com.google.api.client.googleapis.auth.oauth2

Class GoogleIdTokenVerifier

java.lang.Object

com.google.api.client.auth.openidconnect.IdTokenVerifier

com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier

@Beta
public class GoogleIdTokenVerifier
extends IdTokenVerifier

Beta
Thread-safe Google ID token verifier.

Call IdTokenVerifier.verify(IdToken) to verify a ID token. Use the constructor GoogleIdTokenVerifier(HttpTransport, JsonFactory) for the typical simpler case if your application has only a single instance of GoogleIdTokenVerifier. Otherwise, ideally you should use GoogleIdTokenVerifier(GooglePublicKeysManager) with a shared global instance of the GooglePublicKeysManager since that way the Google public keys are cached. Sample usage:

 GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(transport, jsonFactory)
        .setAudience(Arrays.asList("myClientId"))
        .build();

 ...

 if (!verifier.verify(googleIdToken)) {...}
 

Since:

1.7

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	GoogleIdTokenVerifier.Builder Beta Builder for GoogleIdTokenVerifier.

Field Summary

Fields inherited from class com.google.api.client.auth.openidconnect.IdTokenVerifier

DEFAULT_TIME_SKEW_SECONDS

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	GoogleIdTokenVerifier(GoogleIdTokenVerifier.Builder builder)
	GoogleIdTokenVerifier(GooglePublicKeysManager publicKeys)
	GoogleIdTokenVerifier(HttpTransport transport, JsonFactory jsonFactory)

Method Summary

Modifier and Type	Method and Description
long	getExpirationTimeMilliseconds() Deprecated. (scheduled to be removed in 1.18) Use getPublicKeysManager() and GooglePublicKeysManager.getExpirationTimeMilliseconds() instead.
JsonFactory	getJsonFactory() Returns the JSON factory.
String	getPublicCertsEncodedUrl() Deprecated. (scheduled to be removed in 1.18) Use getPublicKeysManager() and GooglePublicKeysManager.getPublicCertsEncodedUrl() instead.
List<PublicKey>	getPublicKeys() Deprecated. (scheduled to be removed in 1.18) Use getPublicKeysManager() and GooglePublicKeysManager.getPublicKeys() instead.
GooglePublicKeysManager	getPublicKeysManager() Returns the Google public keys manager.
HttpTransport	getTransport() Returns the HTTP transport.
GoogleIdTokenVerifier	loadPublicCerts() Deprecated. (scheduled to be removed in 1.18) Use getPublicKeysManager() and GooglePublicKeysManager.refresh() instead.
boolean	verify(GoogleIdToken googleIdToken) Verifies that the given ID token is valid using the cached public keys.
GoogleIdToken	verify(String idTokenString) Verifies that the given ID token is valid using verify(GoogleIdToken) and returns the ID token if succeeded.

Methods inherited from class com.google.api.client.auth.openidconnect.IdTokenVerifier

getAcceptableTimeSkewSeconds, getAudience, getClock, getIssuer, getIssuers, verify

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

GoogleIdTokenVerifier

public GoogleIdTokenVerifier(HttpTransport transport,
                             JsonFactory jsonFactory)

Parameters:

transport - HTTP transport

jsonFactory - JSON factory

GoogleIdTokenVerifier

public GoogleIdTokenVerifier(GooglePublicKeysManager publicKeys)

Parameters:

publicKeys - Google public keys manager

Since:

1.17

GoogleIdTokenVerifier

protected GoogleIdTokenVerifier(GoogleIdTokenVerifier.Builder builder)

Parameters:

builder - builder

Since:

1.14

Method Detail

getPublicKeysManager

public final GooglePublicKeysManager getPublicKeysManager()

Returns the Google public keys manager.

Since:

1.17

getTransport

public final HttpTransport getTransport()

Returns the HTTP transport.

Since:

1.14

getJsonFactory

public final JsonFactory getJsonFactory()

Returns the JSON factory.

getPublicCertsEncodedUrl

@Deprecated
public final String getPublicCertsEncodedUrl()

Deprecated. (scheduled to be removed in 1.18) Use getPublicKeysManager() and GooglePublicKeysManager.getPublicCertsEncodedUrl() instead.

Returns the public certificates encoded URL.

Since:

1.15

getPublicKeys

@Deprecated
public final List<PublicKey> getPublicKeys()
                                                throws GeneralSecurityException,
                                                       IOException

Deprecated. (scheduled to be removed in 1.18) Use getPublicKeysManager() and GooglePublicKeysManager.getPublicKeys() instead.

Returns the public keys.

Upgrade warning: in prior version 1.16 it may return null and not throw any exceptions, but starting with version 1.17 it cannot return null and may throw GeneralSecurityException or IOException.

Throws:

GeneralSecurityException

IOException

getExpirationTimeMilliseconds

@Deprecated
public final long getExpirationTimeMilliseconds()

Deprecated. (scheduled to be removed in 1.18) Use getPublicKeysManager() and GooglePublicKeysManager.getExpirationTimeMilliseconds() instead.

Returns the expiration time in milliseconds to be used with Clock.currentTimeMillis() or 0 for none.

verify

public boolean verify(GoogleIdToken googleIdToken)
               throws GeneralSecurityException,
                      IOException

Verifies that the given ID token is valid using the cached public keys.

It verifies:

• The RS256 signature, which uses RSA and SHA-256 based on the public keys downloaded from the public certificate endpoint.
• The current time against the issued at and expiration time (allowing for a 5 minute clock skew).
• The issuer is "accounts.google.com" or "https://accounts.google.com".

Parameters:

googleIdToken - Google ID token

Returns:

true if verified successfully or false if failed

Throws:

GeneralSecurityException

IOException

verify

public GoogleIdToken verify(String idTokenString)
                     throws GeneralSecurityException,
                            IOException

Verifies that the given ID token is valid using verify(GoogleIdToken) and returns the ID token if succeeded.

Parameters:

idTokenString - Google ID token string

Returns:

Google ID token if verified successfully or null if failed

Throws:

GeneralSecurityException

IOException

Since:

1.9

loadPublicCerts

@Deprecated
public GoogleIdTokenVerifier loadPublicCerts()
                                                  throws GeneralSecurityException,
                                                         IOException

Deprecated. (scheduled to be removed in 1.18) Use getPublicKeysManager() and GooglePublicKeysManager.refresh() instead.

Downloads the public keys from the public certificates endpoint at getPublicCertsEncodedUrl().

This method is automatically called if the public keys have not yet been initialized or if the expiration time is very close, so normally this doesn't need to be called. Only call this method explicitly to force the public keys to be updated.

Throws:

GeneralSecurityException

IOException