Class IdTokenVerifier (1.36.0)

Thread-safe ID token verifier based on ID Token Validation.

Call #verify(IdToken) to verify an ID token. This is a light-weight object, so you may use a new instance for each configuration of expected issuer and trusted client IDs. Sample usage:

IdTokenVerifier verifier = new IdTokenVerifier.Builder() .setIssuer("issuer.example.com") .setAudience(Arrays.asList("myClientId")) .build(); ... if (!verifier.verify(idToken)) {...}

The verifier validates token signature per current OpenID Connect Spec: https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation By default, method gets a certificate from well-known location A request to certificate location is performed using com.google.api.client.http.javanet.NetHttpTransport Either or both certificate location and transport implementation can be overridden via Builder

IdTokenVerifier verifier = new IdTokenVerifier.Builder() .setIssuer("issuer.example.com") .setAudience(Arrays.asList("myClientId")) .setHttpTransportFactory(customHttpTransportFactory) .build(); ... if (!verifier.verify(idToken)) {...}

not recommended: this check can be disabled with OAUTH_CLIENT_SKIP_SIGNATURE environment variable set to true. Use #verifyPayload(IdToken) instead.

Note that #verify(IdToken) only implements a subset of the verification steps, mostly just the MUST steps. Please read <a href="http://openid.net/specs/openid-connect-basic-1_0-27.html#id.token.validation>ID Token Validation for the full list of verification steps.

Default value for seconds of time skew to accept when verifying time (5 minutes).

Returns the seconds of time skew to accept when verifying time.

Returns the unmodifiable list of trusted audience client IDs or null to suppress the audience check.

Returns the clock.

Returns the first of equivalent expected issuers or null if issuer check suppressed.

Returns the equivalent expected issuers or null if issuer check suppressed.

Verifies that the given ID token is valid using the cached public keys.

It verifies:

• The issuer is one of #getIssuers() by calling IdToken#verifyIssuer(String).
• The audience is one of #getAudience() by calling IdToken#verifyAudience(Collection).
• The current time against the issued at and expiration time, using the #getClock() and allowing for a time skew specified in #getAcceptableTimeSkewSeconds() , by calling IdToken#verifyTime(long, long).
• This method verifies token signature per current OpenID Connect Spec: https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation. By default, method gets a certificate from well-known location. A request to certificate location is performed using com.google.api.client.http.javanet.NetHttpTransport Both certificate location and transport implementation can be overridden via Builder not recommended: this check can be disabled with OAUTH_CLIENT_SKIP_SIGNATURE environment variable set to true. Use #verifyPayload(IdToken) instead.

Deprecated. This method returns false if network requests to get certificates fail. Use IdTokenVerifier.verfyOrThrow(IdToken) instead to differentiate between potentially retryable network errors and false verification results.

Verifies that the given ID token is valid using the cached public keys.

It verifies:

• The issuer is one of #getIssuers() by calling IdToken#verifyIssuer(String).
• The audience is one of #getAudience() by calling IdToken#verifyAudience(Collection).
• The current time against the issued at and expiration time, using the #getClock() and allowing for a time skew specified in #getAcceptableTimeSkewSeconds() , by calling IdToken#verifyTime(long, long).
• This method verifies token signature per current OpenID Connect Spec: https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation. By default, method gets a certificate from well-known location. A request to certificate location is performed using com.google.api.client.http.javanet.NetHttpTransport Both certificate location and transport implementation can be overridden via Builder not recommended: this check can be disabled with OAUTH_CLIENT_SKIP_SIGNATURE environment variable set to true.

Overriding is allowed, but it must call the super implementation.

Verifies the payload of the given ID token

It verifies:

• The issuer is one of #getIssuers() by calling IdToken#verifyIssuer(String).
• The audience is one of #getAudience() by calling IdToken#verifyAudience(Collection).
• The current time against the issued at and expiration time, using the #getClock() and allowing for a time skew specified in #getAcceptableTimeSkewSeconds() , by calling IdToken#verifyTime(long, long).

Overriding is allowed, but it must call the super implementation.