public void verifyAccess(AccessToken token, AccessToken newToken) throws OAuthErrorException { if (token.getRealmAccess() != null) { if (newToken.getRealmAccess() == null) throw new OAuthErrorException( OAuthErrorException.INVALID_SCOPE, "User no long has permission for realm roles"); for (String roleName : token.getRealmAccess().getRoles()) { if (!newToken.getRealmAccess().getRoles().contains(roleName)) { throw new OAuthErrorException( OAuthErrorException.INVALID_SCOPE, "User no long has permission for realm role: " + roleName); } } } if (token.getResourceAccess() != null) { for (Map.Entry<String, AccessToken.Access> entry : token.getResourceAccess().entrySet()) { AccessToken.Access appAccess = newToken.getResourceAccess(entry.getKey()); if (appAccess == null && !entry.getValue().getRoles().isEmpty()) { throw new OAuthErrorException( OAuthErrorException.INVALID_SCOPE, "User or client no longer has role permissions for client key: " + entry.getKey()); } for (String roleName : entry.getValue().getRoles()) { if (!appAccess.getRoles().contains(roleName)) { throw new OAuthErrorException( OAuthErrorException.INVALID_SCOPE, "User no long has permission for client role " + roleName); } } } } }