Class IdTokenVerifier (1.34.0)

public class IdTokenVerifier
Beta
Thread-safe ID token verifier based on ID Token Validation.

Call #verify(IdToken) to verify an ID token. This is a light-weight object, so you may use a new instance for each configuration of expected issuer and trusted client IDs. Sample usage:

    IdTokenVerifier verifier = new IdTokenVerifier.Builder()
        .setIssuer("issuer.example.com")
        .setAudience(Arrays.asList("myClientId"))
        .build();
    ...
    if (!verifier.verify(idToken)) {...}

The verifier validates the token signature per the current OpenID Connect spec: https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation

By default, the method gets a certificate from a well-known location. The request to the certificate location is performed using com.google.api.client.http.javanet.NetHttpTransport. Either or both of the certificate location and the transport implementation can be overridden via the Builder:

    IdTokenVerifier verifier = new IdTokenVerifier.Builder()
        .setIssuer("issuer.example.com")
        .setAudience(Arrays.asList("myClientId"))
        .setHttpTransportFactory(customHttpTransportFactory)
        .build();
    ...
    if (!verifier.verify(idToken)) {...}

Not recommended: the signature check can be disabled by setting the OAUTH_CLIENT_SKIP_SIGNATURE environment variable to true.

Note that #verify(IdToken) only implements a subset of the verification steps, mostly just the MUST steps. Please read ID Token Validation (http://openid.net/specs/openid-connect-basic-1_0-27.html#id.token.validation) for the full list of verification steps.
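
A fail-closed way to wrap the verifier, as an added example that is not part of the library or its documentation: it refuses to run when OAUTH_CLIENT_SKIP_SIGNATURE is true or when the issuer or audience check is suppressed (getIssuers() and getAudience() return null in that case). The class name StrictIdTokenCheck, its method requireValid and the use of GsonFactory from google-http-client-gson are assumptions of this example.

```java
import com.google.api.client.auth.openidconnect.IdToken;
import com.google.api.client.auth.openidconnect.IdTokenVerifier;
import com.google.api.client.json.gson.GsonFactory; // assumption: google-http-client-gson is on the classpath
import java.io.IOException;
import java.util.Arrays;

/** Added example, not library code: a fail-closed wrapper around IdTokenVerifier. */
public final class StrictIdTokenCheck {
  private static final String SKIP_ENV = "OAUTH_CLIENT_SKIP_SIGNATURE";
  private final IdTokenVerifier verifier;

  public StrictIdTokenCheck(String issuer, String... clientIds) {
    // Refuse to start if the environment has switched the signature check off.
    // This guard treats any case variant of "true" as enabled.
    if (Boolean.parseBoolean(System.getenv(SKIP_ENV))) {
      throw new IllegalStateException(SKIP_ENV + " is set; signatures would not be checked");
    }
    if (issuer == null || issuer.isEmpty() || clientIds == null || clientIds.length == 0) {
      throw new IllegalArgumentException("an expected issuer and at least one client ID are required");
    }
    verifier = new IdTokenVerifier.Builder()
        .setIssuer(issuer)
        .setAudience(Arrays.asList(clientIds))
        .build();
    // The getters return null when a check is suppressed; require both checks to be active.
    if (verifier.getIssuers() == null || verifier.getAudience() == null) {
      throw new IllegalStateException("issuer and audience checks must both be enabled");
    }
  }

  /** Returns the parsed token only if verify() accepts it; otherwise throws. */
  public IdToken requireValid(String rawIdToken) {
    if (rawIdToken == null) {
      throw new SecurityException("ID token is missing");
    }
    final IdToken token;
    try {
      token = IdToken.parse(GsonFactory.getDefaultInstance(), rawIdToken);
    } catch (IOException | IllegalArgumentException e) {
      // Malformed input is treated the same as a failed verification.
      throw new SecurityException("ID token could not be parsed", e);
    }
    if (!verifier.verify(token)) {
      throw new SecurityException("ID token rejected by IdTokenVerifier");
    }
    return token;
  }
}
```

Because verify() implements only a subset of the validation steps, any further checks from the ID Token Validation list still belong in the caller after requireValid returns.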

Inheritance

java.lang.Object > IdTokenVerifier

Static Fields

DEFAULT_TIME_SKEW_SECONDS

public static final long DEFAULT_TIME_SKEW_SECONDS

Default value for seconds of time skew to accept when verifying time (5 minutes).

Field Value
Type | Description
long |

Constructors

IdTokenVerifier()

public IdTokenVerifier()

IdTokenVerifier(IdTokenVerifier.Builder builder)

protected IdTokenVerifier(IdTokenVerifier.Builder builder)
Parameter
Name | Description
builder | IdTokenVerifier.Builder: builder

Methods

getAcceptableTimeSkewSeconds()

public final long getAcceptableTimeSkewSeconds()

Returns the seconds of time skew to accept when verifying time.

Returns
Type | Description
long |

getAudience()

public final Collection<String> getAudience()

Returns the unmodifiable list of trusted audience client IDs or null to suppress the audience check.

Returns
Type | Description
Collection<String> |

getClock()

public final Clock getClock()

Returns the clock.

Returns
Type | Description
com.google.api.client.util.Clock |

getIssuer()

public final String getIssuer()

Returns the first of equivalent expected issuers or null if issuer check suppressed.

Returns
Type | Description
String |

getIssuers()

public final Collection<String> getIssuers()

Returns the equivalent expected issuers or null if issuer check suppressed.

Returns
Type | Description
Collection<String> |

verify(IdToken idToken)

public boolean verify(IdToken idToken)

Verifies that the given ID token is valid using the cached public keys.

It verifies:

Overriding is allowed, but it must call the super implementation.

Parameter
Name | Description
idToken | IdToken: ID token

Returns
Type | Description
boolean | true if verified successfully or false if failed

verifyPayload(IdToken idToken)

protected boolean verifyPayload(IdToken idToken)

Verifies the payload of the given ID token.

It verifies:

Overriding is allowed, but it must call the super implementation.

Parameter
Name | Description
idToken | IdToken: ID token

Returns
Type | Description
boolean | true if verified successfully or false if failed