Class GoogleIdTokenVerifier (1.35.1)

public class GoogleIdTokenVerifier extends IdTokenVerifier

Beta
Thread-safe Google ID token verifier.

Call #verify(IdToken) to verify a ID token. Use the constructor #GoogleIdTokenVerifier(HttpTransport, JsonFactory) for the typical simpler case if your application has only a single instance of GoogleIdTokenVerifier. Otherwise, ideally you should use #GoogleIdTokenVerifier(GooglePublicKeysManager) with a shared global instance of the GooglePublicKeysManager since that way the Google public keys are cached. Sample usage:


 GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(transport, jsonFactory)
        .setAudience(Arrays.asList("myClientId"))
        .build();

 ...

 if (!verifier.verify(googleIdToken)) {...}
 

Inheritance

java.lang.Object > com.google.api.client.auth.openidconnect.IdTokenVerifier > GoogleIdTokenVerifier

Constructors

GoogleIdTokenVerifier(GoogleIdTokenVerifier.Builder builder)

protected GoogleIdTokenVerifier(GoogleIdTokenVerifier.Builder builder)
Parameter
NameDescription
builderGoogleIdTokenVerifier.Builder

builder

GoogleIdTokenVerifier(GooglePublicKeysManager publicKeys)

public GoogleIdTokenVerifier(GooglePublicKeysManager publicKeys)
Parameter
NameDescription
publicKeysGooglePublicKeysManager

Google public keys manager

GoogleIdTokenVerifier(HttpTransport transport, JsonFactory jsonFactory)

public GoogleIdTokenVerifier(HttpTransport transport, JsonFactory jsonFactory)
Parameters
NameDescription
transportcom.google.api.client.http.HttpTransport

HTTP transport

jsonFactorycom.google.api.client.json.JsonFactory

JSON factory

Methods

getExpirationTimeMilliseconds() (deprecated)

public final long getExpirationTimeMilliseconds()

Deprecated. (scheduled to be removed in 1.18) Use #getPublicKeysManager() and GooglePublicKeysManager#getExpirationTimeMilliseconds() instead.

Returns the expiration time in milliseconds to be used with Clock#currentTimeMillis() or 0 for none.

Returns
TypeDescription
long

getJsonFactory()

public final JsonFactory getJsonFactory()

Returns the JSON factory.

Returns
TypeDescription
com.google.api.client.json.JsonFactory

getPublicCertsEncodedUrl() (deprecated)

public final String getPublicCertsEncodedUrl()

Deprecated. (scheduled to be removed in 1.18) Use #getPublicKeysManager() and GooglePublicKeysManager#getPublicCertsEncodedUrl() instead.

Returns the public certificates encoded URL.

Returns
TypeDescription
String

getPublicKeys() (deprecated)

public final List<PublicKey> getPublicKeys()

Deprecated. (scheduled to be removed in 1.18) Use #getPublicKeysManager() and GooglePublicKeysManager#getPublicKeys() instead.

Returns the public keys.

Upgrade warning: in prior version 1.16 it may return null and not throw any exceptions, but starting with version 1.17 it cannot return null and may throw GeneralSecurityException or IOException.

Returns
TypeDescription
List<PublicKey>
Exceptions
TypeDescription
GeneralSecurityException
IOException

getPublicKeysManager()

public final GooglePublicKeysManager getPublicKeysManager()

Returns the Google public keys manager.

Returns
TypeDescription
GooglePublicKeysManager

getTransport()

public final HttpTransport getTransport()

Returns the HTTP transport.

Returns
TypeDescription
com.google.api.client.http.HttpTransport

loadPublicCerts() (deprecated)

public GoogleIdTokenVerifier loadPublicCerts()

Deprecated. (scheduled to be removed in 1.18) Use #getPublicKeysManager() and GooglePublicKeysManager#refresh() instead.

Downloads the public keys from the public certificates endpoint at #getPublicCertsEncodedUrl.

This method is automatically called if the public keys have not yet been initialized or if the expiration time is very close, so normally this doesn't need to be called. Only call this method explicitly to force the public keys to be updated.

Returns
TypeDescription
GoogleIdTokenVerifier
Exceptions
TypeDescription
GeneralSecurityException
IOException

verify(GoogleIdToken googleIdToken)

public boolean verify(GoogleIdToken googleIdToken)

Verifies that the given ID token is valid using the cached public keys.

It verifies:

  • The RS256 signature, which uses RSA and SHA-256 based on the public keys downloaded from the public certificate endpoint.
  • The current time against the issued at and expiration time (allowing for a 5 minute clock skew).
  • The issuer is "accounts.google.com" or "https://accounts.google.com".
Parameter
NameDescription
googleIdTokenGoogleIdToken

Google ID token

Returns
TypeDescription
boolean

true if verified successfully or false if failed

Exceptions
TypeDescription
GeneralSecurityException
IOException

verify(String idTokenString)

public GoogleIdToken verify(String idTokenString)

Verifies that the given ID token is valid using #verify(GoogleIdToken) and returns the ID token if succeeded.

Parameter
NameDescription
idTokenStringString

Google ID token string

Returns
TypeDescription
GoogleIdToken

Google ID token if verified successfully or null if failed

Exceptions
TypeDescription
GeneralSecurityException
IOException