Class IdTokenVerifier


  • @Beta
    public class IdTokenVerifier
    extends java.lang.Object
    Thread-safe ID token verifier based on ID Token Validation.

    Call verify(IdToken) to verify an ID token. This is a light-weight object, so you may use a new instance for each configuration of expected issuer and trusted client IDs. Sample usage:

        IdTokenVerifier verifier = new IdTokenVerifier.Builder()
            .setIssuer("issuer.example.com")
            .setAudience(Arrays.asList("myClientId"))
            .build();
        ...
        if (!verifier.verify(idToken)) {...}
     

    Note that verify(IdToken) only implements a subset of the verification steps, mostly just the MUST steps. Please read ID Token Validation for the full list of verification steps.

    Since:
    1.16
    • Field Summary

      Fields 
      Modifier and Type Field Description
      private long acceptableTimeSkewSeconds
      Seconds of time skew to accept when verifying time.
      private java.util.Collection<java.lang.String> audience
      Unmodifiable list of trusted audience client IDs or null to suppress the audience check.
      private java.lang.String certificatesLocation  
      private com.google.api.client.util.Clock clock
      Clock to use for expiration checks.
      static long DEFAULT_TIME_SKEW_SECONDS
      Default value for seconds of time skew to accept when verifying time (5 minutes).
      private Environment environment  
      private static java.lang.String FEDERATED_SIGNON_CERT_URL  
      (package private) static com.google.api.client.http.HttpTransport HTTP_TRANSPORT  
      private static java.lang.String IAP_CERT_URL  
      private java.util.Collection<java.lang.String> issuers
      Unmodifiable collection of equivalent expected issuers or null to suppress the issuer check.
      private static java.util.logging.Logger LOGGER  
      private static java.lang.String NOT_SUPPORTED_ALGORITHM  
      private com.google.common.cache.LoadingCache<java.lang.String,​java.util.Map<java.lang.String,​java.security.PublicKey>> publicKeyCache  
      (package private) static java.lang.String SKIP_SIGNATURE_ENV_VAR  
      private static java.util.Set<java.lang.String> SUPPORTED_ALGORITHMS  
    • Method Summary

      Modifier and Type Method Description
      long getAcceptableTimeSkewSeconds()
      Returns the seconds of time skew to accept when verifying time.
      java.util.Collection<java.lang.String> getAudience()
      Returns the unmodifiable list of trusted audience client IDs or null to suppress the audience check.
      private java.lang.String getCertificateLocation​(com.google.api.client.json.webtoken.JsonWebSignature.Header header)  
      com.google.api.client.util.Clock getClock()
      Returns the clock.
      java.lang.String getIssuer()
      Returns the first of the equivalent expected issuers, or null if the issuer check is suppressed.
      java.util.Collection<java.lang.String> getIssuers()
      Returns the equivalent expected issuers, or null if the issuer check is suppressed.
      boolean verify​(IdToken idToken)
      Verifies that the given ID token is valid using the cached public keys.
      (package private) boolean verifySignature​(IdToken idToken)  
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • LOGGER

        private static final java.util.logging.Logger LOGGER
      • FEDERATED_SIGNON_CERT_URL

        private static final java.lang.String FEDERATED_SIGNON_CERT_URL
        See Also:
        Constant Field Values
      • SUPPORTED_ALGORITHMS

        private static final java.util.Set<java.lang.String> SUPPORTED_ALGORITHMS
      • NOT_SUPPORTED_ALGORITHM

        private static final java.lang.String NOT_SUPPORTED_ALGORITHM
        See Also:
        Constant Field Values
      • HTTP_TRANSPORT

        static final com.google.api.client.http.HttpTransport HTTP_TRANSPORT
      • SKIP_SIGNATURE_ENV_VAR

        static final java.lang.String SKIP_SIGNATURE_ENV_VAR
        See Also:
        Constant Field Values
      • DEFAULT_TIME_SKEW_SECONDS

        public static final long DEFAULT_TIME_SKEW_SECONDS
        Default value for seconds of time skew to accept when verifying time (5 minutes).
        See Also:
        Constant Field Values
      • clock

        private final com.google.api.client.util.Clock clock
        Clock to use for expiration checks.
      • certificatesLocation

        private final java.lang.String certificatesLocation
      • publicKeyCache

        private final com.google.common.cache.LoadingCache<java.lang.String,​java.util.Map<java.lang.String,​java.security.PublicKey>> publicKeyCache
      • acceptableTimeSkewSeconds

        private final long acceptableTimeSkewSeconds
        Seconds of time skew to accept when verifying time.
      • issuers

        private final java.util.Collection<java.lang.String> issuers
        Unmodifiable collection of equivalent expected issuers or null to suppress the issuer check.
      • audience

        private final java.util.Collection<java.lang.String> audience
        Unmodifiable list of trusted audience client IDs or null to suppress the audience check.
    • Constructor Detail

      • IdTokenVerifier

        public IdTokenVerifier()
    • Method Detail

      • getClock

        public final com.google.api.client.util.Clock getClock()
        Returns the clock.
      • getAcceptableTimeSkewSeconds

        public final long getAcceptableTimeSkewSeconds()
        Returns the seconds of time skew to accept when verifying time.
      • getIssuer

        public final java.lang.String getIssuer()
        Returns the first of the equivalent expected issuers, or null if the issuer check is suppressed.
      • getIssuers

        public final java.util.Collection<java.lang.String> getIssuers()
        Returns the equivalent expected issuers, or null if the issuer check is suppressed.
        Since:
        1.21.0
      • getAudience

        public final java.util.Collection<java.lang.String> getAudience()
        Returns the unmodifiable list of trusted audience client IDs or null to suppress the audience check.
      • verify

        public boolean verify​(IdToken idToken)
        Verifies that the given ID token is valid using the cached public keys. It verifies:

        Overriding is allowed, but it must call the super implementation.

        Parameters:
        idToken - ID token
        Returns:
        true if verified successfully or false if failed
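The following is an added example, not code from the google-oauth-client library or this Javadoc. It ties together the sample usage above (builder with issuer and audience) and the rule that an overriding verify(IdToken) must call the super implementation: the subclass keeps the library's checks by delegating to super.verify, then adds two checks the class documents as outside its scope, a nonce match against the value this client sent in the authentication request, and an authorized-party (azp) check against the trusted client IDs. It assumes the library's protected IdTokenVerifier(Builder) constructor, the Builder methods setIssuers, setAudience, setAcceptableTimeSkewSeconds and setClock, IdToken.parse and the IdToken.Payload getters getNonce and getAuthorizedParty, and GsonFactory from google-http-client-gson; the issuer, client ID and package name are hypothetical values.

```java
package example; // hypothetical package for this added example

import com.google.api.client.auth.openidconnect.IdToken;
import com.google.api.client.auth.openidconnect.IdTokenVerifier;
import com.google.api.client.json.gson.GsonFactory;
import com.google.api.client.util.Clock;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Collection;

/**
 * Added example, not library code. Keeps the library's own checks (issuer,
 * audience, time skew, signature) by delegating to super.verify(IdToken), then
 * adds the nonce and authorized-party checks that verify(IdToken) leaves to the
 * application.
 */
public final class NonceCheckingIdTokenVerifier extends IdTokenVerifier {

  private final String expectedNonce;

  /** Assumes the library's protected IdTokenVerifier(Builder) constructor (not listed on this page). */
  public NonceCheckingIdTokenVerifier(IdTokenVerifier.Builder builder, String expectedNonce) {
    super(builder);
    this.expectedNonce = expectedNonce;
  }

  @Override
  public boolean verify(IdToken idToken) {
    // Overriding is allowed but must call the super implementation; that is where
    // the issuer, audience, time and signature checks happen. Fail closed on any
    // failure there before looking at further claims.
    if (!super.verify(idToken)) {
      return false;
    }
    IdToken.Payload payload = idToken.getPayload();

    // Nonce: this client sent one in the authentication request, so the token
    // must carry it back. Compare in constant time so the comparison leaks
    // nothing about the expected value.
    String nonce = payload.getNonce();
    if (nonce == null || !constantTimeEquals(nonce, expectedNonce)) {
      return false;
    }

    // azp: an optional claim, but when present it must name one of our own
    // client IDs (the same trusted set the audience check uses).
    String azp = payload.getAuthorizedParty();
    Collection<String> trusted = getAudience();
    if (azp != null && (trusted == null || !trusted.contains(azp))) {
      return false;
    }
    return true;
  }

  private static boolean constantTimeEquals(String a, String b) {
    return MessageDigest.isEqual(
        a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
  }

  /** Usage: args[0] is the raw ID token (JWT string), args[1] the nonce sent in the request. */
  public static void main(String[] args) throws IOException {
    // Clock is a single-method interface, so a lambda such as
    // `Clock fixed = () -> 1_700_000_000_000L;` gives a deterministic clock for
    // tests; production keeps the default system clock.
    Clock clock = Clock.SYSTEM;
    IdTokenVerifier.Builder builder =
        new IdTokenVerifier.Builder()
            // hypothetical issuer, listed in both spellings the provider may use
            .setIssuers(Arrays.asList("https://accounts.example.com", "accounts.example.com"))
            // hypothetical trusted client ID; also used for the azp check above
            .setAudience(Arrays.asList("my-client-id.apps.example"))
            // tighter than the 5-minute DEFAULT_TIME_SKEW_SECONDS
            .setAcceptableTimeSkewSeconds(60)
            .setClock(clock);
    NonceCheckingIdTokenVerifier verifier = new NonceCheckingIdTokenVerifier(builder, args[1]);

    IdToken idToken = IdToken.parse(GsonFactory.getDefaultInstance(), args[0]);
    System.out.println(verifier.verify(idToken) ? "ID token accepted" : "ID token rejected");
  }
}
```

Because the subclass is built from the library's Builder, every configuration option on this page (issuers, audience, clock, time skew) still applies, and setting the issuer or audience to null still suppresses that check in the super call; the added checks return false rather than throwing so that the method keeps the boolean contract documented for verify(IdToken).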