com.google.api.client.googleapis.auth.oauth2

Class GoogleIdTokenVerifier

java.lang.Object

com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier

public class GoogleIdTokenVerifier
extends Object

Thread-safe Google ID token verifier.

The public keys are loaded Google's public certificate endpoint at "https://www.googleapis.com/oauth2/v1/certs". The public keys are cached in this instance of GoogleIdTokenVerifier. Therefore, for maximum efficiency, applications should use a single globally-shared instance of the GoogleIdTokenVerifier. Use verify(GoogleIdToken) or GoogleIdToken.verify(GoogleIdTokenVerifier) to verify a Google ID token.

Samples usage:

  public static GoogleIdTokenVerifier verifier;

  public static void initVerifier(
      HttpTransport transport, JsonFactory jsonFactory, String clientId) {
    verifier = new GoogleIdTokenVerifier.Builder(transport, jsonFactory)
        .setClientId(clientId)
        .build();
  }

  public static boolean verifyToken(GoogleIdToken idToken)
      throws GeneralSecurityException, IOException {
    return verifier.verify(idToken);
  }
 

Since:

1.7

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	GoogleIdTokenVerifier.Builder Builder for GoogleIdTokenVerifier.

Constructor Summary

Constructors

Modifier	Constructor and Description
	GoogleIdTokenVerifier(com.google.api.client.http.HttpTransport transport, com.google.api.client.json.JsonFactory jsonFactory) Constructor with required parameters.
protected	GoogleIdTokenVerifier(Set<String> clientIds, com.google.api.client.http.HttpTransport transport, com.google.api.client.json.JsonFactory jsonFactory) Construct the GoogleIdTokenVerifier.
protected	GoogleIdTokenVerifier(Set<String> clientIds, com.google.api.client.http.HttpTransport transport, com.google.api.client.json.JsonFactory jsonFactory, com.google.api.client.util.Clock clock) Construct the GoogleIdTokenVerifier.

Method Summary

Methods

Modifier and Type	Method and Description
Set<String>	getClientIds() Returns the set of client IDs.
long	getExpirationTimeMilliseconds() Returns the expiration time in milliseconds to be used with Clock.currentTimeMillis() or 0 for none.
com.google.api.client.json.JsonFactory	getJsonFactory() Returns the JSON factory.
List<PublicKey>	getPublicKeys() Returns the public keys or null for none.
GoogleIdTokenVerifier	loadPublicCerts() Downloads the public keys from the public certificates endpoint at "https://www.googleapis.com/oauth2/v1/certs".
boolean	verify(GoogleIdToken idToken) Verifies that the given ID token is valid using verify(GoogleIdToken, String) with the getClientIds().
boolean	verify(GoogleIdToken idToken, String clientId) Verifies that the given ID token is valid, using the given client ID.
boolean	verify(Set<String> clientIds, GoogleIdToken idToken) Verifies that the given ID token is valid, using the given set of client IDs.
GoogleIdToken	verify(String idTokenString) Returns a Google ID token if the given ID token string is valid using verify(GoogleIdToken, String) with the getClientIds().

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

GoogleIdTokenVerifier

public GoogleIdTokenVerifier(com.google.api.client.http.HttpTransport transport,
                     com.google.api.client.json.JsonFactory jsonFactory)

Constructor with required parameters.

Use GoogleIdTokenVerifier.Builder to specify client IDs.

Parameters:

transport - HTTP transport

jsonFactory - JSON factory

GoogleIdTokenVerifier

protected GoogleIdTokenVerifier(Set<String> clientIds,
                     com.google.api.client.http.HttpTransport transport,
                     com.google.api.client.json.JsonFactory jsonFactory)

Construct the GoogleIdTokenVerifier.

Parameters:

clientIds - set of client IDs or null for none

transport - HTTP transport

jsonFactory - JSON factory

Since:

1.9

GoogleIdTokenVerifier

protected GoogleIdTokenVerifier(Set<String> clientIds,
                     com.google.api.client.http.HttpTransport transport,
                     com.google.api.client.json.JsonFactory jsonFactory,
                     com.google.api.client.util.Clock clock)

Construct the GoogleIdTokenVerifier.

Parameters:

clientIds - set of client IDs or null for none

transport - HTTP transport

jsonFactory - JSON factory

clock - Clock for expiration checks

Since:

1.9

Method Detail

getJsonFactory

public final com.google.api.client.json.JsonFactory getJsonFactory()

Returns the JSON factory.

getClientIds

public final Set<String> getClientIds()

Returns the set of client IDs.

Since:

1.9

getPublicKeys

public final List<PublicKey> getPublicKeys()

Returns the public keys or null for none.

getExpirationTimeMilliseconds

public final long getExpirationTimeMilliseconds()

Returns the expiration time in milliseconds to be used with Clock.currentTimeMillis() or 0 for none.

verify

public boolean verify(GoogleIdToken idToken)
               throws GeneralSecurityException,
                      IOException

Verifies that the given ID token is valid using verify(GoogleIdToken, String) with the getClientIds().

Parameters:

idToken - Google ID token

Returns:

true if verified successfully or false if failed

Throws:

GeneralSecurityException

IOException

verify

public GoogleIdToken verify(String idTokenString)
                     throws GeneralSecurityException,
                            IOException

Returns a Google ID token if the given ID token string is valid using verify(GoogleIdToken, String) with the getClientIds().

Parameters:

idTokenString - Google ID token string

Returns:

Google ID token if verified successfully or null if failed

Throws:

GeneralSecurityException

IOException

Since:

1.9

verify

public boolean verify(GoogleIdToken idToken,
             String clientId)
               throws GeneralSecurityException,
                      IOException

Verifies that the given ID token is valid, using the given client ID. It verifies:

• The RS256 signature, which uses RSA and SHA-256 based on the public keys downloaded from the public certificate endpoint.
• The current time against the issued at and expiration time (allowing for a 5 minute clock skew).
• The issuer is "accounts.google.com".
• The audience and issuee match the client ID (skipped if clientId is null.

Parameters:

idToken - Google ID token

clientId - client ID or null to skip checking it

Returns:

true if verified successfully or false if failed

Throws:

GeneralSecurityException

IOException

Since:

1.8

verify

public boolean verify(Set<String> clientIds,
             GoogleIdToken idToken)
               throws GeneralSecurityException,
                      IOException

Verifies that the given ID token is valid, using the given set of client IDs. It verifies:

• The RS256 signature, which uses RSA and SHA-256 based on the public keys downloaded from the public certificate endpoint.
• The current time against the issued at and expiration time (allowing for a 5 minute clock skew).
• The issuer is "accounts.google.com".
• The audience and issuee match one of the client IDs (skipped if clientIds is null.

Parameters:

idToken - Google ID token

clientIds - set of client IDs

Returns:

true if verified successfully or false if failed

Throws:

GeneralSecurityException

IOException

Since:

1.9

loadPublicCerts

public GoogleIdTokenVerifier loadPublicCerts()
                                      throws GeneralSecurityException,
                                             IOException

Downloads the public keys from the public certificates endpoint at "https://www.googleapis.com/oauth2/v1/certs".

This method is automatically called if the public keys have not yet been initialized or if the expiration time is very close, so normally this doesn't need to be called. Only call this method explicitly to force the public keys to be updated.

Throws:

GeneralSecurityException

IOException