/**
 * Creates a builder whose public keys come from a new {@link GooglePublicKeysManager}
 * constructed from the given transport and JSON factory.
 *
 * @param transport HTTP transport
 * @param jsonFactory JSON factory
 */
public Builder(HttpTransport transport, JsonFactory jsonFactory) {
  // Delegates to the constructor that accepts an already-built keys manager.
  this(new GooglePublicKeysManager(transport, jsonFactory));
}
/**
 * Reports when the cached public keys expire, as a millisecond timestamp comparable with
 * {@link Clock#currentTimeMillis()}, or {@code 0} for none.
 *
 * <p>
 * The value is read from the underlying {@code publicKeys} manager on every call.
 * </p>
 *
 * @return expiration time in milliseconds, or {@code 0} for none
 * @deprecated (scheduled to be removed in 1.18) Use {@link #getPublicKeysManager()} and
 *             {@link GooglePublicKeysManager#getExpirationTimeMilliseconds()} instead.
 */
@Deprecated
public final long getExpirationTimeMilliseconds() {
  final long expiresAtMillis = publicKeys.getExpirationTimeMilliseconds();
  return expiresAtMillis;
}
/**
 * Returns the JSON factory held by the underlying {@code publicKeys} manager.
 *
 * @return the JSON factory
 */
public final JsonFactory getJsonFactory() {
  final JsonFactory factory = publicKeys.getJsonFactory();
  return factory;
}
/**
 * Returns the public keys used for signature verification, as supplied by the underlying
 * {@code publicKeys} manager.
 *
 * <p>
 * Upgrade warning: in prior version 1.16 it may return {@code null} and not throw any exceptions,
 * but starting with version 1.17 it cannot return {@code null} and may throw
 * {@link GeneralSecurityException} or {@link IOException}.
 * </p>
 *
 * @return the public keys
 * @throws GeneralSecurityException propagated from the keys manager
 * @throws IOException propagated from the keys manager
 * @deprecated (scheduled to be removed in 1.18) Use {@link #getPublicKeysManager()} and
 *             {@link GooglePublicKeysManager#getPublicKeys()} instead.
 */
@Deprecated
public final List<PublicKey> getPublicKeys() throws GeneralSecurityException, IOException {
  // Exceptions are not caught here, so a failure in the manager reaches the caller
  // instead of being turned into an empty or null key list.
  final List<PublicKey> keys = publicKeys.getPublicKeys();
  return keys;
}
/**
 * Returns the encoded URL of the public certificates endpoint, as configured on the underlying
 * {@code publicKeys} manager.
 *
 * @return the public certificates encoded URL
 * @since 1.15
 * @deprecated (scheduled to be removed in 1.18) Use {@link #getPublicCerts()} and
 *             {@link GooglePublicKeysManager#getPublicCertsEncodedUrl()} instead.
 */
@Deprecated
public final String getPublicCertsEncodedUrl() {
  // NOTE(review): the deprecation text names getPublicCerts(); sibling accessors point to
  // getPublicKeysManager() -- confirm which replacement is intended.
  final String certsUrl = publicKeys.getPublicCertsEncodedUrl();
  return certsUrl;
}
/**
 * Returns the HTTP transport held by the underlying {@code publicKeys} manager.
 *
 * @return the HTTP transport
 * @since 1.14
 */
public final HttpTransport getTransport() {
  final HttpTransport httpTransport = publicKeys.getTransport();
  return httpTransport;
}
/**
 * Downloads the public keys from the public certificates endpoint at
 * {@link #getPublicCertsEncodedUrl}.
 *
 * <p>
 * This method is automatically called if the public keys have not yet been initialized or if the
 * expiration time is very close, so normally this doesn't need to be called. Only call this
 * method explicitly to force the public keys to be updated.
 * </p>
 *
 * <p>
 * The work is delegated to {@code publicKeys.refresh()}; any exception it throws propagates to
 * the caller unchanged.
 * </p>
 *
 * @return this verifier, to allow call chaining
 * @throws GeneralSecurityException propagated from the refresh
 * @throws IOException propagated from the refresh
 * @deprecated (scheduled to be removed in 1.18) Use {@link #getPublicKeysManager()} and
 *             {@link GooglePublicKeysManager#refresh()} instead.
 */
@Deprecated
public GoogleIdTokenVerifier loadPublicCerts() throws GeneralSecurityException, IOException {
  // Forces a refresh on the keys manager regardless of the current expiration time.
  publicKeys.refresh();
  return this;
}
/**
 * Sets the public certificates encoded URL by replacing the keys manager with a new one.
 *
 * <p>
 * The default value is {@link GoogleOAuthConstants#DEFAULT_PUBLIC_CERTS_ENCODED_URL}.
 * </p>
 *
 * <p>
 * The replacement manager is built from the current transport and JSON factory, the given URL
 * and the clock of the manager being replaced.
 * </p>
 *
 * <p>
 * Security note: this URL is the endpoint the verification keys are downloaded from, so it
 * decides which keys are trusted for signature checks. No validation of the value is visible in
 * this method; supply it only from trusted configuration.
 * </p>
 *
 * <p>
 * Overriding is only supported for the purpose of calling the super implementation and changing
 * the return type, but nothing else.
 * </p>
 *
 * @param publicKeysEncodedUrl encoded URL of the public certificates endpoint
 * @return this builder
 * @since 1.15
 * @deprecated (scheduled to be removed in 1.18) Use
 *             {@link GooglePublicKeysManager.Builder#setPublicCertsEncodedUrl(String)} instead.
