Class IdToken
java.lang.Object
com.google.api.client.json.webtoken.JsonWebToken
com.google.api.client.json.webtoken.JsonWebSignature
com.google.api.client.auth.openidconnect.IdToken
@Beta
public class IdToken
extends com.google.api.client.json.webtoken.JsonWebSignature
Beta ID token as described in ID Token.
Use parse(JsonFactory, String) to parse an ID token from a string. Then, use the
verify methods to verify the ID token as required by the specification.
Implementation is not thread-safe.
- Since:
- 1.14
-
Nested Class Summary
Nested ClassesNested classes/interfaces inherited from class com.google.api.client.json.webtoken.JsonWebSignature
com.google.api.client.json.webtoken.JsonWebSignature.Header, com.google.api.client.json.webtoken.JsonWebSignature.Parser -
Constructor Summary
ConstructorsConstructorDescriptionIdToken(com.google.api.client.json.webtoken.JsonWebSignature.Header header, IdToken.Payload payload, byte[] signatureBytes, byte[] signedContentBytes) -
Method Summary
Modifier and TypeMethodDescriptionstatic IdTokenParses the given ID token string and returns the parsed ID token.final booleanverifyAudience(Collection<String> trustedClientIds) Returns whether the audience in the payload contains only client IDs that are trusted as specified in step 2 of ID Token Validation.final booleanverifyExpirationTime(long currentTimeMillis, long acceptableTimeSkewSeconds) Returns whether theJsonWebToken.Payload.getExpirationTimeSeconds()is valid relative to the current time, allowing for a clock skew as specified in step 5 of ID Token Validation.final booleanverifyIssuedAtTime(long currentTimeMillis, long acceptableTimeSkewSeconds) Returns whether theJsonWebToken.Payload.getIssuedAtTimeSeconds()is valid relative to the current time, allowing for a clock skew as specified in step 6 of ID Token Validation.final booleanverifyIssuer(String expectedIssuer) Returns whether the issuer in the payload matches the given expected issuer as specified in step 1 of ID Token Validation.final booleanverifyIssuer(Collection<String> expectedIssuer) Returns whether the issuer in the payload matches the given expected issuer as specified in step 1 of ID Token Validation.final booleanverifyTime(long currentTimeMillis, long acceptableTimeSkewSeconds) Returns whether theJsonWebToken.Payload.getExpirationTimeSeconds()andJsonWebToken.Payload.getIssuedAtTimeSeconds()are valid relative to the current time, allowing for a clock skew as specified in steps 5 and 6 of ID Token Validation.Methods inherited from class com.google.api.client.json.webtoken.JsonWebSignature
getHeader, getSignatureBytes, getSignedContentBytes, parser, signUsingRsaSha256, verifySignature, verifySignature, verifySignatureMethods inherited from class com.google.api.client.json.webtoken.JsonWebToken
toString
-
Constructor Details
-
IdToken
public IdToken(com.google.api.client.json.webtoken.JsonWebSignature.Header header, IdToken.Payload payload, byte[] signatureBytes, byte[] signedContentBytes) - Parameters:
header- headerpayload- payloadsignatureBytes- bytes of the signaturesignedContentBytes- bytes of the signature content
-
-
Method Details
-
getPayload
- Overrides:
getPayloadin classcom.google.api.client.json.webtoken.JsonWebToken
-
verifyIssuer
Returns whether the issuer in the payload matches the given expected issuer as specified in step 1 of ID Token Validation.- Parameters:
expectedIssuer- expected issuer
-
verifyIssuer
Returns whether the issuer in the payload matches the given expected issuer as specified in step 1 of ID Token Validation. When an issuer is migrating to a new issuer string the expected issuer has multiple aliases, so multiple are permitted here.- Since:
- 1.21.0
-
verifyAudience
Returns whether the audience in the payload contains only client IDs that are trusted as specified in step 2 of ID Token Validation.- Parameters:
trustedClientIds- list of trusted client IDs
-
verifyTime
public final boolean verifyTime(long currentTimeMillis, long acceptableTimeSkewSeconds) Returns whether theJsonWebToken.Payload.getExpirationTimeSeconds()andJsonWebToken.Payload.getIssuedAtTimeSeconds()are valid relative to the current time, allowing for a clock skew as specified in steps 5 and 6 of ID Token Validation.- Parameters:
currentTimeMillis- current time in milliseconds (typicallySystem.currentTimeMillis())acceptableTimeSkewSeconds- seconds of acceptable clock skew
-
verifyExpirationTime
public final boolean verifyExpirationTime(long currentTimeMillis, long acceptableTimeSkewSeconds) Returns whether theJsonWebToken.Payload.getExpirationTimeSeconds()is valid relative to the current time, allowing for a clock skew as specified in step 5 of ID Token Validation.- Parameters:
currentTimeMillis- current time in milliseconds (typicallySystem.currentTimeMillis())acceptableTimeSkewSeconds- seconds of acceptable clock skew
-
verifyIssuedAtTime
public final boolean verifyIssuedAtTime(long currentTimeMillis, long acceptableTimeSkewSeconds) Returns whether theJsonWebToken.Payload.getIssuedAtTimeSeconds()is valid relative to the current time, allowing for a clock skew as specified in step 6 of ID Token Validation.- Parameters:
currentTimeMillis- current time in milliseconds (typicallySystem.currentTimeMillis())acceptableTimeSkewSeconds- seconds of acceptable clock skew
-
parse
public static IdToken parse(com.google.api.client.json.JsonFactory jsonFactory, String idTokenString) throws IOException Parses the given ID token string and returns the parsed ID token.- Parameters:
jsonFactory- JSON factoryidTokenString- ID token string- Returns:
- parsed ID token
- Throws:
IOException
-