java.lang.Object
com.google.api.client.json.webtoken.JsonWebToken
com.google.api.client.json.webtoken.JsonWebSignature
com.google.api.client.auth.openidconnect.IdToken

@Beta public class IdToken extends com.google.api.client.json.webtoken.JsonWebSignature
Beta
ID token as described in ID Token.

Use parse(JsonFactory, String) to parse an ID token from a string. Then, use the verify methods to verify the ID token as required by the specification.

Implementation is not thread-safe.

Since:
1.14
  • Nested Class Summary

    Nested Classes
    Modifier and Type
    Class
    Description
    static class 
    Beta
    ID token payload.

    Nested classes/interfaces inherited from class com.google.api.client.json.webtoken.JsonWebSignature

    com.google.api.client.json.webtoken.JsonWebSignature.Header, com.google.api.client.json.webtoken.JsonWebSignature.Parser
  • Constructor Summary

    Constructors
    Constructor
    Description
    IdToken(com.google.api.client.json.webtoken.JsonWebSignature.Header header, IdToken.Payload payload, byte[] signatureBytes, byte[] signedContentBytes)
     
  • Method Summary

    Modifier and Type
    Method
    Description
     
    static IdToken
    parse(com.google.api.client.json.JsonFactory jsonFactory, String idTokenString)
    Parses the given ID token string and returns the parsed ID token.
    final boolean
    verifyAudience(Collection<String> trustedClientIds)
    Returns whether the audience in the payload contains only client IDs that are trusted as specified in step 2 of ID Token Validation.
    final boolean
    verifyExpirationTime(long currentTimeMillis, long acceptableTimeSkewSeconds)
    Returns whether the JsonWebToken.Payload.getExpirationTimeSeconds() is valid relative to the current time, allowing for a clock skew as specified in step 5 of ID Token Validation.
    final boolean
    verifyIssuedAtTime(long currentTimeMillis, long acceptableTimeSkewSeconds)
    Returns whether the JsonWebToken.Payload.getIssuedAtTimeSeconds() is valid relative to the current time, allowing for a clock skew as specified in step 6 of ID Token Validation.
    final boolean
    verifyIssuer(String expectedIssuer)
    Returns whether the issuer in the payload matches the given expected issuer as specified in step 1 of ID Token Validation.
    final boolean
    verifyIssuer(Collection<String> expectedIssuer)
    Returns whether the issuer in the payload matches the given expected issuer as specified in step 1 of ID Token Validation.
    final boolean
    verifyTime(long currentTimeMillis, long acceptableTimeSkewSeconds)
    Returns whether the JsonWebToken.Payload.getExpirationTimeSeconds() and JsonWebToken.Payload.getIssuedAtTimeSeconds() are valid relative to the current time, allowing for a clock skew as specified in steps 5 and 6 of ID Token Validation.

    Methods inherited from class com.google.api.client.json.webtoken.JsonWebSignature

    getHeader, getSignatureBytes, getSignedContentBytes, parser, signUsingRsaSha256, verifySignature, verifySignature, verifySignature

    Methods inherited from class com.google.api.client.json.webtoken.JsonWebToken

    toString

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
  • Constructor Details

    • IdToken

      public IdToken(com.google.api.client.json.webtoken.JsonWebSignature.Header header, IdToken.Payload payload, byte[] signatureBytes, byte[] signedContentBytes)
      Parameters:
      header - header
      payload - payload
      signatureBytes - bytes of the signature
      signedContentBytes - bytes of the signature content
  • Method Details

    • getPayload

      public IdToken.Payload getPayload()
      Overrides:
      getPayload in class com.google.api.client.json.webtoken.JsonWebToken
    • verifyIssuer

      public final boolean verifyIssuer(String expectedIssuer)
      Returns whether the issuer in the payload matches the given expected issuer as specified in step 1 of ID Token Validation.
      Parameters:
      expectedIssuer - expected issuer
    • verifyIssuer

      public final boolean verifyIssuer(Collection<String> expectedIssuer)
      Returns whether the issuer in the payload matches the given expected issuer as specified in step 1 of ID Token Validation. When an issuer is migrating to a new issuer string the expected issuer has multiple aliases, so multiple are permitted here.
      Since:
      1.21.0
    • verifyAudience

      public final boolean verifyAudience(Collection<String> trustedClientIds)
      Returns whether the audience in the payload contains only client IDs that are trusted as specified in step 2 of ID Token Validation.
      Parameters:
      trustedClientIds - list of trusted client IDs
    • verifyTime

      public final boolean verifyTime(long currentTimeMillis, long acceptableTimeSkewSeconds)
      Returns whether the JsonWebToken.Payload.getExpirationTimeSeconds() and JsonWebToken.Payload.getIssuedAtTimeSeconds() are valid relative to the current time, allowing for a clock skew as specified in steps 5 and 6 of ID Token Validation.
      Parameters:
      currentTimeMillis - current time in milliseconds (typically System.currentTimeMillis())
      acceptableTimeSkewSeconds - seconds of acceptable clock skew
    • verifyExpirationTime

      public final boolean verifyExpirationTime(long currentTimeMillis, long acceptableTimeSkewSeconds)
      Returns whether the JsonWebToken.Payload.getExpirationTimeSeconds() is valid relative to the current time, allowing for a clock skew as specified in step 5 of ID Token Validation.
      Parameters:
      currentTimeMillis - current time in milliseconds (typically System.currentTimeMillis())
      acceptableTimeSkewSeconds - seconds of acceptable clock skew
    • verifyIssuedAtTime

      public final boolean verifyIssuedAtTime(long currentTimeMillis, long acceptableTimeSkewSeconds)
      Returns whether the JsonWebToken.Payload.getIssuedAtTimeSeconds() is valid relative to the current time, allowing for a clock skew as specified in step 6 of ID Token Validation.
      Parameters:
      currentTimeMillis - current time in milliseconds (typically System.currentTimeMillis())
      acceptableTimeSkewSeconds - seconds of acceptable clock skew
    • parse

      public static IdToken parse(com.google.api.client.json.JsonFactory jsonFactory, String idTokenString) throws IOException
      Parses the given ID token string and returns the parsed ID token.
      Parameters:
      jsonFactory - JSON factory
      idTokenString - ID token string
      Returns:
      parsed ID token
      Throws:
      IOException