feat: add ability to verify id tokens #419

Closed
wants to merge 8 commits into from

Conversation

@chingor13 chingor13 commented Apr 22, 2020

This adds the ability to verify JWT tokens that are signed using either RS256 or ES256. The current proposed interface is a static method call boolean TokenVerifier.verify(String, TokenOptions) which throws a new VerificationException on failure.

By default, TokenVerifier only verifies the signatures and expiration.

Example usage:

```java
String token = "some JWT formatted string";
TokenVerifier.VerifyOptions verifyOptions =
    TokenVerifier.VerifyOptions.newBuilder()
        .setAudience("audience to verify")
        .setIssuer("issuer to verify")
        .build();
// Throws VerificationException if the signature, expiration, audience or issuer check fails.
TokenVerifier.verify(token, verifyOptions);
```

Verifying Signatures

After parsing the JWT, we look up the algorithm and key id (kid) from the JWT header. To find/build the PublicKey necessary to verify the signature, we look up the value from well-known locations for Google signing keys (https://www.googleapis.com/oauth2/v3/certs for RS256 and https://www.gstatic.com/iap/verify/public_key-jwk for ES256). The PublicKeys parsed from these URLs are cached for 1 hour via a Guava LoadingCache implementation.

You can skip the key lookup by providing a PublicKey directly in VerifyOptions.

You can specify a custom JSON Web Token Key Set URL or x509 Certificates URL by specifying the certificatesLocation in VerifyOptions.

Verifying Expiration

By default we compare the JWT expires-at field with the current timestamp. For testing purposes, you can supply your own Clock interface to VerifyOptions.

Verifying Audience

To verify the expected audience, set the audience field in VerifyOptions.

Verifying Issuer

To verify the expected issuer, set the issuer field in VerifyOptions.

@googlebot googlebot added the cla: yes This human has signed the Contributor License Agreement. label Apr 22, 2020
@chingor13

Closing in favor of #420

@chingor13 chingor13 closed this May 28, 2020
@chingor13 chingor13 deleted the verify-id-token branch May 28, 2020 20:23