Class IdTokenVerifier (1.36.0)

public class IdTokenVerifier

Thread-safe ID token verifier based on ID Token Validation.

Call #verify(IdToken) to verify an ID token. This is a light-weight object, so you may use a new instance for each configuration of expected issuer and trusted client IDs. Sample usage:

IdTokenVerifier verifier = new IdTokenVerifier.Builder() .setIssuer("issuer.example.com") .setAudience(Arrays.asList("myClientId")) .build(); ... if (!verifier.verify(idToken)) {...}

The verifier validates token signature per current OpenID Connect Spec: https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation By default, method gets a certificate from well-known location A request to certificate location is performed using com.google.api.client.http.javanet.NetHttpTransport Either or both certificate location and transport implementation can be overridden via Builder

IdTokenVerifier verifier = new IdTokenVerifier.Builder() .setIssuer("issuer.example.com") .setAudience(Arrays.asList("myClientId")) .setHttpTransportFactory(customHttpTransportFactory) .build(); ... if (!verifier.verify(idToken)) {...}

not recommended: this check can be disabled with OAUTH_CLIENT_SKIP_SIGNATURE environment variable set to true. Use #verifyPayload(IdToken) instead.

Note that #verify(IdToken) only implements a subset of the verification steps, mostly just the MUST steps. Please read <a href="http://openid.net/specs/openid-connect-basic-1_0-27.html#id.token.validation>ID Token Validation for the full list of verification steps.

Inheritance

java.lang.Object > IdTokenVerifier

Static Fields

DEFAULT_TIME_SKEW_SECONDS

public static final long DEFAULT_TIME_SKEW_SECONDS

Default value for seconds of time skew to accept when verifying time (5 minutes).

Field Value
Type Description
long

Constructors

IdTokenVerifier()

public IdTokenVerifier()

IdTokenVerifier(IdTokenVerifier.Builder builder)

protected IdTokenVerifier(IdTokenVerifier.Builder builder)
Parameter
Name Description
builder IdTokenVerifier.Builder

builder

Methods

getAcceptableTimeSkewSeconds()

public final long getAcceptableTimeSkewSeconds()

Returns the seconds of time skew to accept when verifying time.

Returns
Type Description
long

getAudience()

public final Collection<String> getAudience()

Returns the unmodifiable list of trusted audience client IDs or null to suppress the audience check.

Returns
Type Description
Collection<String>

getClock()

public final Clock getClock()

Returns the clock.

Returns
Type Description
com.google.api.client.util.Clock

getIssuer()

public final String getIssuer()

Returns the first of equivalent expected issuers or null if issuer check suppressed.

Returns
Type Description
String

getIssuers()

public final Collection<String> getIssuers()

Returns the equivalent expected issuers or null if issuer check suppressed.

Returns
Type Description
Collection<String>

verify(IdToken idToken)

public boolean verify(IdToken idToken)

Verifies that the given ID token is valid using the cached public keys.

It verifies:

Deprecated. This method returns false if network requests to get certificates fail. Use IdTokenVerifier.verfyOrThrow(IdToken) instead to differentiate between potentially retryable network errors and false verification results.

Parameter
Name Description
idToken IdToken

ID token

Returns
Type Description
boolean

true if verified successfully or false if failed

verifyOrThrow(IdToken idToken)

public boolean verifyOrThrow(IdToken idToken)

Verifies that the given ID token is valid using the cached public keys.

It verifies:

Overriding is allowed, but it must call the super implementation.

Parameter
Name Description
idToken IdToken

ID token

Returns
Type Description
boolean

true if verified successfully or false if payload validation failed

Exceptions
Type Description
IOException

if verification fails to run. For example, if it fails to get public keys for signature verification.

verifyPayload(IdToken idToken)

protected boolean verifyPayload(IdToken idToken)

Verifies the payload of the given ID token

It verifies:

Overriding is allowed, but it must call the super implementation.

Parameter
Name Description
idToken IdToken

ID token

Returns
Type Description
boolean

true if verified successfully or false if failed