com.google.api.client.googleapis.auth.oauth2

Class GoogleIdTokenVerifier

java.lang.Object

com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier

@Beta
public class GoogleIdTokenVerifier
extends Object

Beta
Thread-safe Google ID token verifier.

The public keys are loaded from the public certificates endpoint at getPublicCertsEncodedUrl() and cached in this instance. Therefore, for maximum efficiency, applications should use a single globally-shared instance of the GoogleIdTokenVerifier.

Use verify(GoogleIdToken) to verify a Google ID token, and then IdToken.verifyAudience(java.util.Collection<java.lang.String>) to verify the client ID.
Samples usage:

  public static GoogleIdTokenVerifier verifier;

  public static void initVerifier(HttpTransport transport, JsonFactory jsonFactory) {
    verifier = new GoogleIdTokenVerifier(transport, jsonFactory);
  }

  public static boolean verifyToken(GoogleIdToken idToken, Collection trustedClientIds)
      throws GeneralSecurityException, IOException {
    return verifier.verify(idToken) && idToken.verifyAudience(trustedClientIds);
  }
 

Since:

1.7

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	GoogleIdTokenVerifier.Builder Beta Builder for GoogleIdTokenVerifier.

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	GoogleIdTokenVerifier(GoogleIdTokenVerifier.Builder builder)
	GoogleIdTokenVerifier(com.google.api.client.http.HttpTransport transport, com.google.api.client.json.JsonFactory jsonFactory) Constructor with required parameters.

Method Summary

Methods

Modifier and Type	Method and Description
long	getExpirationTimeMilliseconds() Returns the expiration time in milliseconds to be used with Clock.currentTimeMillis() or 0 for none.
com.google.api.client.json.JsonFactory	getJsonFactory() Returns the JSON factory.
String	getPublicCertsEncodedUrl() Returns the public certificates encoded URL.
List<PublicKey>	getPublicKeys() Returns the public keys or null for none.
com.google.api.client.http.HttpTransport	getTransport() Returns the HTTP transport.
GoogleIdTokenVerifier	loadPublicCerts() Downloads the public keys from the public certificates endpoint at getPublicCertsEncodedUrl().
boolean	verify(GoogleIdToken idToken) Verifies that the given ID token is valid using the cached public keys.
GoogleIdToken	verify(String idTokenString) Verifies that the given ID token is valid using verify(GoogleIdToken) and returns the ID token if succeeded.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

GoogleIdTokenVerifier

public GoogleIdTokenVerifier(com.google.api.client.http.HttpTransport transport,
                     com.google.api.client.json.JsonFactory jsonFactory)

Constructor with required parameters.

Use GoogleIdTokenVerifier.Builder to specify client IDs.

Parameters:

transport - HTTP transport

jsonFactory - JSON factory

GoogleIdTokenVerifier

protected GoogleIdTokenVerifier(GoogleIdTokenVerifier.Builder builder)

Parameters:

builder - builder

Since:

1.14

Method Detail

getTransport

public final com.google.api.client.http.HttpTransport getTransport()

Returns the HTTP transport.

Since:

1.14

getJsonFactory

public final com.google.api.client.json.JsonFactory getJsonFactory()

Returns the JSON factory.

getPublicCertsEncodedUrl

public final String getPublicCertsEncodedUrl()

Returns the public certificates encoded URL.

Since:

1.15

getPublicKeys

public final List<PublicKey> getPublicKeys()

Returns the public keys or null for none.

getExpirationTimeMilliseconds

public final long getExpirationTimeMilliseconds()

Returns the expiration time in milliseconds to be used with Clock.currentTimeMillis() or 0 for none.

verify

public boolean verify(GoogleIdToken idToken)
               throws GeneralSecurityException,
                      IOException

Verifies that the given ID token is valid using the cached public keys. It verifies:

• The RS256 signature, which uses RSA and SHA-256 based on the public keys downloaded from the public certificate endpoint.
• The current time against the issued at and expiration time (allowing for a 5 minute clock skew).
• The issuer is "accounts.google.com".

Parameters:

idToken - Google ID token

Returns:

true if verified successfully or false if failed

Throws:

GeneralSecurityException

IOException

verify

public GoogleIdToken verify(String idTokenString)
                     throws GeneralSecurityException,
                            IOException

Verifies that the given ID token is valid using verify(GoogleIdToken) and returns the ID token if succeeded.

Parameters:

idTokenString - Google ID token string

Returns:

Google ID token if verified successfully or null if failed

Throws:

GeneralSecurityException

IOException

Since:

1.9

loadPublicCerts

public GoogleIdTokenVerifier loadPublicCerts()
                                      throws GeneralSecurityException,
                                             IOException

Downloads the public keys from the public certificates endpoint at getPublicCertsEncodedUrl().

This method is automatically called if the public keys have not yet been initialized or if the expiration time is very close, so normally this doesn't need to be called. Only call this method explicitly to force the public keys to be updated.

Throws:

GeneralSecurityException

IOException