diff --git a/core/src/main/java/org/keycloak/TokenVerifier.java b/core/src/main/java/org/keycloak/TokenVerifier.java
index 0b2047b..1f1d54c 100755
--- a/core/src/main/java/org/keycloak/TokenVerifier.java
+++ b/core/src/main/java/org/keycloak/TokenVerifier.java
@@ -167,12 +167,15 @@ public class TokenVerifier<T extends JsonWebToken> {
}
/**
- * Creates an instance of {@code TokenVerifier} from the given string on a JWT of the given class.
+ * Creates an instance of {@code TokenVerifier} for the given token.
* The token verifier has no checks defined. Note that the checks are only tested when
* {@link #verify()} method is invoked.
+ * <p>
+ * <b>NOTE:</b> The returned token verifier cannot verify token signature since
+ * that is not part of the {@link JsonWebToken} object.
* @return
*/
- public static <T extends JsonWebToken> TokenVerifier<T> create(T token) {
+ public static <T extends JsonWebToken> TokenVerifier<T> createWithoutSignature(T token) {
return new TokenVerifier(token);
}
diff --git a/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java b/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java
index 9723eb3..a7abd4e 100755
--- a/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java
+++ b/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java
@@ -544,7 +544,7 @@ public class LoginActionsService {
session.getContext().setClient(authSession.getClient());
- TokenVerifier.create(token)
+ TokenVerifier.createWithoutSignature(token)
.withChecks(handler.getVerifiers(tokenContext))
.verify();
