokenTest extends AbstractKeycloakTest { assertEquals("Bearer", tokenResponse.getTokenType()); - assertThat(token.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(200), lessThanOrEqualTo(350))); - int actual = refreshToken.getExpiration() - getCurrentTime(); - assertThat(actual, allOf(greaterThanOrEqualTo(1799 - ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800 + ALLOWED_CLOCK_SKEW))); + assertThat(token.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(200L), lessThanOrEqualTo(350L))); + long actual = refreshToken.getExp() - getCurrentTime(); + assertThat(actual, allOf(greaterThanOrEqualTo(1799L - ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800L + ALLOWED_CLOCK_SKEW))); assertEquals(sessionId, refreshToken.getSessionState()); assertNull(refreshToken.getNonce()); @@ -264,10 +264,10 @@ public class RefreshTokenTest extends AbstractKeycloakTest { assertEquals(sessionId, refreshedRefreshToken.getSessionState()); assertThat(response.getExpiresIn(), allOf(greaterThanOrEqualTo(250), lessThanOrEqualTo(300))); - assertThat(refreshedToken.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(250 - ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(300 + ALLOWED_CLOCK_SKEW))); + assertThat(refreshedToken.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(250L - ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(300L + ALLOWED_CLOCK_SKEW))); - assertThat(refreshedToken.getExpiration() - token.getExpiration(), allOf(greaterThanOrEqualTo(0), lessThanOrEqualTo(10))); - assertThat(refreshedRefreshToken.getExpiration() - refreshToken.getExpiration(), allOf(greaterThanOrEqualTo(0), lessThanOrEqualTo(10))); + assertThat(refreshedToken.getExp() - token.getExp(), allOf(greaterThanOrEqualTo(0L), lessThanOrEqualTo(10L))); + assertThat(refreshedRefreshToken.getExp() - refreshToken.getExp(), allOf(greaterThanOrEqualTo(0L), lessThanOrEqualTo(10L))); // "test-app" should not be an audience in the refresh token assertEquals("test-app", refreshedRefreshToken.getIssuedFor()); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java index 45c6117aa9b..060371f93ba 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java @@ -69,6 +69,7 @@ import java.util.ArrayList; import java.util.LinkedList; import java.util.List; import java.util.Map; +import java.util.Optional; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; @@ -170,9 +171,9 @@ public class TokenIntrospectionTest extends AbstractTestRealmKeycloakTest { assertTrue(rep.isActive()); assertEquals("test-user@localhost", rep.getUserName()); assertEquals("test-app", rep.getClientId()); - assertEquals(jsonNode.get("exp").asInt(), rep.getExpiration()); - assertEquals(jsonNode.get("iat").asInt(), rep.getIssuedAt()); - assertEquals(jsonNode.get("nbf"), rep.getNbf()); + assertEquals(Long.valueOf(jsonNode.get("exp").asLong()), rep.getExp()); + assertEquals(Long.valueOf(jsonNode.get("iat").asLong()), rep.getIat()); + assertEquals(Optional.ofNullable(jsonNode.get("nbf")).map(JsonNode::asLong).orElse(null), rep.getNbf()); assertEquals(jsonNode.get("sub").asText(), rep.getSubject()); List audiences = new ArrayList<>(); @@ -226,9 +227,9 @@ public class TokenIntrospectionTest extends AbstractTestRealmKeycloakTest { assertTrue(rep.isActive()); assertEquals("test-app", rep.getClientId()); assertEquals(jsonNode.get("sid").asText(), rep.getSessionState()); - assertEquals(jsonNode.get("exp").asInt(), rep.getExpiration()); - assertEquals(jsonNode.get("iat").asInt(), rep.getIssuedAt()); - assertEquals(jsonNode.get("nbf"), rep.getNbf()); + assertEquals(Long.valueOf(jsonNode.get("exp").asLong()), rep.getExp()); + assertEquals(Long.valueOf(jsonNode.get("iat").asLong()), rep.getIat()); + assertEquals(Optional.ofNullable(jsonNode.get("nbf")).map(JsonNode::asLong).orElse(null), rep.getNbf()); assertEquals(jsonNode.get("iss").asText(), rep.getIssuer()); assertEquals(jsonNode.get("jti").asText(), rep.getId()); assertEquals(jsonNode.get("typ").asText(), "Refresh"); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/hok/HoKTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/hok/HoKTest.java index 6b3e85725aa..eaad49ec710 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/hok/HoKTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/hok/HoKTest.java @@ -335,9 +335,9 @@ public class HoKTest extends AbstractTestRealmKeycloakTest { Assert.assertNotNull(refreshTokenString); assertEquals("Bearer", tokenResponse.getTokenType()); - assertThat(token.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(200), lessThanOrEqualTo(350))); - int actual = refreshToken.getExpiration() - getCurrentTime(); - assertThat(actual, allOf(greaterThanOrEqualTo(1799 - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800 + RefreshTokenTest.ALLOWED_CLOCK_SKEW))); + assertThat(token.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(200L), lessThanOrEqualTo(350L))); + long actual = refreshToken.getExp() - getCurrentTime(); + assertThat(actual, allOf(greaterThanOrEqualTo(1799L - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800L + RefreshTokenTest.ALLOWED_CLOCK_SKEW))); assertEquals(sessionId, refreshToken.getSessionState()); setTimeOffset(2); @@ -372,9 +372,9 @@ public class HoKTest extends AbstractTestRealmKeycloakTest { Assert.assertNotNull(refreshTokenString); assertEquals("Bearer", tokenResponse.getTokenType()); - assertThat(token.