com.google.api.client.googleapis.auth.oauth2

Class GoogleIdTokenVerifier

java.lang.Object

com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier

public class GoogleIdTokenVerifier
extends Object

Thread-safe Google ID token verifier.

The public keys are loaded Google's public certificate endpoint at "https://www.googleapis.com/oauth2/v1/certs". The public keys are cached in this instance of GoogleIdTokenVerifier. Therefore, for maximum efficiency, applications should use a single globally-shared instance of the GoogleIdTokenVerifier. Use verify(GoogleIdToken) to verify a Google ID token, and then IdToken.verifyAudience(java.util.Collection<java.lang.String>) to verify the client ID.

Samples usage:

  public static GoogleIdTokenVerifier verifier;

  public static void initVerifier(
      HttpTransport transport, JsonFactory jsonFactory, String clientId) {
    verifier = new GoogleIdTokenVerifier.Builder(transport, jsonFactory)
        .setClientId(clientId)
        .build();
  }

  public static boolean verifyToken(GoogleIdToken idToken)
      throws GeneralSecurityException, IOException {
    return verifier.verify(idToken);
  }
 

Since:

1.7

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	GoogleIdTokenVerifier.Builder Builder for GoogleIdTokenVerifier.

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	GoogleIdTokenVerifier(GoogleIdTokenVerifier.Builder builder)
	GoogleIdTokenVerifier(com.google.api.client.http.HttpTransport transport, com.google.api.client.json.JsonFactory jsonFactory) Constructor with required parameters.
protected	GoogleIdTokenVerifier(Set<String> clientIds, com.google.api.client.http.HttpTransport transport, com.google.api.client.json.JsonFactory jsonFactory) Deprecated. (scheduled to be removed in 1.15) Use GoogleIdTokenVerifier(Builder)
protected	GoogleIdTokenVerifier(Set<String> clientIds, com.google.api.client.http.HttpTransport transport, com.google.api.client.json.JsonFactory jsonFactory, com.google.api.client.util.Clock clock) Deprecated. (scheduled to be removed in 1.15) Use GoogleIdTokenVerifier(Builder)

Method Summary

Methods

Modifier and Type	Method and Description
Set<String>	getClientIds() Deprecated. (scheduled to be removed in 1.15) Use IdToken.verifyAudience(java.util.Collection<java.lang.String>)
long	getExpirationTimeMilliseconds() Returns the expiration time in milliseconds to be used with Clock.currentTimeMillis() or 0 for none.
com.google.api.client.json.JsonFactory	getJsonFactory() Returns the JSON factory.
List<PublicKey>	getPublicKeys() Returns the public keys or null for none.
com.google.api.client.http.HttpTransport	getTransport() Returns the HTTP transport.
GoogleIdTokenVerifier	loadPublicCerts() Downloads the public keys from the public certificates endpoint at "https://www.googleapis.com/oauth2/v1/certs".
boolean	verify(GoogleIdToken idToken) Verifies that the given ID token is valid using the cached public keys.
boolean	verify(GoogleIdToken idToken, String clientId) Deprecated. (scheduled to be removed in 1.15) Use verify(GoogleIdToken)
boolean	verify(Set<String> clientIds, GoogleIdToken idToken) Deprecated. (scheduled to be removed in 1.15) Use verify(GoogleIdToken)
GoogleIdToken	verify(String idTokenString) Verifies that the given ID token is valid using verify(GoogleIdToken) and returns the ID token if succeeded.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

GoogleIdTokenVerifier

public GoogleIdTokenVerifier(com.google.api.client.http.HttpTransport transport,
                     com.google.api.client.json.JsonFactory jsonFactory)

Constructor with required parameters.

Use GoogleIdTokenVerifier.Builder to specify client IDs.

Parameters:

transport - HTTP transport

jsonFactory - JSON factory

GoogleIdTokenVerifier

protected GoogleIdTokenVerifier(GoogleIdTokenVerifier.Builder builder)

Parameters:

builder - builder

Since:

1.14

GoogleIdTokenVerifier

@Deprecated
protected GoogleIdTokenVerifier(Set<String> clientIds,
                                com.google.api.client.http.HttpTransport transport,
                                com.google.api.client.json.JsonFactory jsonFactory)

Deprecated. (scheduled to be removed in 1.15) Use GoogleIdTokenVerifier(Builder)

Construct the GoogleIdTokenVerifier.

