feat: add ability to verify id tokens #419
Closed
This adds the ability to verify JWT tokens that are signed using either RS256 or ES256. The current proposed interface is a static method call

`boolean TokenVerifier.verify(String, TokenOptions)`

which throws a new `VerificationException` on failure. By default, `TokenVerifier` only verifies the signatures and expiration. Example usage:

Verifying Signatures

After parsing the JWT, we look up the algorithm and key id (`kid`) from the JWT header. To find/build the `PublicKey` necessary to verify the signature, we look up the value from well-known locations for Google signing keys (https://www.googleapis.com/oauth2/v3/certs for RS256 and https://www.gstatic.com/iap/verify/public_key-jwk for ES256). The `PublicKey`s parsed from these URLs are cached for 1 hour via a Guava `LoadingCache` implementation. You can skip the key lookup by providing a `PublicKey` directly in `VerifyOptions`. You can specify a custom JSON Web Token Key Set URL or x509 Certificates URL by specifying the `certificatesLocation` in `VerifyOptions`.

Verifying Expiration

By default we compare the JWT expires at field with the current timestamp. For testing purposes, you can supply your own `Clock` interface to `VerifyOptions`.

Verifying Audience

To verify the expected audience, set the audience field in `VerifyOptions`.

Verify Issuer

To verify the expected issuer, set the issuer field in `VerifyOptions`.
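The verification flow the PR describes (look up `kid` in the header, resolve a `PublicKey`, check the signature, then expiration, audience and issuer, with an injectable `Clock`) as an added, self-contained example. This is not the library's `TokenVerifier` or `VerifyOptions`; the class names, the `keysByKid` map that stands in for the cached key lookup, the regex field extraction and the constructed token are all assumptions made for the demo. It uses only JDK APIs and covers RS256 only.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.time.Clock;
import java.time.Instant;
import java.time.ZoneOffset;
import java.util.Base64;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not the library's TokenVerifier: verify an RS256 JWT against a
// kid -> PublicKey lookup, then check exp, aud and iss. All names are hypothetical.
public class IdTokenVerifyExample {

    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();

    // Hypothetical options object, loosely modelled on the VerifyOptions the PR describes.
    static final class VerifyOptions {
        final Map<String, PublicKey> keysByKid; // stands in for the cached JWKS lookup
        final String audience;                  // null = do not check
        final String issuer;                    // null = do not check
        final Clock clock;                      // injectable so tests can fix "now"
        VerifyOptions(Map<String, PublicKey> keysByKid, String audience, String issuer, Clock clock) {
            this.keysByKid = keysByKid; this.audience = audience; this.issuer = issuer; this.clock = clock;
        }
    }

    static final class VerificationException extends Exception {
        VerificationException(String msg) { super(msg); }
    }

    // Minimal field extraction, enough for the flat header/claims JSON used here.
    // A real implementation should use a JSON parser (aud, for instance, may be an array).
    private static String strField(String json, String name) {
        Matcher m = Pattern.compile("\"" + name + "\"\\s*:\\s*\"([^\"]*)\"").matcher(json);
        return m.find() ? m.group(1) : null;
    }

    private static Long numField(String json, String name) {
        Matcher m = Pattern.compile("\"" + name + "\"\\s*:\\s*(\\d+)").matcher(json);
        return m.find() ? Long.valueOf(m.group(1)) : null;
    }

    static boolean verify(String jwt, VerifyOptions opts) throws VerificationException {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) throw new VerificationException("malformed token");
        String header = new String(DEC.decode(parts[0]), StandardCharsets.UTF_8);
        String claims = new String(DEC.decode(parts[1]), StandardCharsets.UTF_8);

        // The alg header may only select among algorithms we support; anything else
        // (including "none" or an HMAC alg) is rejected before any key is touched.
        String alg = strField(header, "alg");
        if (!"RS256".equals(alg)) throw new VerificationException("unsupported alg: " + alg);
        PublicKey key = opts.keysByKid.get(strField(header, "kid"));
        if (key == null) throw new VerificationException("no key for kid");

        try {
            Signature sig = Signature.getInstance("SHA256withRSA");
            sig.initVerify(key);
            sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
            if (!sig.verify(DEC.decode(parts[2]))) throw new VerificationException("bad signature");
        } catch (GeneralSecurityException e) {
            throw new VerificationException("signature check failed: " + e.getMessage());
        }

        // Only after the signature holds are the claims worth evaluating.
        Long exp = numField(claims, "exp");
        if (exp == null || Instant.now(opts.clock).getEpochSecond() >= exp) throw new VerificationException("token expired or has no exp");
        if (opts.audience != null && !opts.audience.equals(strField(claims, "aud"))) throw new VerificationException("audience mismatch");
        if (opts.issuer != null && !opts.issuer.equals(strField(claims, "iss"))) throw new VerificationException("issuer mismatch");
        return true;
    }

    // Builds a constructed RS256 token for the demo; in practice the token arrives from a client.
    static String sign(String headerJson, String claimsJson, PrivateKey priv) throws GeneralSecurityException {
        String input = ENC.encodeToString(headerJson.getBytes(StandardCharsets.UTF_8)) + "."
                + ENC.encodeToString(claimsJson.getBytes(StandardCharsets.UTF_8));
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(priv);
        sig.update(input.getBytes(StandardCharsets.US_ASCII));
        return input + "." + ENC.encodeToString(sig.sign());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        Map<String, PublicKey> keys = Map.of("kid-1", kp.getPublic()); // constructed stand-in for a fetched JWKS
        Clock clock = Clock.fixed(Instant.ofEpochSecond(1_600_000_000L), ZoneOffset.UTC);
        String header = "{\"alg\":\"RS256\",\"kid\":\"kid-1\",\"typ\":\"JWT\"}";
        String claims = "{\"iss\":\"https://accounts.google.com\",\"aud\":\"my-client-id\",\"exp\":1600003600}";
        String token = sign(header, claims, kp.getPrivate());

        System.out.println("valid: " + verify(token, new VerifyOptions(keys, "my-client-id", "https://accounts.google.com", clock)));
        try {
            verify(token, new VerifyOptions(keys, "other-client", null, clock));
        } catch (VerificationException e) {
            System.out.println("rejected: " + e.getMessage()); // audience mismatch
        }
    }
}
```

Two points worth noting against the PR text. First, the `kid` is used only to select among keys already obtained from a trusted location; the token itself never decides which key or which algorithm is trusted, which is why `alg` is pinned before the lookup. Second, ES256 is left out above because JWS encodes ECDSA signatures as the raw `R || S` concatenation while `java.security.Signature` with `SHA256withECDSA` consumes DER, so a verifier for that path needs a raw-to-DER conversion step in addition to swapping the algorithm name and key type.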