Class IdTokenVerifier

java.lang.Object
com.google.api.client.auth.openidconnect.IdTokenVerifier

@Beta public class IdTokenVerifier extends Object
Thread-safe ID token verifier based on ID Token Validation.

Call verify(IdToken) to verify an ID token. This is a lightweight object, so you may use a new instance for each configuration of expected issuer and trusted client IDs. Sample usage:

    IdTokenVerifier verifier = new IdTokenVerifier.Builder()
        .setIssuer("issuer.example.com")
        .setAudience(Arrays.asList("myClientId"))
        .build();
    ...
    if (!verifier.verify(idToken)) {...}
 

Note that verify(IdToken) only implements a subset of the verification steps, mostly just the MUST steps. Please read ID Token Validation for the full list of verification steps.
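The following is an added example, not code from the library or its documentation: a hypothetical wrapper class, StrictIdTokenCheck, that refuses to build a verifier with the issuer or audience check suppressed and then applies the nonce and azp checks from ID Token Validation after verify(IdToken) succeeds. The class name, the expectedNonce parameter, the 60-second skew and the use of GsonFactory (from google-http-client-gson) are assumptions of this example.

```java
import com.google.api.client.auth.openidconnect.IdToken;
import com.google.api.client.auth.openidconnect.IdTokenVerifier;
import com.google.api.client.json.gson.GsonFactory;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.List;

// Added example: StrictIdTokenCheck is a hypothetical wrapper, not a library class.
public final class StrictIdTokenCheck {
  private final IdTokenVerifier verifier;
  private final String clientId;

  public StrictIdTokenCheck(String issuer, String clientId) {
    // A null issuer or audience suppresses that check, so refuse to build without both.
    if (issuer == null || clientId == null) {
      throw new IllegalArgumentException("issuer and clientId are required");
    }
    this.clientId = clientId;
    this.verifier = new IdTokenVerifier.Builder()
        .setIssuer(issuer)
        .setAudience(Collections.singletonList(clientId))
        .setAcceptableTimeSkewSeconds(60) // assumption: tighter than the 5-minute default
        .build();
  }

  // expectedNonce is the value this client sent in the authentication request.
  public IdToken check(String rawIdToken, String expectedNonce) throws IOException {
    IdToken token = IdToken.parse(GsonFactory.getDefaultInstance(), rawIdToken);
    if (!verifier.verify(token)) {
      throw new SecurityException("ID token rejected by IdTokenVerifier.verify");
    }
    IdToken.Payload payload = token.getPayload();
    // Nonce: must be present and equal to what was sent (constant-time comparison).
    String nonce = payload.getNonce();
    if (nonce == null || expectedNonce == null || !MessageDigest.isEqual(
        nonce.getBytes(StandardCharsets.UTF_8), expectedNonce.getBytes(StandardCharsets.UTF_8))) {
      throw new SecurityException("nonce missing or does not match the request");
    }
    // azp: required when there are several audiences, and must name this client if present.
    List<String> audiences = payload.getAudienceAsList();
    String azp = payload.getAuthorizedParty();
    if ((azp == null && audiences.size() > 1) || (azp != null && !azp.equals(clientId))) {
      throw new SecurityException("azp claim missing or names another client");
    }
    return token;
  }
}
```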

Since:
1.16
  • Field Details

    • LOGGER

      private static final Logger LOGGER
    • IAP_CERT_URL

      private static final String IAP_CERT_URL
    • FEDERATED_SIGNON_CERT_URL

      private static final String FEDERATED_SIGNON_CERT_URL
    • SUPPORTED_ALGORITHMS

      private static final Set<String> SUPPORTED_ALGORITHMS
    • NOT_SUPPORTED_ALGORITHM

      private static final String NOT_SUPPORTED_ALGORITHM
    • HTTP_TRANSPORT

      static final com.google.api.client.http.HttpTransport HTTP_TRANSPORT
    • SKIP_SIGNATURE_ENV_VAR

      static final String SKIP_SIGNATURE_ENV_VAR
    • DEFAULT_TIME_SKEW_SECONDS

      public static final long DEFAULT_TIME_SKEW_SECONDS
      Default value for seconds of time skew to accept when verifying time (5 minutes).
    • clock

      private final com.google.api.client.util.Clock clock
      Clock to use for expiration checks.
    • certificatesLocation

      private final String certificatesLocation
    • environment

      private final Environment environment
    • publicKeyCache

      private final com.google.common.cache.LoadingCache<String,Map<String,PublicKey>> publicKeyCache
    • acceptableTimeSkewSeconds

      private final long acceptableTimeSkewSeconds
      Seconds of time skew to accept when verifying time.
    • issuers

      private final Collection<String> issuers
      Unmodifiable collection of equivalent expected issuers, or null to suppress the issuer check.
    • audience

      private final Collection<String> audience
      Unmodifiable list of trusted audience client IDs, or null to suppress the audience check.
  • Constructor Details

    • IdTokenVerifier

      public IdTokenVerifier()
    • IdTokenVerifier

      protected IdTokenVerifier(IdTokenVerifier.Builder builder)
      Parameters:
      builder - builder
  • Method Details

    • getClock

      public final com.google.api.client.util.Clock getClock()
      Returns the clock.
    • getAcceptableTimeSkewSeconds

      public final long getAcceptableTimeSkewSeconds()
      Returns the seconds of time skew to accept when verifying time.
    • getIssuer

      public final String getIssuer()
      Returns the first of the equivalent expected issuers, or null if the issuer check is suppressed.
    • getIssuers

      public final Collection<String> getIssuers()
      Returns the equivalent expected issuers, or null if the issuer check is suppressed.
      Since:
      1.21.0
    • getAudience

      public final Collection<String> getAudience()
      Returns the unmodifiable list of trusted audience client IDs, or null if the audience check is suppressed.
    • verify

      public boolean verify(IdToken idToken)
      Verifies that the given ID token is valid using the cached public keys. It verifies:

      Overriding is allowed, but it must call the super implementation.

      Parameters:
      idToken - ID token
      Returns:
      true if the token was verified successfully, or false if verification failed
    • verifySignature

      boolean verifySignature(IdToken idToken) throws IdTokenVerifier.VerificationException
      Throws:
      IdTokenVerifier.VerificationException
    • getCertificateLocation

      private String getCertificateLocation(com.google.api.client.json.webtoken.JsonWebSignature.Header header) throws IdTokenVerifier.VerificationException
      Throws:
      IdTokenVerifier.VerificationException