private int invokeRESTEndpoint(String accessTokenString) {

    HttpClient client = new DefaultHttpClient();
    try {
      String restUrl = customerDb.toString();
      HttpGet get = new HttpGet(restUrl);
      get.addHeader("Authorization", "Bearer " + accessTokenString);
      try {
        HttpResponse response = client.execute(get);
        int status = response.getStatusLine().getStatusCode();
        if (status != 200) {
          return status;
        }

        HttpEntity entity = response.getEntity();
        InputStream is = entity.getContent();
        try {
          String body = StreamUtil.readString(is);
          Assert.assertTrue(body.contains("Stian Thorgersen") && body.contains("Bill Burke"));
          return status;
        } finally {
          is.close();
        }
      } catch (IOException e) {
        throw new RuntimeException(e);
      }
    } finally {
      client.getConnectionManager().shutdown();
    }
  }
  // KEYCLOAK-3823: Test that sending notBefore policy invalidates JWKPublicKeyLocator cache
  @Test
  public void testPublicKeyCacheInvalidatedWhenPushedNotBefore() {
    driver.manage().timeouts().pageLoadTimeout(1000, TimeUnit.SECONDS);

    // increase accessTokenLifespan to 1200
    RealmRepresentation demoRealm = adminClient.realm(DEMO).toRepresentation();
    demoRealm.setAccessTokenLifespan(1200);
    adminClient.realm(DEMO).update(demoRealm);

    // authenticate in tokenMinTTL app
    loginToTokenMinTtlApp();
    String accessTokenString = tokenMinTTLPage.getAccessTokenString();

    // Generate new realm public key
    String oldActiveKeyProviderId = getActiveKeyProvider();

    generateNewRealmKey();

    // Send REST request to customer-db app. It should be successfully authenticated even that token
    // is signed by the old key
    int status = invokeRESTEndpoint(accessTokenString);
    Assert.assertEquals(200, status);

    // Remove the old realm key now
    adminClient.realm(DEMO).components().component(oldActiveKeyProviderId).remove();

    // Set some offset to ensure pushing notBefore will pass
    setAdapterAndServerTimeOffset(
        130,
        customerDb.toString() + "/unsecured/foo",
        tokenMinTTLPage.toString() + "/unsecured/foo");

    // Send notBefore policy from the realm
    demoRealm.setNotBefore(Time.currentTime() - 1);
    adminClient.realm(DEMO).update(demoRealm);
    GlobalRequestResult result = adminClient.realm(DEMO).pushRevocation();
    Assert.assertTrue(result.getSuccessRequests().contains(customerDb.toString()));

    // Send REST request. New request to the publicKey cache should be sent, and key is no longer
    // returned as token contains the old kid
    status = invokeRESTEndpoint(accessTokenString);
    Assert.assertEquals(401, status);

    // Revert public keys change and time offset
    resetKeycloakDeploymentForAdapter(customerDb.toString() + "/unsecured/foo");
    resetKeycloakDeploymentForAdapter(tokenMinTTLPage.toString() + "/unsecured/foo");
  }
  // KEYCLOAK-3824: Test for public-key-cache-ttl
  @Test
  public void testPublicKeyCacheTtl() {
    // increase accessTokenLifespan to 1200
    RealmRepresentation demoRealm = adminClient.realm(DEMO).toRepresentation();
    demoRealm.setAccessTokenLifespan(1200);
    adminClient.realm(DEMO).update(demoRealm);

    // authenticate in tokenMinTTL app
    loginToTokenMinTtlApp();
    String accessTokenString = tokenMinTTLPage.getAccessTokenString();

    // Send REST request to customer-db app. I should be successfully authenticated
    int status = invokeRESTEndpoint(accessTokenString);
    Assert.assertEquals(200, status);

    // Re-generate realm public key and remove the old key
    String oldActiveKeyProviderId = getActiveKeyProvider();
    generateNewRealmKey();
    adminClient.realm(DEMO).components().component(oldActiveKeyProviderId).remove();

    // Send REST request to the customer-db app. Should be still succcessfully authenticated as the
    // JWKPublicKeyLocator cache is still valid
    status = invokeRESTEndpoint(accessTokenString);
    Assert.assertEquals(200, status);

    // TimeOffset to 900 on the REST app side. Token is still valid (1200) but JWKPublicKeyLocator
    // should try to download new key (public-key-cache-ttl=600)
    setAdapterAndServerTimeOffset(900, customerDb.toString() + "/unsecured/foo");

    // Send REST request. New request to the publicKey cache should be sent, and key is no longer
    // returned as token contains the old kid
    status = invokeRESTEndpoint(accessTokenString);
    Assert.assertEquals(401, status);

    // Revert public keys change and time offset
    resetKeycloakDeploymentForAdapter(customerDb.toString() + "/unsecured/foo");
    resetKeycloakDeploymentForAdapter(tokenMinTTLPage.toString() + "/unsecured/foo");
  }