/**
 * Runs the Google-side verification of {@code token} inside a child tracing span named
 * {@code "googleTokenVerification"}.
 *
 * <p>Only what {@code verifier.verify} checks is checked here; whether that verifier was
 * configured with an expected audience is not visible from this method — NOTE(review):
 * confirm the {@code aud} claim is validated somewhere on this path.
 *
 * @param accessToken raw token string, handed to {@code buildSubject} together with the payload
 * @param token the parsed ID token to verify
 * @param tracer tracer used to open the span
 * @param tracingSpan parent span context
 * @return a {@link CachedRecord} carrying the built subject and a staleness predicate that is
 *     the negation of {@code verifyLocal(payload)}, or {@link Optional#empty()} when the verifier
 *     rejects the token
 * @throws SecurityException wrapping a {@link GeneralSecurityException} or {@link IOException}
 *     thrown by the verifier — a transport failure is surfaced as an error, not as "rejected"
 */
private Optional<CachedRecord> verifyGoogle(String accessToken, GoogleIdToken token, Tracer tracer, SpanContext tracingSpan) throws SecurityException {
  final Span verificationSpan = tracer.buildSpan("googleTokenVerification")
      .asChildOf(tracingSpan)
      .start();
  try {
    final boolean accepted = verifier.verify(token);
    if (!accepted) {
      return Optional.empty();
    }
    // The staleness predicate re-reads the payload on every evaluation instead of capturing
    // it once, exactly as the original lambda did.
    final CachedRecord record = new CachedRecord(
        buildSubject(accessToken, token.getPayload()),
        () -> !verifyLocal(token.getPayload()));
    return Optional.of(record);
  } catch (GeneralSecurityException | IOException cause) {
    throw new SecurityException("Failed to verify Google token", cause);
  } finally {
    verificationSpan.finish();
  }
}
this.tokenParser = (jsonFactory, token) -> { try { return GoogleIdToken.parse(jsonFactory, token); } catch (IOException e) { throw new SecurityException("Failed to parse Google token", e);
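/**
 * Validates a Google ID token presented in an auth header and maps it to the caller's identity.
 *
 * <p>Checks, in order: the token parses; {@code tokenVerifier.verify} accepts it; the
 * {@code aud} claim equals {@code googleOAuthWebClientId}; the {@code azp} claim is one of
 * {@code googleAuthClientIds}. Every failure — including a parse or verification exception —
 * yields {@code absent()}, i.e. the method fails closed.
 *
 * @param authToken raw ID token string taken from the request
 * @return subject and email of the verified token, or absent
 */
public Optional<OAuthDetails> checkAuthHeader(String authToken) {
  try {
    GoogleIdToken token = GoogleIdToken.parse(jsonFactory, authToken);
    if (tokenVerifier.verify(token)) {
      GoogleIdToken.Payload payload = token.getPayload();
      // Fail closed on a missing "aud": the original dereferenced it directly, so a token
      // without that claim would have thrown an uncaught NullPointerException (the catch
      // below only handles GeneralSecurityException / IOException). getAudience() is typed
      // Object, so anything that is not exactly the configured client-id string (e.g. a List,
      // if the library returns one for multi-audience tokens) also fails equals and is rejected.
      Object audience = payload.getAudience();
      if (audience == null || !audience.equals(googleOAuthWebClientId)) {
        return Optional.absent();
      }
      if (!googleAuthClientIds.contains(payload.getAuthorizedParty())) {
        return Optional.absent();
      }
      return Optional.of(new OAuthDetails(payload.getSubject(), payload.getEmail()));
    }
  } catch (GeneralSecurityException | IOException e) {
    Log.debug("oauth failed", e);
  }
  return Optional.absent();
}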
.setAudience(Arrays.asList(SERVER_CLIENT_ID)) .build(); boolean verified = googleIdToken.verify(verifier); if (!verified) { GoogleIdToken.Payload payload = googleIdToken.getPayload(); String userId = payload.getSubject(); String email = payload.getEmail();
/**
 * Verifies the payload through {@code super.verify} and then the signature against each
 * public key from {@code publicKeys}, in turn.
 *
 * <p>Any exception raised while trying one key is printed to stderr and the next key is
 * tried (the broad {@code catch (Exception)} is kept as in the original). The token is
 * accepted only if some key verifies the signature; exhausting the keys rejects it.
 *
 * @param googleIdToken token to verify
 * @return {@code true} when the payload checks pass and a cached key verifies the signature
 */
public boolean verify(GoogleIdToken googleIdToken) throws GeneralSecurityException, IOException {
  if (!super.verify(googleIdToken)) {
    return false; // payload rejected by the parent verifier
  }
  boolean signatureOk = false;
  for (PublicKey candidate : publicKeys.getPublicKeys()) {
    try {
      signatureOk = googleIdToken.verifySignature(candidate);
    } catch (Exception failure) {
      // A non-matching key may throw instead of returning false; move on to the next key.
      System.err.println("Verify Token:" + failure);
      signatureOk = false;
    }
    if (signatureOk) {
      break;
    }
  }
  return signatureOk;
}
// Decode the compact JWS (no signature check happens here) and wrap it in a GoogleIdToken
// whose verify() maps a java.security.SignatureException from the verifier to "not verified"
// instead of propagating it. Other GeneralSecurityExceptions and IOExceptions still propagate.
final JsonWebSignature jws = JsonWebSignature.parser(mJFactory)
    .setPayloadClass(Payload.class)
    .parse(tokenString);
final GoogleIdToken token = new GoogleIdToken(jws.getHeader(), (Payload) jws.getPayload(), jws.getSignatureBytes(), jws.getSignedContentBytes()) {
  @Override
  public boolean verify(GoogleIdTokenVerifier verifier) throws GeneralSecurityException, IOException {
    boolean verified;
    try {
      verified = verifier.verify(this);
    } catch (java.security.SignatureException malformedSignature) {
      verified = false; // fail closed
    }
    return verified;
  }
};
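/**
 * Parses and verifies a Google ID token string and returns its payload on success.
 *
 * <p>On failure {@code null} is returned and {@code problem} is set to describe it: a
 * security/verification exception, an I/O failure, an {@code aud} that does not match
 * {@code audience}, or an {@code azp} that is not in {@code clientIDs}.
 *
 * <p>NOTE(review): as in the original, {@code problem} is not reset on entry and is left
 * untouched when {@code verifier.verify} merely returns {@code false}, so a caller may see a
 * stale message from an earlier call — confirm whether callers depend on that.
 *
 * @param tokenString raw ID token
 * @return the verified payload, or {@code null}
 */
public GoogleIdToken.Payload parse(String tokenString) {
  GoogleIdToken.Payload payload = null;
  try {
    GoogleIdToken token = GoogleIdToken.parse(jsonFactory, tokenString);
    if (verifier.verify(token)) {
      GoogleIdToken.Payload tempPayload = token.getPayload();
      // Fail closed on a missing "aud": the original dereferenced it directly and would have
      // thrown an uncaught NullPointerException instead of reporting a problem.
      Object tokenAudience = tempPayload.getAudience();
      if (tokenAudience == null || !tokenAudience.equals(audience)) {
        problem = "Audience mismatch, " + audience + " != " + tokenAudience;
      } else if (!clientIDs.contains(tempPayload.getAuthorizedParty())) {
        problem = "Client ID mismatch";
      } else {
        payload = tempPayload;
      }
    }
  } catch (GeneralSecurityException e) {
    problem = "Security issue: " + e.getLocalizedMessage();
  } catch (IOException e) {
    problem = "Network problem: " + e.getLocalizedMessage();
  }
  return payload;
}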
if (googleIdToken.verifySignature(publicKey)) { return true;
/*
 * Parse the token string into its JWS parts and build a GoogleIdToken over them. Parsing does
 * not verify the signature; the anonymous subclass only changes how verify() reports a
 * java.security.SignatureException thrown by the verifier: it is swallowed and reported as
 * false (fail closed) rather than propagated. Every other exception still propagates.
 */
JsonWebSignature jws = JsonWebSignature.parser(mJFactory).setPayloadClass(Payload.class).parse(tokenString);
GoogleIdToken token = new GoogleIdToken(
    jws.getHeader(),
    (Payload) jws.getPayload(),
    jws.getSignatureBytes(),
    jws.getSignedContentBytes()) {
  @Override
  public boolean verify(GoogleIdTokenVerifier verifier) throws GeneralSecurityException, IOException {
    try {
      return verifier.verify(this);
    } catch (java.security.SignatureException ignored) {
      // A signature the verifier cannot even process is treated as "not verified".
      return false;
    }
  }
};
/**
 * Resolves {@code token} to an {@link AuthenticationResponse}, going through
 * {@code subjectCache} so that {@code verifyGoogle} is presumably only run on a cache miss.
 *
 * <p>Flow: parse with {@code tokenParser}; if the local check {@code verifyLocal(payload)}
 * (labelled "validate timeout" in the original) fails, evict the token from the cache and
 * fail; otherwise look the token up in the cache, computing it via {@code verifyGoogle}, and
 * turn the cached subject into a success response, or fail when the record is absent.
 *
 * <p>Error mapping: a {@link SecurityException} whose cause is an {@link IOException} becomes
 * {@code failInvalidRequest(cause)}; any other cause (possibly {@code null}) becomes
 * {@code fail(cause)}; every other exception becomes {@code fail(e)}.
 */
private AuthenticationResponse cachedResponse(String token, Tracer tracer, SpanContext tracingSpan) {
  try {
    final GoogleIdToken parsed = tokenParser.apply(jsonFactory, token);
    final GoogleIdToken.Payload claims = parsed.getPayload();
    if (!verifyLocal(claims)) {
      // Locally invalid (e.g. outside its time window): make sure nothing stays cached for it.
      subjectCache.remove(token);
      return fail(null);
    }
    return subjectCache
        .computeValue(token, () -> verifyGoogle(token, parsed, tracer, tracingSpan))
        .map(CachedRecord::getSubject)
        .map(AuthenticationResponse::success)
        .orElseGet(() -> fail(null));
  } catch (SecurityException securityFailure) {
    final Throwable cause = securityFailure.getCause();
    if (cause instanceof IOException) {
      return failInvalidRequest((IOException) cause);
    }
    return fail(cause);
  } catch (Exception unexpected) {
    return fail(unexpected);
  }
}
/**
 * Parses {@code idTokenString} and verifies the result with {@link #verify(GoogleIdToken)}.
 *
 * @param idTokenString compact-serialized Google ID token
 * @return the parsed token when it verifies, otherwise {@code null} — callers must null-check
 *     the result before reading its payload
 * @throws IOException if the string cannot be parsed (or, presumably, keys cannot be fetched)
 * @throws GeneralSecurityException on a signature-verification error
 * @since 1.9
 */
public GoogleIdToken verify(String idTokenString) throws GeneralSecurityException, IOException {
  final GoogleIdToken parsed = GoogleIdToken.parse(getJsonFactory(), idTokenString);
  if (!verify(parsed)) {
    return null;
  }
  return parsed;
}
/**
 * Verifies a Google ID token against the cached public keys.
 *
 * <p>Two stages: first the payload check inherited from the parent verifier — the issuer must
 * be {@code "accounts.google.com"} or {@code "https://accounts.google.com"}, and the current
 * time is compared with the issued-at and expiration times allowing a 5-minute clock skew —
 * then the RS256 (RSA + SHA-256) signature, tried against every key from {@code publicKeys}
 * (downloaded from the public certificate endpoint) until one verifies it.
 *
 * <p>NOTE(review): nothing in this method compares the {@code aud} or {@code azp} claims;
 * unless an audience was configured on the verifier, callers must check them themselves.
 *
 * @param googleIdToken token to verify
 * @return {@code true} when the payload checks pass and some cached key verifies the signature
 */
public boolean verify(GoogleIdToken googleIdToken) throws GeneralSecurityException, IOException {
  final boolean payloadOk = super.verify(googleIdToken);
  if (!payloadOk) {
    return false;
  }
  boolean signatureOk = false;
  for (PublicKey candidate : publicKeys.getPublicKeys()) {
    if (googleIdToken.verifySignature(candidate)) {
      signatureOk = true;
      break;
    }
  }
  return signatureOk;
}
/**
 * Decodes a compact JWS ID-token string into a {@link GoogleIdToken}.
 *
 * <p>This only parses; the signature is NOT verified here. Pass the result through a
 * {@code GoogleIdTokenVerifier} (e.g. {@code verify(GoogleIdTokenVerifier)}) before trusting
 * anything in the payload.
 *
 * @param jsonFactory JSON factory used to decode header and payload
 * @param idTokenString ID token string
 * @return the parsed, unverified Google ID token
 * @throws IOException if the string cannot be parsed
 */
public static GoogleIdToken parse(JsonFactory jsonFactory, String idTokenString) throws IOException {
  final JsonWebSignature signed =
      JsonWebSignature.parser(jsonFactory).setPayloadClass(Payload.class).parse(idTokenString);
  final Payload claims = (Payload) signed.getPayload();
  return new GoogleIdToken(
      signed.getHeader(), claims, signed.getSignatureBytes(), signed.getSignedContentBytes());
}
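// Build a verifier with the application's transport and JSON factory, then verify the raw
// token string. verify(String) returns null (it does not throw) when the token fails the
// signature/issuer/time checks, so the result must be null-checked before its payload is
// read — the original dereferenced it unconditionally and would NPE on an invalid token.
// NOTE(review): no setAudience(...) is configured on this builder, so the "aud" claim is not
// checked by verify(); either configure the expected client id on the builder or compare
// getAudience() against it before trusting the authorized party read below.
GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(
    Client.getInstance().getHttpTransport(), Client.getInstance().getJsonFactory()).build();
GoogleIdToken token = verifier.verify(stringToken);
if (token == null) {
  throw new SecurityException("Google ID token failed verification");
}
String clientId = token.getPayload().getAuthorizedParty();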
/**
 * {@link Beta} <br/>
 * Decodes the {@link #getIdToken() ID token} of this response with
 * {@link GoogleIdToken#parse(JsonFactory, String)}, using {@link #getFactory() this
 * response's JSON factory}.
 *
 * <p>Parsing is not verification: the returned token's signature has not been checked.
 *
 * @return the parsed (unverified) ID token
 * @throws IOException if the ID token string cannot be parsed
 */
@Beta
public GoogleIdToken parseIdToken() throws IOException {
  final String rawIdToken = getIdToken();
  return GoogleIdToken.parse(getFactory(), rawIdToken);
}
if (googleIdToken.verifySignature(publicKey)) { log.info("verifySignature: success!"); return true;
import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeTokenRequest;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleTokenResponse;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.jackson.JacksonFactory;
// NOTE(review): the two declarations below use `val` syntax, which is not Java; this span looks
// like a mixed Java/Scala paste — confirm which language the enclosing file actually is.
private final val TRANSPORT: HttpTransport = new NetHttpTransport()
private final val JSON_FACTORY: JacksonFactory = new JacksonFactory()
// Exchange the one-time authorization code for tokens. CLIENT_SECRET is used here, so this
// must run server-side; "postmessage" is the redirect URI value passed for this flow.
GoogleTokenResponse tokenResponse = new GoogleAuthorizationCodeTokenRequest(TRANSPORT, JSON_FACTORY, CLIENT_ID, CLIENT_SECRET, code, "postmessage").execute();
// parseIdToken() only decodes the id_token; it does not verify the signature or claims.
// The token was obtained directly from the token endpoint, but nothing here checks it.
GoogleIdToken idToken = tokenResponse.parseIdToken();
// "sub" claim of the (unverified) ID token.
String gplusId = idToken.getPayload().getSubject();
// Claims carried by the ID token; only meaningful once the token has been verified.
GoogleIdToken.Payload payload;
payload = idToken.getPayload();
final String email = googleIdToken.getPayload().getEmail(); if (email == null) { logger.debug("No email in id token");
GoogleIdToken token = GoogleIdToken.parse(mJFactory, tokenString); if (mVerifier.verify(token)) { GoogleIdToken.Payload tempPayload = token.getPayload(); if (!tempPayload.getAudience().equals(mAudience)) mProblem = "Audience mismatch";