Parameters:

clientIds - set of client IDs or null for none

transport - HTTP transport

jsonFactory - JSON factory

Since:

1.9

GoogleIdTokenVerifier

@Deprecated
protected GoogleIdTokenVerifier(Set<String> clientIds,
                                com.google.api.client.http.HttpTransport transport,
                                com.google.api.client.json.JsonFactory jsonFactory,
                                com.google.api.client.util.Clock clock)

Deprecated. (scheduled to be removed in 1.15) Use GoogleIdTokenVerifier(Builder)

Construct the GoogleIdTokenVerifier.

Parameters:

clientIds - set of client IDs or null for none

transport - HTTP transport

jsonFactory - JSON factory

clock - Clock for expiration checks

Since:

1.9

Method Detail

getTransport

public final com.google.api.client.http.HttpTransport getTransport()

Returns the HTTP transport.

Since:

1.14

getJsonFactory

public final com.google.api.client.json.JsonFactory getJsonFactory()

Returns the JSON factory.

getClientIds

@Deprecated
public final Set<String> getClientIds()

Deprecated. (scheduled to be removed in 1.15) Use IdToken.verifyAudience(java.util.Collection<java.lang.String>)

Returns the set of client IDs.

Since:

1.9

getPublicKeys

public final List<PublicKey> getPublicKeys()

Returns the public keys or null for none.

getExpirationTimeMilliseconds

public final long getExpirationTimeMilliseconds()

Returns the expiration time in milliseconds to be used with Clock.currentTimeMillis() or 0 for none.

verify

public boolean verify(GoogleIdToken idToken)
               throws GeneralSecurityException,
                      IOException

Verifies that the given ID token is valid using the cached public keys. It verifies:

• The RS256 signature, which uses RSA and SHA-256 based on the public keys downloaded from the public certificate endpoint.
• The current time against the issued at and expiration time (allowing for a 5 minute clock skew).
• The issuer is "accounts.google.com".

For backwards compatibility, if client IDs are specified, it instead calls verify(Set, GoogleIdToken).

Parameters:

idToken - Google ID token

Returns:

true if verified successfully or false if failed

Throws:

GeneralSecurityException

IOException

verify

public GoogleIdToken verify(String idTokenString)
                     throws GeneralSecurityException,
                            IOException

Verifies that the given ID token is valid using verify(GoogleIdToken) and returns the ID token if succeeded.

Parameters:

idTokenString - Google ID token string

Returns:

Google ID token if verified successfully or null if failed

Throws:

GeneralSecurityException

IOException

Since:

1.9

verify

@Deprecated
public boolean verify(GoogleIdToken idToken,
                        String clientId)
               throws GeneralSecurityException,
                      IOException

Deprecated. (scheduled to be removed in 1.15) Use verify(GoogleIdToken)

Verifies that the given ID token is valid, using the given client ID. It verifies:

• The RS256 signature, which uses RSA and SHA-256 based on the public keys downloaded from the public certificate endpoint.
• The current time against the issued at and expiration time (allowing for a 5 minute clock skew).
• The issuer is "accounts.google.com".
• The audience and issuee match the client ID (skipped if clientId is null).

Parameters:

idToken - Google ID token

clientId - client ID or null to skip checking it

Returns:

true if verified successfully or false if failed

Throws:

GeneralSecurityException

IOException

Since:

1.8

verify

@Deprecated
public boolean verify(Set<String> clientIds,
                        GoogleIdToken idToken)
               throws GeneralSecurityException,
                      IOException

Deprecated. (scheduled to be removed in 1.15) Use verify(GoogleIdToken)

Verifies that the given ID token is valid, using the given set of client IDs. It verifies:

• The RS256 signature, which uses RSA and SHA-256 based on the public keys downloaded from the public certificate endpoint.
• The current time against the issued at and expiration time (allowing for a 5 minute clock skew).
• The issuer is "accounts.google.com".
• The audience and issuee match one of the client IDs (skipped if clientIds is null.

Parameters:

idToken - Google ID token

clientIds - set of client IDs

Returns:

true if verified successfully or false if failed

Throws:

GeneralSecurityException

IOException

Since:

1.9

loadPublicCerts

public GoogleIdTokenVerifier loadPublicCerts()
                                      throws GeneralSecurityException,
                                             IOException

Downloads the public keys from the public certificates endpoint at "https://www.googleapis.com/oauth2/v1/certs".

This method is automatically called if the public keys have not yet been initialized or if the expiration time is very close, so normally this doesn't need to be called. Only call this method explicitly to force the public keys to be updated.

Throws:

GeneralSecurityException

IOException