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(200), lessThanOrEqualTo(350))); - int actual = refreshToken.getExpiration() - getCurrentTime(); - assertThat(actual, allOf(greaterThanOrEqualTo(1799 - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800 + RefreshTokenTest.ALLOWED_CLOCK_SKEW))); + assertThat(token.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(200L), lessThanOrEqualTo(350L))); + long actual = refreshToken.getExp() - getCurrentTime(); + assertThat(actual, allOf(greaterThanOrEqualTo(1799L - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800L + RefreshTokenTest.ALLOWED_CLOCK_SKEW))); assertEquals(sessionId, refreshToken.getSessionState()); setTimeOffset(2); @@ -410,10 +410,10 @@ public class HoKTest extends AbstractTestRealmKeycloakTest { assertEquals(sessionId, refreshedRefreshToken.getSessionState()); assertThat(response.getExpiresIn(), allOf(greaterThanOrEqualTo(250), lessThanOrEqualTo(300))); - assertThat(refreshedToken.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(250 - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(300 + RefreshTokenTest.ALLOWED_CLOCK_SKEW))); + assertThat(refreshedToken.getExp() - getCurrentTime(), allOf(greaterThanOrEqualTo(250L - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(300L + RefreshTokenTest.ALLOWED_CLOCK_SKEW))); - assertThat(refreshedToken.getExpiration() - token.getExpiration(), allOf(greaterThanOrEqualTo(1), lessThanOrEqualTo(10))); - assertThat(refreshedRefreshToken.getExpiration() - refreshToken.getExpiration(), allOf(greaterThanOrEqualTo(1), lessThanOrEqualTo(10))); + assertThat(refreshedToken.getExp() - token.getExp(), allOf(greaterThanOrEqualTo(1L), lessThanOrEqualTo(10L))); + assertThat(refreshedRefreshToken.getExp() - refreshToken.getExp(), allOf(greaterThanOrEqualTo(1L), lessThanOrEqualTo(10L))); Assert.assertNotEquals(token.getId(), refreshedToken.getId()); Assert.assertNotEquals(refreshToken.getId(), refreshedRefreshToken.getId()); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java index 2371d8c2901..91d424dfb1f 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java @@ -205,8 +205,8 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest IDToken idToken = sendTokenRequestAndGetIDToken(loginEvent); // Check that authTime is available and set to current time - int authTime = idToken.getAuthTime(); - int currentTime = Time.currentTime(); + long authTime = idToken.getAuth_time(); + long currentTime = Time.currentTime(); Assert.assertTrue(authTime <= currentTime && authTime + 3 >= currentTime); // Set time offset @@ -225,7 +225,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest idToken = sendTokenRequestAndGetIDToken(loginEvent); // Assert that authTime was updated - int authTimeUpdated = idToken.getAuthTime(); + long authTimeUpdated = idToken.getAuth_time(); Assert.assertTrue(authTime + 10 <= authTimeUpdated); } @@ -238,8 +238,8 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest IDToken idToken = sendTokenRequestAndGetIDToken(loginEvent); // Check that authTime is available and set to current time - int authTime = idToken.getAuthTime(); - int currentTime = Time.currentTime(); + long authTime = idToken.getAuth_time(); + long currentTime = Time.currentTime(); Assert.assertTrue(authTime <= currentTime && authTime + 3 >= currentTime); // Set time offset @@ -255,7 +255,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest idToken = sendTokenRequestAndGetIDToken(loginEvent); // Assert that authTime is still the same - int authTimeUpdated = idToken.getAuthTime(); + long authTimeUpdated = idToken.getAuth_time(); Assert.assertEquals(authTime, authTimeUpdated); } @@ -293,7 +293,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest EventRepresentation loginEvent = events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent(); IDToken idToken = sendTokenRequestAndGetIDToken(loginEvent); - int authTime = idToken.getAuthTime(); + long authTime = idToken.getAuth_time(); // Set time offset setTimeOffset(10); @@ -304,7 +304,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest loginEvent = events.expectLogin().removeDetail(Details.USERNAME).assertEvent(); idToken = sendTokenRequestAndGetIDToken(loginEvent); - int authTime2 = idToken.getAuthTime(); + long authTime2 = idToken.getAuth_time(); Assert.assertEquals(authTime, authTime2); } @@ -383,7 +383,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest IDToken newIdToken = sendTokenRequestAndGetIDToken(loginEvent); // Assert that authTime wasn't updated - Assert.assertEquals(oldIdToken.getAuthTime(), newIdToken.getAuthTime()); + Assert.assertEquals(oldIdToken.getAuth_time(), newIdToken.getAuth_time()); // Set time offset setTimeOffset(20); @@ -399,8 +399,8 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest newIdToken = sendTokenRequestAndGetIDToken(loginEvent); // Assert that authTime was updated - Assert.assertTrue("Expected auth time to change. old auth time: " + oldIdToken.getAuthTime() + " , new auth time: " + newIdToken.getAuthTime(), - oldIdToken.getAuthTime() + 20 <= newIdToken.getAuthTime()); + Assert.assertTrue("Expected auth time to change. old auth time: " + oldIdToken.getAuth_time() + " , new auth time: " + newIdToken.getAuth_time(), + oldIdToken.getAuth_time() + 20 <= newIdToken.getAuth_time()); // Assert userSession didn't change Assert.assertEquals(oldIdToken.getSessionState(), newIdToken.getSessionState());