feat: add TokenVerifier class that can verify RS256/ES256 tokens (#420)

* feat: add TokenVerifier class that can verify RS256/ES256 tokens * test: inject HttpTransportFactory for testing * test: inject HttpTransportFactory for testing * fix: use google-http-client for actual signature verification * chore: lint * test: split test into unit and integration Unit tests mock out the http request activity. Integration tests hit the live urls. * chore: lint * fix: return the JsonWebSignature instance on verify * test: remove IT test as the signature keys can/will change over time * docs: add javadoc for TokenVerifier * docs: add guide for verifying tokens in the README * chore: remove auto-value config changes * chore: tense, lower-case first word, no period * chore: run formatter * chore: more javadoc fixes * chore: remove line from README example * sample: add snippet showing check for additional claim * fix: remove default constructor - users should always use builder
googleapis · Jun 24, 2020 · 5014ac7 · 5014ac7
1 parent 0d55c37
commit 5014ac7
Show file tree

Hide file tree

Showing 7 changed files with 795 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -243,6 +243,55 @@ Bigquery bq = new Bigquery.Builder(HTTP_TRANSPORT, JSON_FACTORY, requestInitiali
     .build();
 ```
 
+## Verifying JWT Tokens (Beta)
+
+To verify a JWT token, use the [`TokenVerifier`][token-verifier] class.
+
+### Verifying a Signature
+
+To verify a signature, use the default [`TokenVerifier`][token-verifier]:
+
+```java
+import com.google.api.client.json.webtoken.JsonWebSignature;
+import com.google.auth.oauth2.TokenVerifier;
+
+TokenVerifier tokenVerifier = TokenVerifier.newBuilder().build();
+try {
+  JsonWebSignature jsonWebSignature = tokenVerifier.verify(tokenString);
+  // optionally verify additional claims
+  if (!"expected-value".equals(jsonWebSignature.getPayload().get("additional-claim"))) {
+    // handle custom verification error
+  }
+} catch (TokenVerifier.VerificationException e) {
+  // invalid token
+}
+```
+
+### Customizing the TokenVerifier
+
+To customize a [`TokenVerifier`][token-verifier], instantiate it via its builder:
+
+```java
+import com.google.api.client.json.webtoken.JsonWebSignature;
+import com.google.auth.oauth2.TokenVerifier;
+
+TokenVerifier tokenVerifier = TokenVerifier.newBuilder()
+  .setAudience("audience-to-verify")
+  .setIssuer("issuer-to-verify")
+  .build();
+try {
+  JsonWebSignature jsonWebSignature = tokenVerifier.verify(tokenString);
+  // optionally verify additional claims
+  if (!"expected-value".equals(jsonWebSignature.getPayload().get("additional-claim"))) {
+    // handle custom verification error
+  }
+} catch (TokenVerifier.VerificationException e) {
+  // invalid token
+}
+```
+
+For more options, see the [`TokenVerifier.Builder`][token-verifier-builder] documentation.
+
 ## CI Status
 
 Java Version | Status
@@ -283,5 +332,7 @@ BSD 3-Clause - See [LICENSE](LICENSE) for more information.
 [apiary-clients]: https://search.maven.org/search?q=g:com.google.apis
 [http-credentials-adapter]: https://googleapis.dev/java/google-auth-library/latest/index.html?com/google/auth/http/HttpCredentialsAdapter.html
 [http-request-initializer]: https://googleapis.dev/java/google-http-client/latest/index.html?com/google/api/client/http/HttpRequestInitializer.html
+[token-verifier]: https://googleapis.dev/java/google-auth-library/latest/index.html?com/google/auth/oauth2/TokenVerifier.html
+[token-verifier-builder]: https://googleapis.dev/java/google-auth-library/latest/index.html?com/google/auth/oauth2/TokenVerifier.Builder.html
 [http-transport-factory]: https://googleapis.dev/java/google-auth-library/latest/index.html?com/google/auth/http/HttpTransportFactory.html
 [google-credentials]: https://googleapis.dev/java/google-auth-library/latest/index.html?com/google/auth/oauth2/GoogleCredentials.html