Package com.google.api.client.auth.openidconnect

Class IdToken

  • @Beta
public class IdToken
extends com.google.api.client.json.webtoken.JsonWebSignature
    Beta
    ID token as described in ID Token.

    Use parse(JsonFactory, String) to parse an ID token from a string. Then, use the verify methods to verify the ID token as required by the specification.

    Implementation is not thread-safe.

    Since:
    1.14

    • Nested Class Summary

      Nested Classes 
      Modifier and Type Class Description
      static class  IdToken.Payload
      Beta
      ID token payload.

      • Nested classes/interfaces inherited from class com.google.api.client.json.webtoken.JsonWebSignature

        com.google.api.client.json.webtoken.JsonWebSignature.Header, com.google.api.client.json.webtoken.JsonWebSignature.Parser

    • Constructor Summary

      Constructors 
      Constructor Description
      IdToken​(com.google.api.client.json.webtoken.JsonWebSignature.Header header, IdToken.Payload payload, byte[] signatureBytes, byte[] signedContentBytes)  

    • Method Summary

      All Methods Static Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      IdToken.Payload getPayload()  
      static IdToken parse​(com.google.api.client.json.JsonFactory jsonFactory, java.lang.String idTokenString)
      Parses the given ID token string and returns the parsed ID token.
      boolean verifyAudience​(java.util.Collection<java.lang.String> trustedClientIds)
      Returns whether the audience in the payload contains only client IDs that are trusted as specified in step 2 of ID Token Validation.
      boolean verifyExpirationTime​(long currentTimeMillis, long acceptableTimeSkewSeconds)
      Returns whether the JsonWebToken.Payload.getExpirationTimeSeconds() is valid relative to the current time, allowing for a clock skew as specified in step 5 of ID Token Validation.
      boolean verifyIssuedAtTime​(long currentTimeMillis, long acceptableTimeSkewSeconds)
      Returns whether the JsonWebToken.Payload.getIssuedAtTimeSeconds() is valid relative to the current time, allowing for a clock skew as specified in step 6 of ID Token Validation.
      boolean verifyIssuer​(java.lang.String expectedIssuer)
      Returns whether the issuer in the payload matches the given expected issuer as specified in step 1 of ID Token Validation.
      boolean verifyIssuer​(java.util.Collection<java.lang.String> expectedIssuer)
      Returns whether the issuer in the payload matches the given expected issuer as specified in step 1 of ID Token Validation.
      boolean verifyTime​(long currentTimeMillis, long acceptableTimeSkewSeconds)
      Returns whether the JsonWebToken.Payload.getExpirationTimeSeconds() and JsonWebToken.Payload.getIssuedAtTimeSeconds() are valid relative to the current time, allowing for a clock skew as specified in steps 5 and 6 of ID Token Validation.

      • Methods inherited from class com.google.api.client.json.webtoken.JsonWebSignature

        getHeader, getSignatureBytes, getSignedContentBytes, parser, signUsingRsaSha256, verifySignature, verifySignature, verifySignature

      • Methods inherited from class com.google.api.client.json.webtoken.JsonWebToken

        toString

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

    • Constructor Detail

      • IdToken

        public IdToken​(com.google.api.client.json.webtoken.JsonWebSignature.Header header,
               IdToken.Payload payload,
               byte[] signatureBytes,
               byte[] signedContentBytes)
        Parameters:
        header - header
        payload - payload
        signatureBytes - bytes of the signature
        signedContentBytes - bytes of the signature content

    • Method Detail

      • getPayload

        public IdToken.Payload getPayload()
        Overrides:
        getPayload in class com.google.api.client.json.webtoken.JsonWebToken

      • verifyIssuer

        public final boolean verifyIssuer​(java.lang.String expectedIssuer)
        Returns whether the issuer in the payload matches the given expected issuer as specified in step 1 of ID Token Validation.
        Parameters:
        expectedIssuer - expected issuer

      • verifyIssuer

        public final boolean verifyIssuer​(java.util.Collection<java.lang.String> expectedIssuer)
        Returns whether the issuer in the payload matches the given expected issuer as specified in step 1 of ID Token Validation. When an issuer is migrating to a new issuer string the expected issuer has multiple aliases, so multiple are permitted here.
        Since:
        1.21.0

      • verifyAudience

        public final boolean verifyAudience​(java.util.Collection<java.lang.String> trustedClientIds)
        Returns whether the audience in the payload contains only client IDs that are trusted as specified in step 2 of ID Token Validation.
        Parameters:
        trustedClientIds - list of trusted client IDs

      • verifyTime

        public final boolean verifyTime​(long currentTimeMillis,
                                long acceptableTimeSkewSeconds)
        Returns whether the JsonWebToken.Payload.getExpirationTimeSeconds() and JsonWebToken.Payload.getIssuedAtTimeSeconds() are valid relative to the current time, allowing for a clock skew as specified in steps 5 and 6 of ID Token Validation.
        Parameters:
        currentTimeMillis - current time in milliseconds (typically System.currentTimeMillis())
        acceptableTimeSkewSeconds - seconds of acceptable clock skew

      • verifyExpirationTime

        public final boolean verifyExpirationTime​(long currentTimeMillis,
                                          long acceptableTimeSkewSeconds)
        Returns whether the JsonWebToken.Payload.getExpirationTimeSeconds() is valid relative to the current time, allowing for a clock skew as specified in step 5 of ID Token Validation.
        Parameters:
        currentTimeMillis - current time in milliseconds (typically System.currentTimeMillis())
        acceptableTimeSkewSeconds - seconds of acceptable clock skew

      • verifyIssuedAtTime

        public final boolean verifyIssuedAtTime​(long currentTimeMillis,
                                        long acceptableTimeSkewSeconds)
        Returns whether the JsonWebToken.Payload.getIssuedAtTimeSeconds() is valid relative to the current time, allowing for a clock skew as specified in step 6 of ID Token Validation.
        Parameters:
        currentTimeMillis - current time in milliseconds (typically System.currentTimeMillis())
        acceptableTimeSkewSeconds - seconds of acceptable clock skew

      • parse

        public static IdToken parse​(com.google.api.client.json.JsonFactory jsonFactory,
                            java.lang.String idTokenString)
                     throws java.io.IOException
        Parses the given ID token string and returns the parsed ID token.
        Parameters:
        jsonFactory - JSON factory
        idTokenString - ID token string
        Returns:
        parsed ID token
        Throws:
        java.io.IOException