public class GoogleIdTokenVerifier extends IdTokenVerifier
Beta
Thread-safe Google ID token verifier.
Call #verify(IdToken) to verify an ID token. Use the constructor #GoogleIdTokenVerifier(HttpTransport, JsonFactory) for the typical simpler case if your application has only a single instance of GoogleIdTokenVerifier. Otherwise, ideally you should use #GoogleIdTokenVerifier(GooglePublicKeysManager) with a shared global instance of the GooglePublicKeysManager since that way the Google public keys are cached.
Sample usage:
```java
GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(transport, jsonFactory)
    .setAudience(Arrays.asList("myClientId"))
    .build();
...
if (!verifier.verify(googleIdToken)) {...}
```
Inheritance
java.lang.Object > com.google.api.client.auth.openidconnect.IdTokenVerifier > GoogleIdTokenVerifier
Constructors
GoogleIdTokenVerifier(GoogleIdTokenVerifier.Builder builder)
protected GoogleIdTokenVerifier(GoogleIdTokenVerifier.Builder builder)
| Parameter | |
|---|---|
| Name | Description |
| builder | GoogleIdTokenVerifier.Builder: builder |
GoogleIdTokenVerifier(GooglePublicKeysManager publicKeys)
public GoogleIdTokenVerifier(GooglePublicKeysManager publicKeys)
| Parameter | |
|---|---|
| Name | Description |
| publicKeys | GooglePublicKeysManager: Google public keys manager |
GoogleIdTokenVerifier(HttpTransport transport, JsonFactory jsonFactory)
public GoogleIdTokenVerifier(HttpTransport transport, JsonFactory jsonFactory)
| Parameters | |
|---|---|
| Name | Description |
| transport | com.google.api.client.http.HttpTransport: HTTP transport |
| jsonFactory | com.google.api.client.json.JsonFactory: JSON factory |
Methods
getExpirationTimeMilliseconds() (deprecated)
public final long getExpirationTimeMilliseconds()
Deprecated. (scheduled to be removed in 1.18) Use #getPublicKeysManager() and GooglePublicKeysManager#getExpirationTimeMilliseconds() instead.
Returns the expiration time in milliseconds to be used with Clock#currentTimeMillis() or 0 for none.
| Returns | |
|---|---|
| Type | Description |
| long | |
getJsonFactory()
public final JsonFactory getJsonFactory()
Returns the JSON factory.
| Returns | |
|---|---|
| Type | Description |
| com.google.api.client.json.JsonFactory | |
getPublicCertsEncodedUrl() (deprecated)
public final String getPublicCertsEncodedUrl()
Deprecated. (scheduled to be removed in 1.18) Use #getPublicKeysManager() and GooglePublicKeysManager#getPublicCertsEncodedUrl() instead.
Returns the public certificates encoded URL.
| Returns | |
|---|---|
| Type | Description |
| String | |
getPublicKeys() (deprecated)
public final List<PublicKey> getPublicKeys()
Deprecated. (scheduled to be removed in 1.18) Use #getPublicKeysManager() and GooglePublicKeysManager#getPublicKeys() instead.
Returns the public keys.
Upgrade warning: in prior version 1.16 it may return null and not throw any exceptions, but starting with version 1.17 it cannot return null and may throw GeneralSecurityException or IOException.
| Returns | |
|---|---|
| Type | Description |
| List<PublicKey> | |

| Exceptions | |
|---|---|
| Type | Description |
| GeneralSecurityException | |
| IOException | |
getPublicKeysManager()
public final GooglePublicKeysManager getPublicKeysManager()
Returns the Google public keys manager.
| Returns | |
|---|---|
| Type | Description |
| GooglePublicKeysManager | |
getTransport()
public final HttpTransport getTransport()
Returns the HTTP transport.
| Returns | |
|---|---|
| Type | Description |
| com.google.api.client.http.HttpTransport | |
loadPublicCerts() (deprecated)
public GoogleIdTokenVerifier loadPublicCerts()
Deprecated. (scheduled to be removed in 1.18) Use #getPublicKeysManager() and GooglePublicKeysManager#refresh() instead.
Downloads the public keys from the public certificates endpoint at #getPublicCertsEncodedUrl.
This method is automatically called if the public keys have not yet been initialized or if the expiration time is very close, so normally this doesn't need to be called. Only call this method explicitly to force the public keys to be updated.
| Returns | |
|---|---|
| Type | Description |
| GoogleIdTokenVerifier | |

| Exceptions | |
|---|---|
| Type | Description |
| GeneralSecurityException | |
| IOException | |
verify(GoogleIdToken googleIdToken)
public boolean verify(GoogleIdToken googleIdToken)
Verifies that the given ID token is valid using the cached public keys.
It verifies:
- The RS256 signature, which uses RSA and SHA-256 based on the public keys downloaded from the public certificate endpoint.
- The current time against the issued at and expiration time (allowing for a 5 minute clock skew).
- The issuer is "accounts.google.com" or "https://accounts.google.com".

| Parameter | |
|---|---|
| Name | Description |
| googleIdToken | GoogleIdToken: Google ID token |

| Returns | |
|---|---|
| Type | Description |
| boolean | |

| Exceptions | |
|---|---|
| Type | Description |
| GeneralSecurityException | |
| IOException | |
verify(String idTokenString)
public GoogleIdToken verify(String idTokenString)
Verifies that the given ID token is valid using #verify(GoogleIdToken) and returns the ID token if verification succeeded.
| Parameter | |
|---|---|
| Name | Description |
| idTokenString | String: Google ID token string |

| Returns | |
|---|---|
| Type | Description |
| GoogleIdToken | Google ID token if verified successfully or |

| Exceptions | |
|---|---|
| Type | Description |
| GeneralSecurityException | |
| IOException | |
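
An added example, not part of the original reference or the library's own code: a server-side check that follows the class description's advice to share one GooglePublicKeysManager and uses verify(String), rejecting the request on any failure. The class name GoogleSignInChecker, its method verifiedSubject and the client IDs passed in are assumptions made for illustration.

```java
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.googleapis.auth.oauth2.GooglePublicKeysManager;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Optional;
import java.util.logging.Level;
import java.util.logging.Logger;

/** Added example (hypothetical class): fail-closed ID token check on a shared key cache. */
public final class GoogleSignInChecker {
  private static final Logger LOG = Logger.getLogger(GoogleSignInChecker.class.getName());
  private final List<String> clientIds;
  private final GoogleIdTokenVerifier verifier;

  // sharedKeys: one application-wide manager, so every verifier reuses the cached keys.
  // clientIds: the OAuth client IDs this service accepts as the token audience.
  public GoogleSignInChecker(GooglePublicKeysManager sharedKeys, Collection<String> clientIds) {
    if (clientIds.isEmpty()) {
      throw new IllegalArgumentException("at least one client ID is required");
    }
    this.clientIds = Collections.unmodifiableList(new ArrayList<>(clientIds));
    this.verifier =
        new GoogleIdTokenVerifier.Builder(sharedKeys).setAudience(this.clientIds).build();
  }

  /** Returns the verified subject ("sub" claim), or empty if the token must be rejected. */
  public Optional<String> verifiedSubject(String idTokenString) {
    if (idTokenString == null || idTokenString.isEmpty()) {
      return Optional.empty();
    }
    try {
      GoogleIdToken token = verifier.verify(idTokenString);
      // A null result means verification failed. The audience is re-checked explicitly
      // because it is not among the checks listed for verify(GoogleIdToken) above.
      if (token == null || !token.verifyAudience(clientIds)) {
        return Optional.empty();
      }
      return Optional.ofNullable(token.getPayload().getSubject());
    } catch (GeneralSecurityException | IOException | IllegalArgumentException e) {
      // Key download failure or unparseable input: log it and reject the request.
      LOG.log(Level.WARNING, "ID token verification error", e);
      return Optional.empty();
    }
  }
}
```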