Class IdToken
java.lang.Object
com.google.api.client.json.webtoken.JsonWebToken
com.google.api.client.json.webtoken.JsonWebSignature
com.google.api.client.auth.openidconnect.IdToken
@Beta
public class IdToken
extends com.google.api.client.json.webtoken.JsonWebSignature
Beta
ID token as described in ID Token.
Use parse(JsonFactory, String)
to parse an ID token from a string. Then, use the
verify
methods to verify the ID token as required by the specification.
Implementation is not thread-safe.
- Since:
- 1.14
-
Nested Class Summary
Nested ClassesNested classes/interfaces inherited from class com.google.api.client.json.webtoken.JsonWebSignature
com.google.api.client.json.webtoken.JsonWebSignature.Header, com.google.api.client.json.webtoken.JsonWebSignature.Parser
-
Constructor Summary
ConstructorsConstructorDescriptionIdToken
(com.google.api.client.json.webtoken.JsonWebSignature.Header header, IdToken.Payload payload, byte[] signatureBytes, byte[] signedContentBytes) -
Method Summary
Modifier and TypeMethodDescriptionstatic IdToken
Parses the given ID token string and returns the parsed ID token.final boolean
verifyAudience
(Collection<String> trustedClientIds) Returns whether the audience in the payload contains only client IDs that are trusted as specified in step 2 of ID Token Validation.final boolean
verifyExpirationTime
(long currentTimeMillis, long acceptableTimeSkewSeconds) Returns whether theJsonWebToken.Payload.getExpirationTimeSeconds()
is valid relative to the current time, allowing for a clock skew as specified in step 5 of ID Token Validation.final boolean
verifyIssuedAtTime
(long currentTimeMillis, long acceptableTimeSkewSeconds) Returns whether theJsonWebToken.Payload.getIssuedAtTimeSeconds()
is valid relative to the current time, allowing for a clock skew as specified in step 6 of ID Token Validation.final boolean
verifyIssuer
(String expectedIssuer) Returns whether the issuer in the payload matches the given expected issuer as specified in step 1 of ID Token Validation.final boolean
verifyIssuer
(Collection<String> expectedIssuer) Returns whether the issuer in the payload matches the given expected issuer as specified in step 1 of ID Token Validation.final boolean
verifyTime
(long currentTimeMillis, long acceptableTimeSkewSeconds) Returns whether theJsonWebToken.Payload.getExpirationTimeSeconds()
andJsonWebToken.Payload.getIssuedAtTimeSeconds()
are valid relative to the current time, allowing for a clock skew as specified in steps 5 and 6 of ID Token Validation.Methods inherited from class com.google.api.client.json.webtoken.JsonWebSignature
getHeader, getSignatureBytes, getSignedContentBytes, parser, signUsingRsaSha256, verifySignature, verifySignature, verifySignature
Methods inherited from class com.google.api.client.json.webtoken.JsonWebToken
toString
-
Constructor Details
-
IdToken
public IdToken(com.google.api.client.json.webtoken.JsonWebSignature.Header header, IdToken.Payload payload, byte[] signatureBytes, byte[] signedContentBytes) - Parameters:
header
- headerpayload
- payloadsignatureBytes
- bytes of the signaturesignedContentBytes
- bytes of the signature content
-
-
Method Details
-
getPayload
- Overrides:
getPayload
in classcom.google.api.client.json.webtoken.JsonWebToken
-
verifyIssuer
Returns whether the issuer in the payload matches the given expected issuer as specified in step 1 of ID Token Validation.- Parameters:
expectedIssuer
- expected issuer
-
verifyIssuer
Returns whether the issuer in the payload matches the given expected issuer as specified in step 1 of ID Token Validation. When an issuer is migrating to a new issuer string the expected issuer has multiple aliases, so multiple are permitted here.- Since:
- 1.21.0
-
verifyAudience
Returns whether the audience in the payload contains only client IDs that are trusted as specified in step 2 of ID Token Validation.- Parameters:
trustedClientIds
- list of trusted client IDs
-
verifyTime
public final boolean verifyTime(long currentTimeMillis, long acceptableTimeSkewSeconds) Returns whether theJsonWebToken.Payload.getExpirationTimeSeconds()
andJsonWebToken.Payload.getIssuedAtTimeSeconds()
are valid relative to the current time, allowing for a clock skew as specified in steps 5 and 6 of ID Token Validation.- Parameters:
currentTimeMillis
- current time in milliseconds (typicallySystem.currentTimeMillis()
)acceptableTimeSkewSeconds
- seconds of acceptable clock skew
-
verifyExpirationTime
public final boolean verifyExpirationTime(long currentTimeMillis, long acceptableTimeSkewSeconds) Returns whether theJsonWebToken.Payload.getExpirationTimeSeconds()
is valid relative to the current time, allowing for a clock skew as specified in step 5 of ID Token Validation.- Parameters:
currentTimeMillis
- current time in milliseconds (typicallySystem.currentTimeMillis()
)acceptableTimeSkewSeconds
- seconds of acceptable clock skew
-
verifyIssuedAtTime
public final boolean verifyIssuedAtTime(long currentTimeMillis, long acceptableTimeSkewSeconds) Returns whether theJsonWebToken.Payload.getIssuedAtTimeSeconds()
is valid relative to the current time, allowing for a clock skew as specified in step 6 of ID Token Validation.- Parameters:
currentTimeMillis
- current time in milliseconds (typicallySystem.currentTimeMillis()
)acceptableTimeSkewSeconds
- seconds of acceptable clock skew
-
parse
public static IdToken parse(com.google.api.client.json.JsonFactory jsonFactory, String idTokenString) throws IOException Parses the given ID token string and returns the parsed ID token.- Parameters:
jsonFactory
- JSON factoryidTokenString
- ID token string- Returns:
- parsed ID token
- Throws:
IOException
-