Class IdTokenVerifier
- java.lang.Object
-
- com.google.api.client.auth.openidconnect.IdTokenVerifier
-
@Beta public class IdTokenVerifier extends java.lang.Object
Beta
Thread-safe ID token verifier based on ID Token Validation. Call
verify(IdToken)
to verify an ID token. This is a light-weight object, so you may use a new instance for each configuration of expected issuer and trusted client IDs. Sample usage:

    IdTokenVerifier verifier = new IdTokenVerifier.Builder()
        .setIssuer("issuer.example.com")
        .setAudience(Arrays.asList("myClientId"))
        .build();
    ...
    if (!verifier.verify(idToken)) {...}

Note that
verify(IdToken)
only implements a subset of the verification steps, mostly just the MUST steps. Please read ID Token Validation for the full list of verification steps.
- Since:
- 1.16
-
-
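The sample above stops at the boolean result. The following added example (written for this page, not code from the google-oauth-java-client project) shows the full accept-or-reject path a relying party needs: parse the compact-serialized token, run verify(IdToken), and only then read a claim. The issuer strings, the client ID and the class name IdTokenCheck are placeholders; the 60-second skew is a deliberate tightening of DEFAULT_TIME_SKEW_SECONDS and is an assumption about your deployment, not a library default.

```java
import com.google.api.client.auth.openidconnect.IdToken;
import com.google.api.client.auth.openidconnect.IdTokenVerifier;
import com.google.api.client.json.gson.GsonFactory;
import java.io.IOException;
import java.util.Arrays;

/** Added example class (hypothetical name); not part of the library. */
public final class IdTokenCheck {

  // The verifier is documented as thread-safe, so one shared instance per
  // issuer/audience configuration is fine. Values below are placeholders.
  private static final IdTokenVerifier VERIFIER =
      new IdTokenVerifier.Builder()
          // All entries are treated as equivalent spellings of the trusted issuer;
          // a token whose "iss" matches none of them is rejected.
          .setIssuers(Arrays.asList("https://issuer.example.com", "issuer.example.com"))
          // Tokens minted for any other client ID ("aud") are rejected.
          .setAudience(Arrays.asList("myClientId"))
          // Assumed deployment choice: tighter than the 5-minute default.
          .setAcceptableTimeSkewSeconds(60)
          .build();

  /**
   * Returns the token's subject only if the verifier accepts the token; returns null on
   * any parse or verification failure so callers cannot act on an unverified claim.
   */
  public static String verifiedSubject(String rawIdToken) {
    IdToken idToken;
    try {
      idToken = IdToken.parse(GsonFactory.getDefaultInstance(), rawIdToken);
    } catch (IOException | IllegalArgumentException e) {
      // Malformed JWS (bad base64url, non-JSON payload): treat as unauthenticated.
      return null;
    }
    // Issuer, audience, iat/exp with skew, and signature are all checked here.
    if (!VERIFIER.verify(idToken)) {
      return null;
    }
    // Claims are read only after verify() succeeded.
    return idToken.getPayload().getSubject();
  }

  public static void main(String[] args) {
    if (args.length != 1) {
      System.err.println("usage: IdTokenCheck <compact-serialized-id-token>");
      System.exit(2);
    }
    String subject = verifiedSubject(args[0]);
    System.out.println(subject == null ? "REJECTED" : "OK subject=" + subject);
  }
}
```

Note that parsing a token is not verifying it: IdToken.parse succeeds on any syntactically valid JWS, so every claim read before verify(IdToken) returns true is attacker-controlled input.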
Nested Class Summary
Nested Classes
Modifier and Type   Class   Description
static class
IdTokenVerifier.Builder
(package private) static class
IdTokenVerifier.DefaultHttpTransportFactory
(package private) static class
IdTokenVerifier.PublicKeyLoader
Custom CacheLoader for mapping certificate urls to the contained public keys.
(package private) static class
IdTokenVerifier.VerificationException
Custom exception for wrapping all verification errors.
-
Field Summary
Fields
Modifier and Type   Field   Description
private long
acceptableTimeSkewSeconds
Seconds of time skew to accept when verifying time.
private java.util.Collection<java.lang.String>
audience
Unmodifiable list of trusted audience client IDs or null to suppress the audience check.
private java.lang.String
certificatesLocation
private com.google.api.client.util.Clock
clock
Clock to use for expiration checks.
static long
DEFAULT_TIME_SKEW_SECONDS
Default value for seconds of time skew to accept when verifying time (5 minutes).
private Environment
environment
private static java.lang.String
FEDERATED_SIGNON_CERT_URL
(package private) static com.google.api.client.http.HttpTransport
HTTP_TRANSPORT
private static java.lang.String
IAP_CERT_URL
private java.util.Collection<java.lang.String>
issuers
Unmodifiable collection of equivalent expected issuers or null to suppress the issuer check.
private static java.util.logging.Logger
LOGGER
private static java.lang.String
NOT_SUPPORTED_ALGORITHM
private com.google.common.cache.LoadingCache<java.lang.String,java.util.Map<java.lang.String,java.security.PublicKey>>
publicKeyCache
(package private) static java.lang.String
SKIP_SIGNATURE_ENV_VAR
private static java.util.Set<java.lang.String>
SUPPORTED_ALGORITHMS
-
Constructor Summary
Constructors
Modifier   Constructor   Description
IdTokenVerifier()
protected
IdTokenVerifier(IdTokenVerifier.Builder builder)
-
Method Summary
All Methods   Instance Methods   Concrete Methods
Modifier and Type   Method   Description
long
getAcceptableTimeSkewSeconds()
Returns the seconds of time skew to accept when verifying time.
java.util.Collection<java.lang.String>
getAudience()
Returns the unmodifiable list of trusted audience client IDs or null to suppress the audience check.
private java.lang.String
getCertificateLocation(com.google.api.client.json.webtoken.JsonWebSignature.Header header)
com.google.api.client.util.Clock
getClock()
Returns the clock.
java.lang.String
getIssuer()
Returns the first of equivalent expected issuers or null if issuer check suppressed.
java.util.Collection<java.lang.String>
getIssuers()
Returns the equivalent expected issuers or null if issuer check suppressed.
boolean
verify(IdToken idToken)
Verifies that the given ID token is valid using the cached public keys.
(package private) boolean
verifySignature(IdToken idToken)
-
-
-
Field Detail
-
LOGGER
private static final java.util.logging.Logger LOGGER
-
IAP_CERT_URL
private static final java.lang.String IAP_CERT_URL
- See Also:
- Constant Field Values
-
FEDERATED_SIGNON_CERT_URL
private static final java.lang.String FEDERATED_SIGNON_CERT_URL
- See Also:
- Constant Field Values
-
SUPPORTED_ALGORITHMS
private static final java.util.Set<java.lang.String> SUPPORTED_ALGORITHMS
-
NOT_SUPPORTED_ALGORITHM
private static final java.lang.String NOT_SUPPORTED_ALGORITHM
- See Also:
- Constant Field Values
-
HTTP_TRANSPORT
static final com.google.api.client.http.HttpTransport HTTP_TRANSPORT
-
SKIP_SIGNATURE_ENV_VAR
static final java.lang.String SKIP_SIGNATURE_ENV_VAR
- See Also:
- Constant Field Values
-
DEFAULT_TIME_SKEW_SECONDS
public static final long DEFAULT_TIME_SKEW_SECONDS
Default value for seconds of time skew to accept when verifying time (5 minutes).
- See Also:
- Constant Field Values
-
clock
private final com.google.api.client.util.Clock clock
Clock to use for expiration checks.
-
certificatesLocation
private final java.lang.String certificatesLocation
-
environment
private final Environment environment
-
publicKeyCache
private final com.google.common.cache.LoadingCache<java.lang.String,java.util.Map<java.lang.String,java.security.PublicKey>> publicKeyCache
-
acceptableTimeSkewSeconds
private final long acceptableTimeSkewSeconds
Seconds of time skew to accept when verifying time.
-
issuers
private final java.util.Collection<java.lang.String> issuers
Unmodifiable collection of equivalent expected issuers or null to suppress the issuer check.
-
audience
private final java.util.Collection<java.lang.String> audience
Unmodifiable list of trusted audience client IDs or null to suppress the audience check.
-
-
Constructor Detail
-
IdTokenVerifier
public IdTokenVerifier()
-
IdTokenVerifier
protected IdTokenVerifier(IdTokenVerifier.Builder builder)
- Parameters:
builder
- builder
-
-
Method Detail
-
getClock
public final com.google.api.client.util.Clock getClock()
Returns the clock.
-
getAcceptableTimeSkewSeconds
public final long getAcceptableTimeSkewSeconds()
Returns the seconds of time skew to accept when verifying time.
-
getIssuer
public final java.lang.String getIssuer()
Returns the first of equivalent expected issuers or null if issuer check suppressed.
-
getIssuers
public final java.util.Collection<java.lang.String> getIssuers()
Returns the equivalent expected issuers or null if issuer check suppressed.
- Since:
- 1.21.0
-
getAudience
public final java.util.Collection<java.lang.String> getAudience()
Returns the unmodifiable list of trusted audience client IDs or null to suppress the audience check.
-
verify
public boolean verify(IdToken idToken)
Verifies that the given ID token is valid using the cached public keys. It verifies:
- The issuer is one of getIssuers(), by calling IdToken.verifyIssuer(String).
- The audience is one of getAudience(), by calling IdToken.verifyAudience(Collection).
- The current time against the issued-at and expiration time, using getClock() and allowing for the time skew specified in getAcceptableTimeSkewSeconds(), by calling IdToken.verifyTime(long, long).
- The token signature, per the ID Token Validation section of the current OpenID Connect Core spec: https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation. By default the public keys are fetched from a well-known certificate location; the request to that location is performed using NetHttpTransport. Both the certificate location and the transport implementation can be overridden via IdTokenVerifier.Builder. Not recommended: this check can be disabled by setting the OAUTH_CLIENT_SKIP_SIGNATURE environment variable to true, which turns verify(IdToken) into a payload-only check that accepts forged tokens.
Overriding is allowed, but it must call the super implementation.
- Parameters:
idToken - ID token
- Returns:
true if verified successfully or false if failed
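verify(IdToken) collapses every failing step into a single false. The added example below (written for this page; not code from the google-oauth-java-client project) re-runs the payload checks with the verifier's own configuration, read through the public getters documented on this page, so an operator can see which check rejected a token, and it guards against the OAUTH_CLIENT_SKIP_SIGNATURE escape hatch being left set in production. The class name IdTokenDiagnostics and the method names are hypothetical; the only library calls used are the getters above and the IdToken.verify* methods they reference.

```java
import com.google.api.client.auth.openidconnect.IdToken;
import com.google.api.client.auth.openidconnect.IdTokenVerifier;
import java.util.Collection;

/** Added example class (hypothetical name); not part of the library. */
public final class IdTokenDiagnostics {

  /**
   * Refuse to start if signature verification has been disabled through the
   * environment variable named in the verify() documentation above.
   */
  public static void requireSignatureCheckEnabled() {
    String skip = System.getenv("OAUTH_CLIENT_SKIP_SIGNATURE");
    if (skip != null && skip.trim().equalsIgnoreCase("true")) {
      throw new IllegalStateException(
          "OAUTH_CLIENT_SKIP_SIGNATURE=true disables ID token signature checks; unset it");
    }
  }

  /**
   * Names the first payload check that fails, in the same order verify() applies them,
   * using the verifier's configured issuers, audience, clock and skew. If every payload
   * check passes, the only step left that verify() could have rejected is the signature
   * (or the key fetch behind it).
   */
  public static String explainFailure(IdTokenVerifier verifier, IdToken idToken) {
    Collection<String> issuers = verifier.getIssuers();   // null means check suppressed
    if (issuers != null && !idToken.verifyIssuer(issuers)) {
      return "issuer: got " + idToken.getPayload().getIssuer()
          + ", expected one of " + issuers;
    }
    Collection<String> audience = verifier.getAudience(); // null means check suppressed
    if (audience != null && !idToken.verifyAudience(audience)) {
      return "audience: got " + idToken.getPayload().getAudience()
          + ", expected one of " + audience;
    }
    long nowMillis = verifier.getClock().currentTimeMillis();
    long skewSeconds = verifier.getAcceptableTimeSkewSeconds();
    // verifyTime() is the AND of these two; split them to report which side failed.
    if (!idToken.verifyExpirationTime(nowMillis, skewSeconds)) {
      return "expired: exp=" + idToken.getPayload().getExpirationTimeSeconds()
          + " now=" + nowMillis / 1000 + " skew=" + skewSeconds;
    }
    if (!idToken.verifyIssuedAtTime(nowMillis, skewSeconds)) {
      return "issued in the future: iat=" + idToken.getPayload().getIssuedAtTimeSeconds()
          + " now=" + nowMillis / 1000 + " skew=" + skewSeconds;
    }
    return "signature or key retrieval rejected by verifySignature()";
  }

  /** Verify; on rejection, log the reason but never accept the token. */
  public static boolean verifyOrExplain(IdTokenVerifier verifier, IdToken idToken) {
    requireSignatureCheckEnabled();
    if (verifier.verify(idToken)) {
      return true;
    }
    System.err.println("ID token rejected: " + explainFailure(verifier, idToken));
    return false;
  }
}
```

Keep the diagnostic on the server side: the reason strings echo claim values from an unverified token, so they belong in an operator log, not in a response to the client that presented the token.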
-
verifySignature
boolean verifySignature(IdToken idToken) throws IdTokenVerifier.VerificationException
-
getCertificateLocation
private java.lang.String getCertificateLocation(com.google.api.client.json.webtoken.JsonWebSignature.Header header) throws IdTokenVerifier.VerificationException
-
-