Class IdTokenVerifier
java.lang.Object
com.google.api.client.auth.openidconnect.IdTokenVerifier
@Beta. Thread-safe ID token verifier based on ID Token Validation (https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation).
Call verify(IdToken) to verify an ID token. This is a lightweight object, so you may use
a new instance for each configuration of expected issuer and trusted client IDs. Sample usage:
IdTokenVerifier verifier = new IdTokenVerifier.Builder()
.setIssuer("issuer.example.com")
.setAudience(Arrays.asList("myClientId"))
.build();
...
if (!verifier.verify(idToken)) {...}
Note that verify(IdToken) only implements a subset of the verification steps, mostly just the MUST steps (issuer, audience, issued-at/expiration time, and signature; see verify(IdToken) below). Checks that depend on the relying party's own request state, such as matching the nonce claim to the value sent in the authentication request, are not performed here and remain the caller's responsibility. Please read ID Token Validation (https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation) for the full list of verification steps.
Since: 1.16
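An end-to-end use of the verifier, added here as an example and not code from this page or from the google-oauth-java-client project: parse the compact serialization a client sent, verify it, and only then read claims from the payload. The Builder methods setIssuers, setAudience and setAcceptableTimeSkewSeconds, IdToken.parse and GsonFactory.getDefaultInstance are the library's own API (google-oauth-client plus google-http-client-gson on the classpath); the issuer strings and CLIENT_ID are placeholders you must replace with your own values.

```java
import com.google.api.client.auth.openidconnect.IdToken;
import com.google.api.client.auth.openidconnect.IdTokenVerifier;
import com.google.api.client.json.gson.GsonFactory;
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/** Verifies a raw ID token string and returns the authenticated subject, or null. */
public final class IdTokenLogin {

  // Assumed values: both spellings of the Google issuer are accepted as equivalent,
  // and CLIENT_ID is a placeholder for the relying party's own OAuth client ID.
  private static final List<String> ISSUERS =
      Arrays.asList("https://accounts.google.com", "accounts.google.com");
  private static final String CLIENT_ID = "123456789-example.apps.googleusercontent.com";

  // One verifier per (issuer, audience) configuration; it is thread-safe and reusable,
  // and its public-key cache is shared across calls.
  private static final IdTokenVerifier VERIFIER =
      new IdTokenVerifier.Builder()
          .setIssuers(ISSUERS)
          .setAudience(Collections.singletonList(CLIENT_ID))
          .setAcceptableTimeSkewSeconds(60) // tighter than the 5 minute default
          .build();

  /**
   * Parses and verifies rawIdToken. Payload claims are read only after verify() returns
   * true; before that point the payload is attacker-controlled input.
   */
  public static String authenticatedSubject(String rawIdToken) {
    IdToken idToken;
    try {
      idToken = IdToken.parse(GsonFactory.getDefaultInstance(), rawIdToken);
    } catch (IOException | IllegalArgumentException e) {
      // Not a three-part JWS, or header/payload not decodable: not authenticated.
      return null;
    }
    if (!VERIFIER.verify(idToken)) {
      // Issuer, audience, time window or signature check failed.
      return null;
    }
    return idToken.getPayload().getSubject();
  }

  public static void main(String[] args) {
    if (args.length != 1) {
      System.err.println("usage: IdTokenLogin <id_token>");
      System.exit(2);
    }
    String subject = authenticatedSubject(args[0]);
    System.out.println(subject == null ? "rejected" : "authenticated subject " + subject);
  }
}
```

The subject ("sub") is the stable identifier to key accounts on; fields such as email are only meaningful once verify has succeeded, and should not be used as a primary key.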
Nested Class Summary
Modifier and Type / Class / Description
- static class IdTokenVerifier.Builder
- (package private) static class Environment
- (package private) static class: Custom CacheLoader for mapping certificate URLs to the contained public keys.
- (package private) static class IdTokenVerifier.VerificationException: Custom exception for wrapping all verification errors.
Field Summary
Modifier and Type / Field / Description
- private final long acceptableTimeSkewSeconds: Seconds of time skew to accept when verifying time.
- private final Collection<String> audience: Unmodifiable list of trusted audience client IDs or null to suppress the audience check.
- private final String certificatesLocation
- private final com.google.api.client.util.Clock clock: Clock to use for expiration checks.
- static final long DEFAULT_TIME_SKEW_SECONDS: Default value for seconds of time skew to accept when verifying time (5 minutes).
- private final Environment environment
- private static final String FEDERATED_SIGNON_CERT_URL
- (package private) static final com.google.api.client.http.HttpTransport HTTP_TRANSPORT
- private static final String IAP_CERT_URL
- private final Collection<String> issuers: Unmodifiable collection of equivalent expected issuers or null to suppress the issuer check.
- private static final Logger LOGGER
- private static final String NOT_SUPPORTED_ALGORITHM
- publicKeyCache
- (package private) static final String SKIP_SIGNATURE_ENV_VAR
- SUPPORTED_ALGORITHMS
Constructor Summary
Constructors
- IdTokenVerifier()
- IdTokenVerifier(IdTokenVerifier.Builder builder)
Method Summary
Modifier and Type / Method / Description
- final long getAcceptableTimeSkewSeconds(): Returns the seconds of time skew to accept when verifying time.
- final Collection<String> getAudience(): Returns the unmodifiable list of trusted audience client IDs or null to suppress the audience check.
- private String getCertificateLocation(com.google.api.client.json.webtoken.JsonWebSignature.Header header)
- final com.google.api.client.util.Clock getClock(): Returns the clock.
- final String getIssuer(): Returns the first of equivalent expected issuers or null if issuer check suppressed.
- final Collection<String> getIssuers(): Returns the equivalent expected issuers or null if issuer check suppressed.
- boolean verify(IdToken idToken): Verifies that the given ID token is valid using the cached public keys.
- (package private) boolean verifySignature(IdToken idToken)
Field Details

LOGGER
private static final Logger LOGGER

IAP_CERT_URL
private static final String IAP_CERT_URL

FEDERATED_SIGNON_CERT_URL
private static final String FEDERATED_SIGNON_CERT_URL

SUPPORTED_ALGORITHMS

NOT_SUPPORTED_ALGORITHM
private static final String NOT_SUPPORTED_ALGORITHM

HTTP_TRANSPORT
static final com.google.api.client.http.HttpTransport HTTP_TRANSPORT

SKIP_SIGNATURE_ENV_VAR
static final String SKIP_SIGNATURE_ENV_VAR
Name of the environment variable that disables signature verification; see verify(IdToken) for OAUTH_CLIENT_SKIP_SIGNATURE and why setting it is not recommended.

DEFAULT_TIME_SKEW_SECONDS
public static final long DEFAULT_TIME_SKEW_SECONDS
Default value for seconds of time skew to accept when verifying time (5 minutes).

clock
private final com.google.api.client.util.Clock clock
Clock to use for expiration checks.

certificatesLocation
private final String certificatesLocation

environment
private final Environment environment

publicKeyCache
Cache of the public keys used by verify(IdToken).

acceptableTimeSkewSeconds
private final long acceptableTimeSkewSeconds
Seconds of time skew to accept when verifying time.

issuers
private final Collection<String> issuers
Unmodifiable collection of equivalent expected issuers or null to suppress the issuer check.

audience
private final Collection<String> audience
Unmodifiable list of trusted audience client IDs or null to suppress the audience check. With the check suppressed, a token minted by the issuer for any other client is accepted, so suppress it only when the token is not used to authenticate a caller to this service.
Constructor Details

IdTokenVerifier
public IdTokenVerifier()

IdTokenVerifier
IdTokenVerifier(IdTokenVerifier.Builder builder)
Parameters:
builder - builder
Method Details

getClock
public final com.google.api.client.util.Clock getClock()
Returns the clock.

getAcceptableTimeSkewSeconds
public final long getAcceptableTimeSkewSeconds()
Returns the seconds of time skew to accept when verifying time.

getIssuer
public final String getIssuer()
Returns the first of equivalent expected issuers or null if issuer check suppressed.

getIssuers
public final Collection<String> getIssuers()
Returns the equivalent expected issuers or null if issuer check suppressed.
Since: 1.21.0

getAudience
public final Collection<String> getAudience()
Returns the unmodifiable list of trusted audience client IDs or null to suppress the audience check.
verify
public boolean verify(IdToken idToken)
Verifies that the given ID token is valid using the cached public keys. It verifies:
- The issuer is one of getIssuers(), by calling IdToken.verifyIssuer(String).
- The audience is one of getAudience(), by calling IdToken.verifyAudience(Collection).
- The current time against the issued-at and expiration time, using getClock() and allowing for the time skew given by getAcceptableTimeSkewSeconds(), by calling IdToken.verifyTime(long, long).
- The token signature, per the current OpenID Connect Core spec: https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation. By default the method fetches the certificates from a well-known location; the request to the certificate location is performed using NetHttpTransport. Both the certificate location and the transport implementation can be overridden via IdTokenVerifier.Builder. Not recommended: this check can be disabled by setting the OAUTH_CLIENT_SKIP_SIGNATURE environment variable to true. With the signature check disabled, the issuer, audience and time checks run against unauthenticated claims, so anyone can mint a token that passes them.
Overriding is allowed, but it must call the super implementation.
Parameters:
idToken - ID token
Returns:
true if verified successfully or false if failed
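The three claim checks that verify(IdToken) composes, run on their own against locally minted tokens, as an added example that is not code from this page or from the project. It shows the skew semantics of verifyTime on both exp and iat, what verifyAudience rejects, and that a token with empty signature bytes passes every claim check, which is exactly what disabling the signature check with OAUTH_CLIENT_SKIP_SIGNATURE would let through. verifyIssuer, verifyAudience and verifyTime are the IdToken methods named above; the IdToken(Header, Payload, byte[], byte[]) constructor and the IdToken.Payload setters are taken from the library's public API rather than from this page; the issuer and audience strings and the fixed timestamp are constructed for the example.

```java
import com.google.api.client.auth.openidconnect.IdToken;
import com.google.api.client.auth.openidconnect.IdTokenVerifier;
import com.google.api.client.json.webtoken.JsonWebSignature;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/**
 * Runs the issuer, audience and time checks that verify(IdToken) applies, against tokens
 * that carry no valid signature, to show what those checks alone do and do not prove.
 */
public final class ClaimChecksOnly {

  // Constructed values for illustration; any issuer and client ID strings would do.
  static final List<String> TRUSTED_ISSUERS =
      Arrays.asList("https://accounts.google.com", "accounts.google.com");
  static final List<String> TRUSTED_AUDIENCE = Collections.singletonList("my-client-id");
  // Same skew the verifier applies by default (5 minutes).
  static final long SKEW = IdTokenVerifier.DEFAULT_TIME_SKEW_SECONDS;

  /** Builds an IdToken with the given claims and empty signature bytes: a forged token. */
  static IdToken forged(String iss, String aud, long iatSeconds, long expSeconds) {
    JsonWebSignature.Header header = new JsonWebSignature.Header().setAlgorithm("RS256");
    IdToken.Payload payload = new IdToken.Payload()
        .setIssuer(iss)
        .setAudience(aud)
        .setIssuedAtTimeSeconds(iatSeconds)
        .setExpirationTimeSeconds(expSeconds);
    return new IdToken(header, payload, new byte[0], new byte[0]);
  }

  /** The claim checks of verify(IdToken) with the signature check left out. */
  static boolean claimsAccepted(IdToken token, long nowMillis) {
    return token.verifyIssuer(TRUSTED_ISSUERS)
        && token.verifyAudience(TRUSTED_AUDIENCE)
        && token.verifyTime(nowMillis, SKEW);
  }

  public static void main(String[] args) {
    long now = 1_700_000_000L; // fixed "current" time, in seconds, standing in for the Clock
    long nowMillis = now * 1000;
    String iss = "https://accounts.google.com";

    // Current token for the right audience: every claim check passes although nothing signed it.
    IdToken fresh = forged(iss, "my-client-id", now - 60, now + 3600);
    // exp 200 s in the past: inside the 300 s skew window, so verifyTime still accepts it.
    IdToken justExpired = forged(iss, "my-client-id", now - 3600, now - 200);
    // exp 400 s in the past: outside the window, verifyTime rejects it.
    IdToken expired = forged(iss, "my-client-id", now - 3600, now - 400);
    // Minted for another client: verifyAudience rejects it because the aud is not trusted.
    IdToken otherClient = forged(iss, "someone-elses-client-id", now - 60, now + 3600);
    // iat 200 s in the future: accepted, since iat is checked against the same skew window.
    IdToken futureIat = forged(iss, "my-client-id", now + 200, now + 3600);

    for (IdToken t : Arrays.asList(fresh, justExpired, expired, otherClient, futureIat)) {
      IdToken.Payload p = t.getPayload();
      System.out.println("aud=" + p.getAudience() + " iat=" + p.getIssuedAtTimeSeconds()
          + " exp=" + p.getExpirationTimeSeconds()
          + " claimsAccepted=" + claimsAccepted(t, nowMillis));
    }
  }
}
```

Only the signature check binds these claims to the issuer; the claim checks decide whether an authentic token is acceptable to this relying party, not whether it is authentic. That is why the skip-signature variable must never be set outside an isolated test environment.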

verifySignature
(package private) boolean verifySignature(IdToken idToken)

getCertificateLocation
private String getCertificateLocation(com.google.api.client.json.webtoken.JsonWebSignature.Header header) throws IdTokenVerifier.VerificationException