Class IdTokenVerifier
java.lang.Object
    com.google.api.client.auth.openidconnect.IdTokenVerifier

Beta

Thread-safe ID token verifier based on ID Token Validation.

Call verify(IdToken) to verify an ID token. This is a light-weight object, so you may use a new instance for each configuration of expected issuer and trusted client IDs. Sample usage:

    IdTokenVerifier verifier = new IdTokenVerifier.Builder()
        .setIssuer("issuer.example.com")
        .setAudience(Arrays.asList("myClientId"))
        .build();
    ...
    if (!verifier.verify(idToken)) {...}

Note that verify(IdToken) only implements a subset of the verification steps, mostly just the MUST steps. Please read ID Token Validation for the full list of verification steps.

- Since:
  1.16
Nested Class Summary

Nested Classes
Modifier and Type | Class | Description
static class | IdTokenVerifier.Builder | Builder for IdTokenVerifier.
(package private) static class | | Custom CacheLoader for mapping certificate urls to the contained public keys.
(package private) static class | IdTokenVerifier.VerificationException | Custom exception for wrapping all verification errors.
Field Summary

Fields
Modifier and Type | Field | Description
private final long | acceptableTimeSkewSeconds | Seconds of time skew to accept when verifying time.
private final Collection<String> | audience | Unmodifiable list of trusted audience client IDs or null to suppress the audience check.
private final String | certificatesLocation |
private final com.google.api.client.util.Clock | clock | Clock to use for expiration checks.
static final long | DEFAULT_TIME_SKEW_SECONDS | Default value for seconds of time skew to accept when verifying time (5 minutes).
private final Environment | environment |
private static final String | FEDERATED_SIGNON_CERT_URL |
(package private) static final com.google.api.client.http.HttpTransport | HTTP_TRANSPORT |
private static final String | IAP_CERT_URL |
private final Collection<String> | issuers | Unmodifiable collection of equivalent expected issuers or null to suppress the issuer check.
private static final Logger | LOGGER |
private static final String | NOT_SUPPORTED_ALGORITHM |
| publicKeyCache |
(package private) static final String | SKIP_SIGNATURE_ENV_VAR |
| SUPPORTED_ALGORITHMS |
Constructor Summary

Constructors
IdTokenVerifier()
IdTokenVerifier(IdTokenVerifier.Builder builder)
Method Summary

Modifier and Type | Method | Description
final long | getAcceptableTimeSkewSeconds() | Returns the seconds of time skew to accept when verifying time.
final Collection<String> | getAudience() | Returns the unmodifiable list of trusted audience client IDs or null to suppress the audience check.
private String | getCertificateLocation(com.google.api.client.json.webtoken.JsonWebSignature.Header header) |
final com.google.api.client.util.Clock | getClock() | Returns the clock.
final String | getIssuer() | Returns the first of equivalent expected issuers or null if issuer check suppressed.
final Collection<String> | getIssuers() | Returns the equivalent expected issuers or null if issuer check suppressed.
boolean | verify(IdToken idToken) | Verifies that the given ID token is valid using the cached public keys.
(package private) boolean | verifySignature(IdToken idToken) |
Field Details

- LOGGER
  private static final Logger LOGGER

- IAP_CERT_URL
  private static final String IAP_CERT_URL

- FEDERATED_SIGNON_CERT_URL
  private static final String FEDERATED_SIGNON_CERT_URL

- SUPPORTED_ALGORITHMS

- NOT_SUPPORTED_ALGORITHM
  private static final String NOT_SUPPORTED_ALGORITHM

- HTTP_TRANSPORT
  static final com.google.api.client.http.HttpTransport HTTP_TRANSPORT

- SKIP_SIGNATURE_ENV_VAR
  static final String SKIP_SIGNATURE_ENV_VAR

- DEFAULT_TIME_SKEW_SECONDS
  public static final long DEFAULT_TIME_SKEW_SECONDS
  Default value for seconds of time skew to accept when verifying time (5 minutes).

- clock
  private final com.google.api.client.util.Clock clock
  Clock to use for expiration checks.

- certificatesLocation
  private final String certificatesLocation

- environment
  private final Environment environment

- publicKeyCache

- acceptableTimeSkewSeconds
  private final long acceptableTimeSkewSeconds
  Seconds of time skew to accept when verifying time.

- issuers
  private final Collection<String> issuers
  Unmodifiable collection of equivalent expected issuers or null to suppress the issuer check.

- audience
  private final Collection<String> audience
  Unmodifiable list of trusted audience client IDs or null to suppress the audience check.
Constructor Details

- IdTokenVerifier
  public IdTokenVerifier()

- IdTokenVerifier
  IdTokenVerifier(IdTokenVerifier.Builder builder)
  - Parameters:
    builder - builder
Method Details

- getClock
  public final com.google.api.client.util.Clock getClock()
  Returns the clock.

- getAcceptableTimeSkewSeconds
  public final long getAcceptableTimeSkewSeconds()
  Returns the seconds of time skew to accept when verifying time.

- getIssuer
  public final String getIssuer()
  Returns the first of equivalent expected issuers or null if issuer check suppressed.

- getIssuers
  public final Collection<String> getIssuers()
  Returns the equivalent expected issuers or null if issuer check suppressed.
  - Since:
    1.21.0

- getAudience
  public final Collection<String> getAudience()
  Returns the unmodifiable list of trusted audience client IDs or null to suppress the audience check.

- verify
  public boolean verify(IdToken idToken)
  Verifies that the given ID token is valid using the cached public keys. It verifies:
  - The issuer is one of getIssuers(), by calling IdToken.verifyIssuer(String).
  - The audience is one of getAudience(), by calling IdToken.verifyAudience(Collection).
  - The current time against the issued-at and expiration time, using getClock() and allowing for the time skew specified in getAcceptableTimeSkewSeconds(), by calling IdToken.verifyTime(long, long).
  - The token signature, per the current OpenID Connect spec: https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation. By default, the method gets a certificate from a well-known location. The request to the certificate location is performed using NetHttpTransport. Both the certificate location and the transport implementation can be overridden via IdTokenVerifier.Builder. Not recommended: this check can be disabled by setting the OAUTH_CLIENT_SKIP_SIGNATURE environment variable to true.

  Overriding is allowed, but it must call the super implementation.
  - Parameters:
    idToken - ID token
  - Returns:
    true if verified successfully or false if failed
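As an added example (not code from the library's Javadoc), the following shows the verifier built for one issuer/audience configuration and reused across threads, followed by a nonce comparison, which is one of the ID Token Validation steps that verify(IdToken) does not perform. The issuer, client ID, raw token and expected nonce are hypothetical placeholders; GsonFactory from google-http-client-gson is assumed to be on the classpath.

```java
import com.google.api.client.auth.openidconnect.IdToken;
import com.google.api.client.auth.openidconnect.IdTokenVerifier;
import com.google.api.client.json.gson.GsonFactory;
import com.google.api.client.util.Clock;
import java.io.IOException;
import java.util.Arrays;

public final class IdTokenCheck {
  // Hypothetical values: replace with the issuer and client ID your deployment expects.
  private static final String EXPECTED_ISSUER = "https://issuer.example.com";
  private static final String CLIENT_ID = "myClientId";

  // One verifier per (issuer, audience) configuration. The object is thread-safe,
  // so a single instance can serve every request. setIssuers lists equivalent
  // spellings of the same issuer, as some providers emit "iss" with and without
  // the scheme; any other value is rejected.
  private static final IdTokenVerifier VERIFIER =
      new IdTokenVerifier.Builder()
          .setIssuers(Arrays.asList(EXPECTED_ISSUER, "issuer.example.com"))
          .setAudience(Arrays.asList(CLIENT_ID))
          .setClock(Clock.SYSTEM)
          .setAcceptableTimeSkewSeconds(IdTokenVerifier.DEFAULT_TIME_SKEW_SECONDS)
          .build();

  /**
   * Returns the token's subject when every check passes, otherwise null.
   * verify(IdToken) covers issuer, audience, iat/exp within the skew window and
   * the signature against the cached public keys; the nonce comparison below is
   * an additional spec step the verifier leaves to the caller.
   */
  static String verifiedSubject(String rawIdToken, String expectedNonce) {
    IdToken idToken;
    try {
      idToken = IdToken.parse(GsonFactory.getDefaultInstance(), rawIdToken);
    } catch (IOException | IllegalArgumentException e) {
      return null; // malformed JWT: wrong segment count or invalid JSON
    }
    if (!VERIFIER.verify(idToken)) {
      return null; // issuer, audience, time window or signature check failed
    }
    // Binds the token to the authentication request that produced it (replay defence).
    if (expectedNonce != null && !expectedNonce.equals(idToken.getPayload().getNonce())) {
      return null;
    }
    return idToken.getPayload().getSubject();
  }
}
```

verify(IdToken) returns false rather than throwing on a failed check, so callers must treat every null from verifiedSubject as an unauthenticated request.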
- verifySignature
  boolean verifySignature(IdToken idToken)

- getCertificateLocation
  private String getCertificateLocation(com.google.api.client.json.webtoken.JsonWebSignature.Header header) throws IdTokenVerifier.VerificationException