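/*
 * Copyright 2022 Google Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

// [START auth_cloud_verify_google_idtoken]

import com.google.api.client.json.webtoken.JsonWebToken;
import com.google.auth.oauth2.TokenVerifier;

public class VerifyGoogleIdToken {

  /**
   * Runs the sample with placeholder values.
   *
   * @param args unused
   */
  public static void main(String[] args) {
    // TODO(Developer): Replace the below variables before running the code.
    // The Google ID token to verify.
    String idToken = "id-token";

    // The service name for which the id token was requested.
    String targetAudience = "https://example.com";

    // To verify id tokens, get the Json Web Key endpoint (jwk).
    // OpenID Connect allows the use of a "Discovery document," a JSON document found at a
    // well-known location containing key-value pairs which provide details about the
    // OpenID Connect provider's configuration.
    // For more information on validating the jwt, see:
    // https://developers.google.com/identity/protocols/oauth2/openid-connect#validatinganidtoken
    //
    // Here, we validate Google's token using Google's OpenID Connect service (jwkUrl).
    // For more information on jwk, see:
    // https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-sets
    String jwkUrl = "https://www.googleapis.com/oauth2/v3/certs";

    verifyGoogleIdToken(idToken, targetAudience, jwkUrl);
  }

  /**
   * Verifies the obtained Google id token. This is done at the receiving end of the OIDC
   * endpoint.
   *
   * <p>The most common use case for verifying the ID token is when you are protecting your own
   * APIs with IAP. Google services already verify credentials as a platform, so verifying ID
   * tokens before making Google API calls is usually unnecessary.
   *
   * <p>This sample only prints the outcome. A service that relies on the token has to treat the
   * {@code VerificationException} path as "request not authenticated" and stop there.
   *
   * @param idToken the serialized ID token (JWT) to verify
   * @param audience the audience the token must have been issued for
   * @param jwkUrl URL of the JSON Web Key set that holds the signer's public keys
   */
  public static void verifyGoogleIdToken(String idToken, String audience, String jwkUrl) {
    // Initialize the token verifier, set the expected audience and tell it where to fetch the
    // signing keys from.
    TokenVerifier tokenVerifier =
        TokenVerifier.newBuilder()
            .setAudience(audience)
            // The JWK URL is the location of the public keys, so it goes into
            // setCertificatesLocation(). setIssuer() sets the expected "iss" claim; passing
            // the JWK URL there makes the verifier compare the token's issuer with the key
            // URL instead of using the URL to fetch keys.
            // Optional, when verifying a Google ID token, the jwk url is set by default.
            .setCertificatesLocation(jwkUrl)
            .build();
    // NOTE(review): no expected issuer is pinned on the builder. The validation guide linked
    // in main() also lists the "iss" claim among the values to check; add setIssuer(...) with
    // the issuer confirmed for your token source.

    try {
      // Verify the token.
      JsonWebToken jsonWebToken = tokenVerifier.verify(idToken);

      // Claims are read only after verify() has returned without throwing.
      JsonWebToken.Payload payload = jsonWebToken.getPayload();
      // Get the user id.
      String userId = payload.getSubject();
      System.out.println("User ID: " + userId);

      // Optionally, if "INCLUDE_EMAIL" was set in the token options, the token carries an
      // "email" claim. The presence of that claim does not say the address was verified;
      // that is reported separately in the "email_verified" claim, so print both.
      Object email = payload.get("email");
      if (email != null) {
        System.out.printf(
            "Email: %s (email_verified: %s)%n", email, payload.get("email_verified"));
      }
    } catch (TokenVerifier.VerificationException e) {
      System.out.printf("Unable to verify the token: %s%n", e.getMessage());
    }
  }
}
// [END auth_cloud_verify_google_idtoken]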