public class IdTokenVerifier
Thread-safe ID token verifier based on ID Token Validation.
Call #verify(IdToken) to verify an ID token. This is a light-weight object, so you may use a new instance for each configuration of expected issuer and trusted client IDs. Sample usage:
IdTokenVerifier verifier = new IdTokenVerifier.Builder() .setIssuer("issuer.example.com") .setAudience(Arrays.asList("myClientId")) .build(); ... if (!verifier.verify(idToken)) {...}
The verifier validates token signature per current OpenID Connect Spec: https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation By default, method gets a certificate from well-known location A request to certificate location is performed using com.google.api.client.http.javanet.NetHttpTransport Either or both certificate location and transport implementation can be overridden via Builder
IdTokenVerifier verifier = new IdTokenVerifier.Builder() .setIssuer("issuer.example.com") .setAudience(Arrays.asList("myClientId")) .setHttpTransportFactory(customHttpTransportFactory) .build(); ... if (!verifier.verify(idToken)) {...}
not recommended: this check can be disabled with OAUTH_CLIENT_SKIP_SIGNATURE environment variable set to true. Use #verifyPayload(IdToken) instead.
Note that #verify(IdToken) only implements a subset of the verification steps, mostly just the MUST steps. Please read <a href="http://openid.net/specs/openid-connect-basic-1_0-27.html#id.token.validation>ID Token Validation for the full list of verification steps.
Static Fields
DEFAULT_TIME_SKEW_SECONDS
public static final long DEFAULT_TIME_SKEW_SECONDS
Default value for seconds of time skew to accept when verifying time (5 minutes).
Field Value | |
---|---|
Type | Description |
long |
Constructors
IdTokenVerifier()
public IdTokenVerifier()
IdTokenVerifier(IdTokenVerifier.Builder builder)
protected IdTokenVerifier(IdTokenVerifier.Builder builder)
Parameter | |
---|---|
Name | Description |
builder |
IdTokenVerifier.Builder builder |
Methods
getAcceptableTimeSkewSeconds()
public final long getAcceptableTimeSkewSeconds()
Returns the seconds of time skew to accept when verifying time.
Returns | |
---|---|
Type | Description |
long |
getAudience()
public final Collection<String> getAudience()
Returns the unmodifiable list of trusted audience client IDs or null
to suppress the
audience check.
Returns | |
---|---|
Type | Description |
Collection<String> |
getClock()
public final Clock getClock()
Returns the clock.
Returns | |
---|---|
Type | Description |
com.google.api.client.util.Clock |
getIssuer()
public final String getIssuer()
Returns the first of equivalent expected issuers or null
if issuer check suppressed.
Returns | |
---|---|
Type | Description |
String |
getIssuers()
public final Collection<String> getIssuers()
Returns the equivalent expected issuers or null
if issuer check suppressed.
Returns | |
---|---|
Type | Description |
Collection<String> |
verify(IdToken idToken)
public boolean verify(IdToken idToken)
Verifies that the given ID token is valid using the cached public keys.
It verifies:
- The issuer is one of #getIssuers() by calling IdToken#verifyIssuer(String).
- The audience is one of #getAudience() by calling IdToken#verifyAudience(Collection).
- The current time against the issued at and expiration time, using the #getClock() and allowing for a time skew specified in #getAcceptableTimeSkewSeconds() , by calling IdToken#verifyTime(long, long).
- This method verifies token signature per current OpenID Connect Spec: https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation. By default, method gets a certificate from well-known location. A request to certificate location is performed using com.google.api.client.http.javanet.NetHttpTransport Both certificate location and transport implementation can be overridden via Builder not recommended: this check can be disabled with OAUTH_CLIENT_SKIP_SIGNATURE environment variable set to true. Use #verifyPayload(IdToken) instead.
Deprecated. This method returns false if network requests to get certificates fail. Use IdTokenVerifier.verfyOrThrow(IdToken) instead to differentiate between potentially retryable network errors and false verification results.
Parameter | |
---|---|
Name | Description |
idToken |
IdToken ID token |
Returns | |
---|---|
Type | Description |
boolean |
|
verifyOrThrow(IdToken idToken)
public boolean verifyOrThrow(IdToken idToken)
Verifies that the given ID token is valid using the cached public keys.
It verifies:
- The issuer is one of #getIssuers() by calling IdToken#verifyIssuer(String).
- The audience is one of #getAudience() by calling IdToken#verifyAudience(Collection).
- The current time against the issued at and expiration time, using the #getClock() and allowing for a time skew specified in #getAcceptableTimeSkewSeconds() , by calling IdToken#verifyTime(long, long).
- This method verifies token signature per current OpenID Connect Spec: https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation. By default, method gets a certificate from well-known location. A request to certificate location is performed using com.google.api.client.http.javanet.NetHttpTransport Both certificate location and transport implementation can be overridden via Builder not recommended: this check can be disabled with OAUTH_CLIENT_SKIP_SIGNATURE environment variable set to true.
Overriding is allowed, but it must call the super implementation.
Parameter | |
---|---|
Name | Description |
idToken |
IdToken ID token |
Returns | |
---|---|
Type | Description |
boolean |
|
Exceptions | |
---|---|
Type | Description |
IOException |
if verification fails to run. For example, if it fails to get public keys for signature verification. |
verifyPayload(IdToken idToken)
protected boolean verifyPayload(IdToken idToken)
Verifies the payload of the given ID token
It verifies:
- The issuer is one of #getIssuers() by calling IdToken#verifyIssuer(String).
- The audience is one of #getAudience() by calling IdToken#verifyAudience(Collection).
- The current time against the issued at and expiration time, using the #getClock() and allowing for a time skew specified in #getAcceptableTimeSkewSeconds() , by calling IdToken#verifyTime(long, long).
Overriding is allowed, but it must call the super implementation.
Parameter | |
---|---|
Name | Description |
idToken |
IdToken ID token |
Returns | |
---|---|
Type | Description |
boolean |
|