Class GoogleIdTokenVerifier (2.6.0)

public class GoogleIdTokenVerifier extends IdTokenVerifier

Beta
Thread-safe Google ID token verifier.

Call #verify(IdToken) to verify a ID token. Use the constructor #GoogleIdTokenVerifier(HttpTransport, JsonFactory) for the typical simpler case if your application has only a single instance of GoogleIdTokenVerifier. Otherwise, ideally you should use #GoogleIdTokenVerifier(GooglePublicKeysManager) with a shared global instance of the GooglePublicKeysManager since that way the Google public keys are cached. Sample usage:


 GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(transport, jsonFactory)
        .setAudience(Arrays.asList("myClientId"))
        .build();

 ...

 if (!verifier.verify(googleIdToken)) {...}
 

Inheritance

java.lang.Object > com.google.api.client.auth.openidconnect.IdTokenVerifier > GoogleIdTokenVerifier

Constructors

GoogleIdTokenVerifier(GoogleIdTokenVerifier.Builder builder)

protected GoogleIdTokenVerifier(GoogleIdTokenVerifier.Builder builder)
Parameter
Name Description
builder GoogleIdTokenVerifier.Builder

builder

GoogleIdTokenVerifier(GooglePublicKeysManager publicKeys)

public GoogleIdTokenVerifier(GooglePublicKeysManager publicKeys)
Parameter
Name Description
publicKeys GooglePublicKeysManager

Google public keys manager

GoogleIdTokenVerifier(HttpTransport transport, JsonFactory jsonFactory)

public GoogleIdTokenVerifier(HttpTransport transport, JsonFactory jsonFactory)
Parameters
Name Description
transport com.google.api.client.http.HttpTransport

HTTP transport

jsonFactory com.google.api.client.json.JsonFactory

JSON factory

Methods

getExpirationTimeMilliseconds() (deprecated)

public final long getExpirationTimeMilliseconds()

Deprecated. (scheduled to be removed in 1.18) Use #getPublicKeysManager() and GooglePublicKeysManager#getExpirationTimeMilliseconds() instead.

Returns the expiration time in milliseconds to be used with Clock#currentTimeMillis() or 0 for none.

Returns
Type Description
long

getJsonFactory()

public final JsonFactory getJsonFactory()

Returns the JSON factory.

Returns
Type Description
com.google.api.client.json.JsonFactory

getPublicCertsEncodedUrl() (deprecated)

public final String getPublicCertsEncodedUrl()

Deprecated. (scheduled to be removed in 1.18) Use #getPublicKeysManager() and GooglePublicKeysManager#getPublicCertsEncodedUrl() instead.

Returns the public certificates encoded URL.

Returns
Type Description
String

getPublicKeys() (deprecated)

public final List<PublicKey> getPublicKeys()

Deprecated. (scheduled to be removed in 1.18) Use #getPublicKeysManager() and GooglePublicKeysManager#getPublicKeys() instead.

Returns the public keys.

Upgrade warning: in prior version 1.16 it may return null and not throw any exceptions, but starting with version 1.17 it cannot return null and may throw GeneralSecurityException or IOException.

Returns
Type Description
List<PublicKey>
Exceptions
Type Description
GeneralSecurityException
IOException

getPublicKeysManager()

public final GooglePublicKeysManager getPublicKeysManager()

Returns the Google public keys manager.

Returns
Type Description
GooglePublicKeysManager

getTransport()

public final HttpTransport getTransport()

Returns the HTTP transport.

Returns
Type Description
com.google.api.client.http.HttpTransport

loadPublicCerts() (deprecated)

public GoogleIdTokenVerifier loadPublicCerts()

Deprecated. (scheduled to be removed in 1.18) Use #getPublicKeysManager() and GooglePublicKeysManager#refresh() instead.

Downloads the public keys from the public certificates endpoint at #getPublicCertsEncodedUrl.

This method is automatically called if the public keys have not yet been initialized or if the expiration time is very close, so normally this doesn't need to be called. Only call this method explicitly to force the public keys to be updated.

Returns
Type Description
GoogleIdTokenVerifier
Exceptions
Type Description
GeneralSecurityException
IOException

verify(GoogleIdToken googleIdToken)

public boolean verify(GoogleIdToken googleIdToken)

Verifies that the given ID token is valid using the cached public keys.

It verifies:

  • The RS256 signature, which uses RSA and SHA-256 based on the public keys downloaded from the public certificate endpoint.
  • The current time against the issued at and expiration time (allowing for a 5 minute clock skew).
  • The issuer is "accounts.google.com" or "https://accounts.google.com".
Parameter
Name Description
googleIdToken GoogleIdToken

Google ID token

Returns
Type Description
boolean

true if verified successfully or false if failed

Exceptions
Type Description
GeneralSecurityException
IOException

verify(String idTokenString)

public GoogleIdToken verify(String idTokenString)

Verifies that the given ID token is valid using #verify(GoogleIdToken) and returns the ID token if succeeded.

Parameter
Name Description
idTokenString String

Google ID token string

Returns
Type Description
GoogleIdToken

Google ID token if verified successfully or null if failed

Exceptions
Type Description
GeneralSecurityException
IOException