 */
@Deprecated
public Builder setPublicCertsEncodedUrl(String publicKeysEncodedUrl) {
  // TODO(yanivi): make publicKeys field final when this method is removed
  GooglePublicKeysManager.Builder managerBuilder =
      new GooglePublicKeysManager.Builder(getTransport(), getJsonFactory());
  // The clock is read from the manager being replaced, before the field is reassigned.
  publicKeys = managerBuilder
      .setPublicCertsEncodedUrl(publicKeysEncodedUrl)
      .setClock(publicKeys.getClock())
      .build();
  return this;
}
.buildGetRequest(new GenericUrl(publicCertsEncodedUrl)).execute(); expirationTimeMilliseconds = clock.currentTimeMillis() + getCacheTimeInSec(certsResponse.getHeaders()) * 1000;
/**
 * Verifies the cryptographic signature on the FirebaseToken. Can block on a web request to fetch
 * the keys if they have expired.
 *
 * <p>
 * Each key returned by {@code publicKeysManager.getPublicKeys()} is tried in turn and the search
 * stops at the first key that verifies. Only the signature is checked here; this method performs
 * no validation of the token's claims.
 * </p>
 *
 * @param token token whose signature is checked
 * @return {@code true} if any key verifies the signature, {@code false} if none does (including
 *         when the key list is empty)
 * @throws GeneralSecurityException propagated from key retrieval or signature verification
 * @throws IOException propagated from key retrieval
 */
private boolean verifySignature(IdToken token) throws GeneralSecurityException, IOException {
  boolean matched = false;
  for (PublicKey candidate : publicKeysManager.getPublicKeys()) {
    if (token.verifySignature(candidate)) {
      matched = true;
      break;
    }
  }
  return matched;
}
/**
 * Returns the encoded URL of the public certificates endpoint, as configured on the underlying
 * {@code publicKeys} manager.
 *
 * @return the public certificates encoded URL
 * @since 1.15
 * @deprecated (scheduled to be removed in 1.18) Use {@link #getPublicKeysManager()} and
 *             {@link GooglePublicKeysManager#getPublicCertsEncodedUrl()} instead.
 */
@Deprecated
public final String getPublicCertsEncodedUrl() {
  final String certsUrl = publicKeys.getPublicCertsEncodedUrl();
  return certsUrl;
}
/**
 * Returns the HTTP transport held by the underlying {@code publicKeys} manager.
 *
 * @return the HTTP transport
 */
public final HttpTransport getTransport() {
  final HttpTransport httpTransport = publicKeys.getTransport();
  return httpTransport;
}
/**
 * Returns an unmodifiable view of the public keys.
 *
 * <p>
 * For efficiency, an in-memory cache of the public keys is used here. If this method is called
 * for the first time, or the certificates have expired since last time it has been called (or are
 * within 5 minutes of expiring), {@link #refresh()} will be called before returning the value.
 * </p>
 *
 * <p>
 * The staleness check, the refresh and the read of the cached list all happen while {@code lock}
 * is held. An exception thrown by {@link #refresh()} propagates to the caller, so previously
 * cached keys are not returned when a needed refresh fails.
 * </p>
 *
 * @return the cached public keys
 * @throws GeneralSecurityException propagated from {@link #refresh()}
 * @throws IOException propagated from {@link #refresh()}
 */
public final List<PublicKey> getPublicKeys() throws GeneralSecurityException, IOException {
  lock.lock();
  try {
    final boolean neverLoaded = publicKeys == null;
    // Refresh early: the skew is added to "now" so keys close to expiry count as stale.
    if (neverLoaded
        || clock.currentTimeMillis() + REFRESH_SKEW_MILLIS > expirationTimeMilliseconds) {
      refresh();
    }
    return publicKeys;
  } finally {
    // Always release, including when refresh() throws.
    lock.unlock();
  }
}
/**
 * Verifies that the given ID token is valid using the cached public keys.
 *
 * It verifies:
 *
 * <ul>
 * <li>The RS256 signature, which uses RSA and SHA-256 based on the public keys downloaded from
 * the public certificate endpoint.</li>
 * <li>The current time against the issued at and expiration time (allowing for a 5 minute clock
 * skew).</li>
 * <li>The issuer is {@code "accounts.google.com"} or {@code "https://accounts.google.com"}.</li>
 * </ul>
 *
 * <p>
 * The payload checks are delegated to {@code super.verify} and run first; the public keys are
 * only requested when those checks pass. A token is accepted as soon as one key verifies its
 * signature.
 * </p>
 *
 * @param googleIdToken Google ID token
 * @return {@code true} if verified successfully or {@code false} if failed
 * @throws GeneralSecurityException propagated from key retrieval or signature verification
 * @throws IOException propagated from key retrieval
 */
public boolean verify(GoogleIdToken googleIdToken) throws GeneralSecurityException, IOException {
  // NOTE(review): no audience (aud) comparison is visible in this method; confirm that
  // super.verify enforces the expected audience for this application.
  if (super.verify(googleIdToken)) {
    // Payload accepted: try every known public key against the signature.
    for (PublicKey candidate : publicKeys.getPublicKeys()) {
      if (googleIdToken.verifySignature(candidate)) {
        return true;
      }
    }
  }
  // Either the payload check failed or no key matched the signature.
  return false;
}
/**
 * Builds a new instance of {@link GooglePublicKeysManager} from this builder.
 *
 * @return a new manager constructed with this builder as its argument
 */
public GooglePublicKeysManager build() {
  final GooglePublicKeysManager manager = new GooglePublicKeysManager(this);
  return manager;
}
/**
 * Returns the JSON factory held by the underlying {@code publicKeys} manager.
 *
 * @return the JSON factory
 */
public final JsonFactory getJsonFactory() {
  final JsonFactory factory = publicKeys.getJsonFactory();
  return factory;
}