Class IdTokenVerifier
- java.lang.Object
  - com.google.api.client.auth.openidconnect.IdTokenVerifier

@Beta
public class IdTokenVerifier extends java.lang.Object
Thread-safe ID token verifier based on the ID Token Validation section of OpenID Connect Core. Call verify(IdToken) to verify an ID token. This is a light-weight object, so you may use a new instance for each configuration of expected issuer and trusted client IDs. Sample usage:

  IdTokenVerifier verifier = new IdTokenVerifier.Builder()
      .setIssuer("issuer.example.com")
      .setAudience(Arrays.asList("myClientId"))
      .build();
  ...
  if (!verifier.verify(idToken)) {...}

Note that verify(IdToken) only implements a subset of the verification steps, mostly just the MUST steps. Please read ID Token Validation for the full list of verification steps. Also note that a null issuer or audience configuration suppresses the corresponding check entirely (see getIssuers() and getAudience()), so both should be set for any token you intend to trust.
- Since:
  - 1.16
Nested Class Summary
Nested Classes
- static class IdTokenVerifier.Builder
- (package private) static class IdTokenVerifier.DefaultHttpTransportFactory
- (package private) static class IdTokenVerifier.PublicKeyLoader: Custom CacheLoader for mapping certificate urls to the contained public keys.
- (package private) static class IdTokenVerifier.VerificationException: Custom exception for wrapping all verification errors.
-
Field Summary
Fields
- private long acceptableTimeSkewSeconds: Seconds of time skew to accept when verifying time.
- private java.util.Collection<java.lang.String> audience: Unmodifiable list of trusted audience client IDs or null to suppress the audience check.
- private java.lang.String certificatesLocation
- private com.google.api.client.util.Clock clock: Clock to use for expiration checks.
- static long DEFAULT_TIME_SKEW_SECONDS: Default value for seconds of time skew to accept when verifying time (5 minutes).
- private Environment environment
- private static java.lang.String FEDERATED_SIGNON_CERT_URL
- (package private) static com.google.api.client.http.HttpTransport HTTP_TRANSPORT
- private static java.lang.String IAP_CERT_URL
- private java.util.Collection<java.lang.String> issuers: Unmodifiable collection of equivalent expected issuers or null to suppress the issuer check.
- private static java.util.logging.Logger LOGGER
- private static java.lang.String NOT_SUPPORTED_ALGORITHM
- private com.google.common.cache.LoadingCache<java.lang.String,java.util.Map<java.lang.String,java.security.PublicKey>> publicKeyCache
- (package private) static java.lang.String SKIP_SIGNATURE_ENV_VAR
- private static java.util.Set<java.lang.String> SUPPORTED_ALGORITHMS
-
Constructor Summary
Constructors
- IdTokenVerifier()
- protected IdTokenVerifier(IdTokenVerifier.Builder builder)
-
Method Summary
All Methods / Instance Methods / Concrete Methods
- long getAcceptableTimeSkewSeconds(): Returns the seconds of time skew to accept when verifying time.
- java.util.Collection<java.lang.String> getAudience(): Returns the unmodifiable list of trusted audience client IDs or null to suppress the audience check.
- private java.lang.String getCertificateLocation(com.google.api.client.json.webtoken.JsonWebSignature.Header header)
- com.google.api.client.util.Clock getClock(): Returns the clock.
- java.lang.String getIssuer(): Returns the first of equivalent expected issuers or null if issuer check suppressed.
- java.util.Collection<java.lang.String> getIssuers(): Returns the equivalent expected issuers or null if issuer check suppressed.
- boolean verify(IdToken idToken): Verifies that the given ID token is valid using the cached public keys.
- (package private) boolean verifySignature(IdToken idToken)
-
-
-
Field Detail
-
LOGGER
private static final java.util.logging.Logger LOGGER
-
IAP_CERT_URL
private static final java.lang.String IAP_CERT_URL
- See Also:
- Constant Field Values
-
FEDERATED_SIGNON_CERT_URL
private static final java.lang.String FEDERATED_SIGNON_CERT_URL
- See Also:
- Constant Field Values
-
SUPPORTED_ALGORITHMS
private static final java.util.Set<java.lang.String> SUPPORTED_ALGORITHMS
-
NOT_SUPPORTED_ALGORITHM
private static final java.lang.String NOT_SUPPORTED_ALGORITHM
- See Also:
- Constant Field Values
-
HTTP_TRANSPORT
static final com.google.api.client.http.HttpTransport HTTP_TRANSPORT
-
SKIP_SIGNATURE_ENV_VAR
static final java.lang.String SKIP_SIGNATURE_ENV_VAR
- See Also:
- Constant Field Values
-
DEFAULT_TIME_SKEW_SECONDS
public static final long DEFAULT_TIME_SKEW_SECONDS
Default value for seconds of time skew to accept when verifying time (5 minutes).
- See Also:
- Constant Field Values
-
clock
private final com.google.api.client.util.Clock clock
Clock to use for expiration checks.
-
certificatesLocation
private final java.lang.String certificatesLocation
-
environment
private final Environment environment
-
publicKeyCache
private final com.google.common.cache.LoadingCache<java.lang.String,java.util.Map<java.lang.String,java.security.PublicKey>> publicKeyCache
-
acceptableTimeSkewSeconds
private final long acceptableTimeSkewSeconds
Seconds of time skew to accept when verifying time.
-
issuers
private final java.util.Collection<java.lang.String> issuers
Unmodifiable collection of equivalent expected issuers or null to suppress the issuer check.
-
audience
private final java.util.Collection<java.lang.String> audience
Unmodifiable list of trusted audience client IDs or null to suppress the audience check.
-
-
Constructor Detail
-
IdTokenVerifier
public IdTokenVerifier()
-
IdTokenVerifier
protected IdTokenVerifier(IdTokenVerifier.Builder builder)
- Parameters:
  - builder - builder
-
-
Method Detail
-
getClock
public final com.google.api.client.util.Clock getClock()
Returns the clock.
-
getAcceptableTimeSkewSeconds
public final long getAcceptableTimeSkewSeconds()
Returns the seconds of time skew to accept when verifying time.
-
getIssuer
public final java.lang.String getIssuer()
Returns the first of equivalent expected issuers or null if issuer check suppressed.
-
getIssuers
public final java.util.Collection<java.lang.String> getIssuers()
Returns the equivalent expected issuers or null if issuer check suppressed.
- Since:
  - 1.21.0
-
getAudience
public final java.util.Collection<java.lang.String> getAudience()
Returns the unmodifiable list of trusted audience client IDs or null to suppress the audience check.
-
verify
public boolean verify(IdToken idToken)
Verifies that the given ID token is valid using the cached public keys. It verifies:
- The issuer is one of getIssuers(), by calling IdToken.verifyIssuer(String).
- The audience is one of getAudience(), by calling IdToken.verifyAudience(Collection).
- The current time against the issued-at and expiration time, using getClock() and allowing for the time skew given by getAcceptableTimeSkewSeconds(), by calling IdToken.verifyTime(long, long).
- The token signature, per the current OpenID Connect Core spec: https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation. By default the method fetches the signing certificates from a well-known location; the request to the certificate location is performed using NetHttpTransport. Both the certificate location and the transport implementation can be overridden via IdTokenVerifier.Builder. Not recommended: this check can be disabled by setting the OAUTH_CLIENT_SKIP_SIGNATURE environment variable to true. With the signature check disabled, verify() accepts any token whose claims match the configured issuer, audience and time window regardless of who produced it, so the variable must never be set outside local testing.
Overriding is allowed, but it must call the super implementation.
- Parameters:
  - idToken - ID token
- Returns:
  - true if verified successfully or false if failed
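The following is an added example, not code from the library or its documentation. It wires the builder configuration from the class description to verify(), refuses to run when the OAUTH_CLIENT_SKIP_SIGNATURE override is set, and then performs two ID Token Validation steps that the description above says verify() does not cover: comparing the nonce against the one this client sent, and checking azp when the token lists more than one audience. The issuer strings, client ID and nonce are placeholders, and GsonFactory is assumed to be on the classpath from google-http-client-gson.

```java
import com.google.api.client.auth.openidconnect.IdToken;
import com.google.api.client.auth.openidconnect.IdTokenVerifier;
import com.google.api.client.json.gson.GsonFactory;
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/** Added example: verify an ID token, then apply the checks verify() leaves to the caller. */
public final class IdTokenCheck {

  // Placeholder values for this example; substitute your provider's issuer and your client ID.
  private static final String EXPECTED_ISSUER = "https://issuer.example.com";
  private static final String EXPECTED_CLIENT_ID = "myClientId";

  // Built once and shared: the class is documented as thread-safe.
  private static final IdTokenVerifier VERIFIER =
      new IdTokenVerifier.Builder()
          // Equivalent spellings of the same issuer, as setIssuers() is meant for.
          .setIssuers(Arrays.asList(EXPECTED_ISSUER, "issuer.example.com"))
          // Never leave this null: a null audience suppresses the audience check.
          .setAudience(Collections.singletonList(EXPECTED_CLIENT_ID))
          // Tighter than DEFAULT_TIME_SKEW_SECONDS (5 minutes).
          .setAcceptableTimeSkewSeconds(60)
          .build();

  /**
   * Returns the token's subject if it passes all checks, otherwise null.
   *
   * @param rawJwt the compact-serialized ID token received from the provider
   * @param expectedNonce the nonce this client sent in the authentication request, or null if none
   */
  public static String verifiedSubject(String rawJwt, String expectedNonce) throws IOException {
    // The page documents OAUTH_CLIENT_SKIP_SIGNATURE=true as disabling signature verification.
    // Treat its presence as a misconfiguration rather than silently trusting unsigned claims.
    if ("true".equalsIgnoreCase(System.getenv("OAUTH_CLIENT_SKIP_SIGNATURE"))) {
      throw new IllegalStateException(
          "OAUTH_CLIENT_SKIP_SIGNATURE is set; refusing to accept ID tokens");
    }

    // parse() only splits and base64-decodes the JWS; nothing is verified yet.
    IdToken idToken = IdToken.parse(GsonFactory.getDefaultInstance(), rawJwt);

    // verify() covers issuer, audience, iat/exp with skew, and the signature.
    if (!VERIFIER.verify(idToken)) {
      return null;
    }

    IdToken.Payload payload = idToken.getPayload();

    // ID Token Validation step 11: nonce must equal the value sent in the request.
    if (expectedNonce != null && !expectedNonce.equals(payload.getNonce())) {
      return null;
    }

    // Steps 4 and 5: with multiple audiences, azp must be present and equal to our client ID.
    Object aud = payload.getAudience(); // String for a single audience, List for several
    if (aud instanceof List && ((List<?>) aud).size() > 1
        && !EXPECTED_CLIENT_ID.equals(payload.getAuthorizedParty())) {
      return null;
    }

    return payload.getSubject();
  }

  private IdTokenCheck() {}
}
```

A null return is deliberately indistinguishable between "signature invalid" and "nonce mismatch": verify() itself only reports true or false, and callers should reject on either without leaking which check failed. The env-var guard runs before parsing so that a token is never even decoded in a process where the library's signature check has been switched off.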
-
verifySignature
boolean verifySignature(IdToken idToken) throws IdTokenVerifier.VerificationException
-
getCertificateLocation
private java.lang.String getCertificateLocation(com.google.api.client.json.webtoken.JsonWebSignature.Header header) throws IdTokenVerifier.VerificationException
-
-