Class GoogleIdTokenVerifier (2.1.0)

public class GoogleIdTokenVerifier extends IdTokenVerifier

Beta
Thread-safe Google ID token verifier.

Call #verify(IdToken) to verify an ID token. Use the constructor #GoogleIdTokenVerifier(HttpTransport, JsonFactory) for the typical simpler case if your application has only a single instance of GoogleIdTokenVerifier. Otherwise, ideally you should use #GoogleIdTokenVerifier(GooglePublicKeysManager) with a shared global instance of the GooglePublicKeysManager, since that way the Google public keys are cached. Sample usage:


 GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(transport, jsonFactory)
         .setAudience(Arrays.asList("myClientId"))
         .build();

 // ...

 if (!verifier.verify(googleIdToken)) {
   // reject the token
 }

Inheritance

java.lang.Object > com.google.api.client.auth.openidconnect.IdTokenVerifier > GoogleIdTokenVerifier

Constructors

GoogleIdTokenVerifier(GoogleIdTokenVerifier.Builder builder)

protected GoogleIdTokenVerifier(GoogleIdTokenVerifier.Builder builder)
Parameter
  Name      Description
  builder   GoogleIdTokenVerifier.Builder: builder

GoogleIdTokenVerifier(GooglePublicKeysManager publicKeys)

public GoogleIdTokenVerifier(GooglePublicKeysManager publicKeys)
Parameter
  Name         Description
  publicKeys   GooglePublicKeysManager: Google public keys manager

GoogleIdTokenVerifier(HttpTransport transport, JsonFactory jsonFactory)

public GoogleIdTokenVerifier(HttpTransport transport, JsonFactory jsonFactory)
Parameters
  Name          Description
  transport     com.google.api.client.http.HttpTransport: HTTP transport
  jsonFactory   com.google.api.client.json.JsonFactory: JSON factory

Methods

getExpirationTimeMilliseconds() (deprecated)

public final long getExpirationTimeMilliseconds()

Deprecated. (scheduled to be removed in 1.18) Use #getPublicKeysManager() and GooglePublicKeysManager#getExpirationTimeMilliseconds() instead.

Returns the expiration time in milliseconds to be used with Clock#currentTimeMillis() or 0 for none.

Returns
  Type   Description
  long

getJsonFactory()

public final JsonFactory getJsonFactory()

Returns the JSON factory.

Returns
  Type                                     Description
  com.google.api.client.json.JsonFactory

getPublicCertsEncodedUrl() (deprecated)

public final String getPublicCertsEncodedUrl()

Deprecated. (scheduled to be removed in 1.18) Use #getPublicKeysManager() and GooglePublicKeysManager#getPublicCertsEncodedUrl() instead.

Returns the public certificates encoded URL.

Returns
  Type     Description
  String

getPublicKeys() (deprecated)

public final List<PublicKey> getPublicKeys()

Deprecated. (scheduled to be removed in 1.18) Use #getPublicKeysManager() and GooglePublicKeysManager#getPublicKeys() instead.

Returns the public keys.

Upgrade warning: in prior version 1.16 it could return null without throwing any exceptions, but starting with version 1.17 it cannot return null and may throw GeneralSecurityException or IOException.

Returns
  Type              Description
  List<PublicKey>

Exceptions
  Type                       Description
  GeneralSecurityException
  IOException

getPublicKeysManager()

public final GooglePublicKeysManager getPublicKeysManager()

Returns the Google public keys manager.

Returns
  Type                      Description
  GooglePublicKeysManager

getTransport()

public final HttpTransport getTransport()

Returns the HTTP transport.

Returns
  Type                                       Description
  com.google.api.client.http.HttpTransport

loadPublicCerts() (deprecated)

public GoogleIdTokenVerifier loadPublicCerts()

Deprecated. (scheduled to be removed in 1.18) Use #getPublicKeysManager() and GooglePublicKeysManager#refresh() instead.

Downloads the public keys from the public certificates endpoint at #getPublicCertsEncodedUrl.

This method is automatically called if the public keys have not yet been initialized or if the expiration time is very close, so normally this doesn't need to be called. Only call this method explicitly to force the public keys to be updated.

Returns
  Type                    Description
  GoogleIdTokenVerifier

Exceptions
  Type                       Description
  GeneralSecurityException
  IOException

verify(GoogleIdToken googleIdToken)

public boolean verify(GoogleIdToken googleIdToken)

Verifies that the given ID token is valid using the cached public keys.

It verifies:

  • The RS256 signature, which uses RSA and SHA-256 based on the public keys downloaded from the public certificate endpoint.
  • The current time against the issued at and expiration time (allowing for a 5 minute clock skew).
  • The issuer is "accounts.google.com" or "https://accounts.google.com".

Parameter
  Name            Description
  googleIdToken   GoogleIdToken: Google ID token

Returns
  Type      Description
  boolean   true if verified successfully or false if failed

Exceptions
  Type                       Description
  GeneralSecurityException
  IOException

verify(String idTokenString)

public GoogleIdToken verify(String idTokenString)

Verifies that the given ID token is valid using #verify(GoogleIdToken) and returns the ID token if verification succeeded.

Parameter
  Name            Description
  idTokenString   String: Google ID token string

Returns
  Type            Description
  GoogleIdToken   Google ID token if verified successfully or null if failed

Exceptions
  Type                       Description
  GeneralSecurityException
  IOException
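
Added example (not part of the original reference and not the library's own sample code): one process-wide GooglePublicKeysManager and verifier, as the class description recommends, with verify(String) handled fail-closed on a null return or an exception. The class name IdTokenAuth, the authenticate helper and the "myClientId" placeholder are assumptions; NetHttpTransport and GsonFactory are one possible choice of transport and JSON factory.

```java
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.googleapis.auth.oauth2.GooglePublicKeysManager;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.gson.GsonFactory;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Collections;
import java.util.Optional;

public final class IdTokenAuth {
  // Assumption: placeholder for the OAuth 2.0 client ID your application registered.
  private static final String CLIENT_ID = "myClientId";

  // One keys manager for the whole process, so the downloaded public keys are cached.
  private static final GooglePublicKeysManager KEYS =
      new GooglePublicKeysManager(new NetHttpTransport(), GsonFactory.getDefaultInstance());

  // The verifier is thread-safe, so a single shared instance serves all requests.
  private static final GoogleIdTokenVerifier VERIFIER =
      new GoogleIdTokenVerifier.Builder(KEYS)
          .setAudience(Collections.singletonList(CLIENT_ID))
          .build();

  /** Returns the verified payload, or empty if the token must be rejected. */
  public static Optional<GoogleIdToken.Payload> authenticate(String idTokenString) {
    if (idTokenString == null || idTokenString.isEmpty()) {
      return Optional.empty();
    }
    try {
      GoogleIdToken token = VERIFIER.verify(idTokenString);
      // verify(String) returns null when verification fails; never use claims from such a token.
      return token == null ? Optional.empty() : Optional.of(token.getPayload());
    } catch (GeneralSecurityException | IOException | IllegalArgumentException e) {
      // Fail closed: a key-fetch error or a malformed token string is treated as a rejection.
      // Catching IllegalArgumentException is a defensive assumption for unparseable input.
      return Optional.empty();
    }
  }

  public static void main(String[] args) {
    // Constructed input: with no argument the empty string is rejected without any network call.
    String sample = args.length > 0 ? args[0] : "";
    System.out.println(authenticate(sample)
        .map(p -> "verified subject: " + p.getSubject())
        .orElse("rejected"));
  }
}
```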