package org.keycloak.representations;

import com.fasterxml.jackson.annotation.JsonIgnore;

import com.fasterxml.jackson.annotation.JsonProperty;

import org.keycloak.TokenCategory;

protected Long auth_time;

@JsonProperty(AT_HASH)

protected String accessTokenHash;

this.auth_time = Long.valueOf(authTime);

}

public String getSessionId() {

}

}

}

public String getAccessTokenHash() {

this.issuer = token.issuer;

this.subject = token.subject;

this.issuedFor = token.issuedFor;

this.nonce = token.nonce;

this.audience = new String[] { token.issuer };

this.scope = token.scope;

Information that cannot be removed from a lightweight access token::

Protocol mappers can controls which information is put onto an access token and the lightweight access token use the protocol mappers. Therefore, the following information cannot be removed from the lightweight access. +

Using a lightweight access token in {project_name}::

By applying `use-lightweight-access-token` executor of <<_client_policies, client policies>> to a client, the client can receive a lightweight access token instead of an access token. The lightweight access token contains a claim controlled by a protocol mapper where its setting `Add to lightweight access token`(default OFF) is turned ON. Also, by turning ON its setting `Add to token introspection` of the protocol mapper, the client can obtain the claim by sending the access token to {project_name}'s token introspection endpoint.

* `auth_time`

clientDetailsPage.goToClientScopesEvaluateGeneratedUserInfoTab();

cy.get("div#generatedIdToken").contains('"preferred_username": "admin"');

});

});

if (token) {

kc.token = token;

kc.tokenParsed = jwtDecode(token);

kc.authenticated = true;

kc.subject = kc.tokenParsed.sub;

kc.realmAccess = kc.tokenParsed.realm_access;

import java.util.concurrent.atomic.AtomicBoolean;

import java.util.concurrent.atomic.AtomicInteger;

import java.util.function.BiFunction;

import java.util.stream.Collectors;

import jakarta.ws.rs.HttpMethod;

if (accessToken.getSessionState() == null) {

// Skip generating refresh token for accessToken without sessionState claim. This is "stateless" accessToken not pointing to any real persistent userSession

} else {

if (OIDCAdvancedConfigWrapper.fromClientModel(client).isUseRefreshToken()) {

responseBuilder.generateRefreshToken();

newToken.issuer(token.getIssuer());

newToken.setNonce(token.getNonce());

newToken.setScope(token.getScope());

// In the case of a refresh token, aud is a basic claim.

newToken.audience(token.getAudience());

token.setAcr(acr);

}

ClientScopeModel offlineAccessScope = KeycloakModelUtils.getClientScopeByName(realm, OAuth2Constants.OFFLINE_ACCESS);

boolean offlineTokenRequested = offlineAccessScope == null ? false

: clientSessionCtx.getClientScopeIds().contains(offlineAccessScope.getId());

idToken.issuedFor(accessToken.getIssuedFor());

idToken.issuer(accessToken.getIssuer());

idToken.setNonce(clientSessionCtx.getAttribute(OIDCLoginProtocol.NONCE_PARAM, String.class));

idToken.expiration(accessToken.getExpiration());

// Protocol mapper is supposed to set this in case "step_up_authentication" feature enabled

import org.keycloak.events.Errors;

import org.keycloak.events.EventType;

import org.keycloak.models.ClientSessionContext;

import org.keycloak.models.UserModel;

import org.keycloak.models.UserSessionModel;

import org.keycloak.protocol.oidc.OIDCLoginProtocol;

if (useRefreshToken) {

responseBuilder = responseBuilder.generateRefreshToken();

} else {

}

checkAndBindMtlsHoKToken(responseBuilder, useRefreshToken);