Class IdTokenVerifier
- java.lang.Object
  - com.google.api.client.auth.openidconnect.IdTokenVerifier

@Beta public class IdTokenVerifier extends Object

Beta

Thread-safe ID token verifier based on ID Token Validation.

Call verify(IdToken) to verify an ID token. This is a light-weight object, so you may use a new instance for each configuration of expected issuer and trusted client IDs. Sample usage:

    IdTokenVerifier verifier = new IdTokenVerifier.Builder()
        .setIssuer("issuer.example.com")
        .setAudience(Arrays.asList("myClientId"))
        .build();
    ...
    if (!verifier.verify(idToken)) {...}

Note that verify(IdToken) only implements a subset of the verification steps, mostly just the MUST steps. Please read

Since:
- 1.16

Nested Class Summary
- static class IdTokenVerifier.Builder

Field Summary
- static long DEFAULT_TIME_SKEW_SECONDS
  Default value for seconds of time skew to accept when verifying time (5 minutes).

Constructor Summary
- IdTokenVerifier()
- protected IdTokenVerifier(IdTokenVerifier.Builder builder)

Method Summary
- long getAcceptableTimeSkewSeconds()
  Returns the seconds of time skew to accept when verifying time.
- Collection<String> getAudience()
  Returns the unmodifiable list of trusted audience client IDs or null to suppress the audience check.
- com.google.api.client.util.Clock getClock()
  Returns the clock.
- String getIssuer()
  Returns the first of equivalent expected issuers or null if issuer check suppressed.
- Collection<String> getIssuers()
  Returns the equivalent expected issuers or null if issuer check suppressed.
- boolean verify(IdToken idToken)
  Verifies that the given ID token is valid using the cached public keys.

Field Detail

DEFAULT_TIME_SKEW_SECONDS
public static final long DEFAULT_TIME_SKEW_SECONDS
Default value for seconds of time skew to accept when verifying time (5 minutes).
See Also:
- Constant Field Values

Constructor Detail

IdTokenVerifier
public IdTokenVerifier()

IdTokenVerifier
protected IdTokenVerifier(IdTokenVerifier.Builder builder)
Parameters:
- builder - builder

Method Detail

getClock
public final com.google.api.client.util.Clock getClock()
Returns the clock.

getAcceptableTimeSkewSeconds
public final long getAcceptableTimeSkewSeconds()
Returns the seconds of time skew to accept when verifying time.

getIssuer
public final String getIssuer()
Returns the first of equivalent expected issuers or null if issuer check suppressed.

getIssuers
public final Collection<String> getIssuers()
Returns the equivalent expected issuers or null if issuer check suppressed.
Since:
- 1.21.0

getAudience
public final Collection<String> getAudience()
Returns the unmodifiable list of trusted audience client IDs or null to suppress the audience check.

verify
public boolean verify(IdToken idToken)
Verifies that the given ID token is valid using the cached public keys. It verifies:
- The issuer is one of getIssuers() by calling IdToken.verifyIssuer(String).
- The audience is one of getAudience() by calling IdToken.verifyAudience(Collection).
- The current time against the issued at and expiration time, using the getClock() and allowing for a time skew specified in getAcceptableTimeSkewSeconds(), by calling IdToken.verifyTime(long, long).

Overriding is allowed, but it must call the super implementation.
Parameters:
- idToken - ID token
Returns:
- true if verified successfully or false if failed
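
The page notes that verify(IdToken) covers only a subset of the validation steps and that an override must call the super implementation. As an added example (not code from the library or its documentation), the hypothetical NonceCheckingVerifier below layers a nonce comparison on top of the built-in issuer, audience and time checks; the class name, the forLogin helper, the 60-second skew and the issuer and client ID values are assumptions.

```java
import com.google.api.client.auth.openidconnect.IdToken;
import com.google.api.client.auth.openidconnect.IdTokenVerifier;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

/** Hypothetical subclass (not part of the library): adds a nonce check to verify(). */
public class NonceCheckingVerifier extends IdTokenVerifier {
  private final String expectedNonce;

  public NonceCheckingVerifier(IdTokenVerifier.Builder builder, String expectedNonce) {
    super(builder);
    if (expectedNonce == null || expectedNonce.isEmpty()) {
      throw new IllegalArgumentException("expectedNonce is required");
    }
    this.expectedNonce = expectedNonce;
  }

  @Override
  public boolean verify(IdToken idToken) {
    // Run the built-in issuer, audience and time checks first, as the class contract requires.
    if (!super.verify(idToken)) {
      return false;
    }
    // Additional step: the nonce claim must be present and equal to the value
    // this client sent in the authentication request.
    String nonce = idToken.getPayload().getNonce();
    if (nonce == null) {
      return false;
    }
    // Constant-time comparison of the two values.
    return MessageDigest.isEqual(
        nonce.getBytes(StandardCharsets.UTF_8),
        expectedNonce.getBytes(StandardCharsets.UTF_8));
  }

  /** Builds a verifier for one login attempt; issuer and client ID are placeholder values. */
  public static NonceCheckingVerifier forLogin(String nonceSentInRequest) {
    IdTokenVerifier.Builder builder = new IdTokenVerifier.Builder()
        .setIssuer("issuer.example.com")
        .setAudience(Arrays.asList("myClientId"))
        .setAcceptableTimeSkewSeconds(60); // assumed value, tighter than the 5-minute default
    return new NonceCheckingVerifier(builder, nonceSentInRequest);
  }
}
```

Because the expected nonce differs for every authentication request, create one instance per login attempt rather than sharing a single verifier.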