Use #parse(JsonFactory, String) to parse an ID token from a string. Then, use the
verify methods to verify the ID token as required by the specification.
Call #verify(IdToken) to verify an ID token. This is a light-weight object, so you may
use a new instance for each configuration of expected issuer and trusted client IDs. Sample
usage:
IdTokenVerifier verifier = new IdTokenVerifier.Builder()
.setIssuer("issuer.example.com")
.setAudience(Arrays.asList("myClientId"))
.build();
...
if (!verifier.verify(idToken)) {...}
The verifier validates token signature per current OpenID Connect Spec:
https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation By default, method gets a
certificate from well-known location A request to certificate location is performed using com.google.api.client.http.javanet.NetHttpTransport Either or both certificate location and
transport implementation can be overridden via Builder
IdTokenVerifier verifier = new IdTokenVerifier.Builder()
.setIssuer("issuer.example.com")
.setAudience(Arrays.asList("myClientId"))
.setHttpTransportFactory(customHttpTransportFactory)
.build();
...
if (!verifier.verify(idToken)) {...}
not recommended: this check can be disabled with OAUTH_CLIENT_SKIP_SIGNATURE environment variable
set to true. Use #verifyPayload(IdToken) instead.
Note that #verify(IdToken) only implements a subset of the verification steps, mostly
just the MUST steps. Please read ID Token
Validation for the full list of verification steps.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[],[],null,["# Package com.google.api.client.auth.openidconnect (1.39.0)\n\nVersion latestkeyboard_arrow_down\n\n- [1.39.0 (latest)](/java/docs/reference/google-oauth-client/latest/com.google.api.client.auth.openidconnect)\n- [1.38.2](/java/docs/reference/google-oauth-client/1.38.2/com.google.api.client.auth.openidconnect)\n- [1.37.0](/java/docs/reference/google-oauth-client/1.37.0/com.google.api.client.auth.openidconnect)\n- [1.36.0](/java/docs/reference/google-oauth-client/1.36.0/com.google.api.client.auth.openidconnect)\n- [1.34.1](/java/docs/reference/google-oauth-client/1.34.1/com.google.api.client.auth.openidconnect)\n- [1.33.3](/java/docs/reference/google-oauth-client/1.33.3/com.google.api.client.auth.openidconnect)\n- [1.32.1](/java/docs/reference/google-oauth-client/1.32.1/com.google.api.client.auth.openidconnect) \n[com.google.api.client.util.Beta](https://cloud.google.com/java/docs/reference/google-http-client/latest/com.google.api.client.util.Beta.html) \n\n[OpenID Connect](http://openid.net/connect/).\n\nClasses\n-------\n\n### [IdToken](/java/docs/reference/google-oauth-client/latest/com.google.api.client.auth.openidconnect.IdToken)\n\nBeta \n\nID token as described in [ID Token](http://openid.net/specs/openid-connect-basic-1_0-27.html#id_token).\n\nUse [#parse(JsonFactory, String)](/java/docs/reference/google-oauth-client/latest/com.google.api.client.auth.openidconnect.IdToken#com_google_api_client_auth_openidconnect_IdToken_parse_com_google_api_client_json_JsonFactory_java_lang_String_) to parse an ID token from a string. Then, use the\n`verify` methods to verify the ID token as required by the specification.\n\nImplementation is not thread-safe.\n\n### [IdToken.Payload](/java/docs/reference/google-oauth-client/latest/com.google.api.client.auth.openidconnect.IdToken.Payload)\n\nBeta \n\nID token payload.\n\n### [IdTokenResponse](/java/docs/reference/google-oauth-client/latest/com.google.api.client.auth.openidconnect.IdTokenResponse)\n\nBeta \n\nOAuth ID Connect JSON model for a successful access token response as specified in [OpenID Connect Basic Client\nProfile 1.0 (draft 23)](http://openid.net/specs/openid-connect-basic-1_0-23.html).\n\nImplementation is not thread-safe. Sample usage: \n\n\n static JsonWebSignature executeIdToken(TokenRequest tokenRequest) throws IOException {\n IdTokenResponse idTokenResponse = IdTokenResponse.execute(tokenRequest);\n return idTokenResponse.parseIdToken();\n }\n \n### [IdTokenVerifier](/java/docs/reference/google-oauth-client/latest/com.google.api.client.auth.openidconnect.IdTokenVerifier)\n\nThread-safe ID token verifier based on [ID Token\nValidation](http://openid.net/specs/openid-connect-basic-1_0-27.html#id.token.validation).\n\nCall [#verify(IdToken)](/java/docs/reference/google-oauth-client/latest/com.google.api.client.auth.openidconnect.IdTokenVerifier#com_google_api_client_auth_openidconnect_IdTokenVerifier_verify_com_google_api_client_auth_openidconnect_IdToken_) to verify an ID token. This is a light-weight object, so you may\nuse a new instance for each configuration of expected issuer and trusted client IDs. Sample\nusage:\n\nIdTokenVerifier verifier = new IdTokenVerifier.Builder()\n.setIssuer(\"issuer.example.com\")\n.setAudience(Arrays.asList(\"myClientId\"))\n.build();\n...\nif (!verifier.verify(idToken)) {...}\n\nThe verifier validates token signature per current OpenID Connect Spec:\n\u003chttps://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation\u003e By default, method gets a\ncertificate from well-known location A request to certificate location is performed using com.google.api.client.http.javanet.NetHttpTransport Either or both certificate location and\ntransport implementation can be overridden via Builder\n\nIdTokenVerifier verifier = new IdTokenVerifier.Builder()\n.setIssuer(\"issuer.example.com\")\n.setAudience(Arrays.asList(\"myClientId\"))\n.setHttpTransportFactory(customHttpTransportFactory)\n.build();\n...\nif (!verifier.verify(idToken)) {...}\n\nnot recommended: this check can be disabled with OAUTH_CLIENT_SKIP_SIGNATURE environment variable\nset to true. Use [#verifyPayload(IdToken)](/java/docs/reference/google-oauth-client/latest/com.google.api.client.auth.openidconnect.IdTokenVerifier#com_google_api_client_auth_openidconnect_IdTokenVerifier_verifyPayload_com_google_api_client_auth_openidconnect_IdToken_) instead.\n\nNote that [#verify(IdToken)](/java/docs/reference/google-oauth-client/latest/com.google.api.client.auth.openidconnect.IdTokenVerifier#com_google_api_client_auth_openidconnect_IdTokenVerifier_verify_com_google_api_client_auth_openidconnect_IdToken_) only implements a subset of the verification steps, mostly\njust the MUST steps. Please read [ID Token\nValidation](http://openid.net/specs/openid-connect-basic-1_0-27.html#id.token.validation) for the full list of verification steps.\n\n### [IdTokenVerifier.Builder](/java/docs/reference/google-oauth-client/latest/com.google.api.client.auth.openidconnect.IdTokenVerifier.Builder)\n\nBuilder for [IdTokenVerifier](/java/docs/reference/google-oauth-client/latest/com.google.api.client.auth.openidconnect.IdTokenVerifier).\n\nImplementation is not thread-safe.\n\nInterfaces\n----------\n\n### [HttpTransportFactory](/java/docs/reference/google-oauth-client/latest/com.google.api.client.auth.openidconnect.HttpTransportFactory)\n\nA base interface for all HttpTransport factories.\n\nImplementation must provide a public no-arg constructor. Loading of a factory implementation\nis done via java.util.ServiceLoader."]]
