googleauth - Module Google::Auth::IDTokens (v1.15.1)
Reference documentation and code samples for the googleauth module Google::Auth::IDTokens.
Verifying Google ID tokens
This module verifies ID tokens issued by Google. This can be used to authenticate signed-in users using OpenID Connect. See https://developers.google.com/identity/sign-in/web/backend-auth for more information.
Basic usage
To verify an ID token issued by Google accounts:
    payload = Google::Auth::IDTokens.verify_oidc the_token, aud: "my-app-client-id"
If verification succeeds, you will receive the token's payload as a hash. If verification fails, an exception (normally a subclass of VerificationError) will be raised.
To verify an ID token issued by the Google identity-aware proxy (IAP):
    payload = Google::Auth::IDTokens.verify_iap the_token, aud: "my-app-client-id"
These methods will automatically download and cache the Google public keys necessary to verify these tokens. They will also automatically verify the issuer (iss) field for their respective types of ID tokens.
Advanced usage
If you want to provide your own public keys, either by pointing at a custom URI or by providing the key data directly, use the Verifier class and pass in a key source.
To point to a custom URI that returns a JWK set:
    source = Google::Auth::IDTokens::JwkHttpKeySource.new "https://example.com/jwk"
    verifier = Google::Auth::IDTokens::Verifier.new key_source: source
    payload = verifier.verify the_token, aud: "my-app-client-id"
To provide key data directly:
    jwk_data = {
      keys: [
        {
          alg: "ES256",
          crv: "P-256",
          kid: "LYyP2g",
          kty: "EC",
          use: "sig",
          x: "SlXFFkJ3JxMsXyXNrqzE3ozl_0913PmNbccLLWfeQFU",
          y: "GLSahrZfBErmMUcHP0MGaeVnJdBwquhrhQ8eP05NfCI"
        }
      ]
    }
    source = Google::Auth::IDTokens::StaticKeySource.from_jwk_set jwk_data
    verifier = Google::Auth::IDTokens::Verifier.new key_source: source
    payload = verifier.verify the_token, aud: "my-app-client-id"
Methods
.iap_key_source
    def self.iap_key_source() -> Google::Auth::IDTokens::JwkHttpKeySource
The key source providing public keys that can be used to verify ID tokens issued by Google IAP.
.oidc_key_source
    def self.oidc_key_source() -> Google::Auth::IDTokens::JwkHttpKeySource
The key source providing public keys that can be used to verify ID tokens issued by Google OIDC.
.verify_iap
    def self.verify_iap(token, aud: nil, azp: nil, iss: IAP_ISSUERS) -> Hash
A convenience method that verifies a token allegedly issued by Google IAP.
- token (String) — The ID token to verify
- aud (String, Array<String>, nil) (defaults to: nil) — The expected audience. At least one aud field in the token must match at least one of the provided audiences, or the verification will fail with Google::Auth::IDTokens::AudienceMismatchError. If nil (the default), no audience checking is performed.
- azp (String, Array<String>, nil) (defaults to: nil) — The expected authorized party (azp). At least one azp field in the token must match at least one of the provided values, or the verification will fail with Google::Auth::IDTokens::AuthorizedPartyMismatchError. If nil (the default), no azp checking is performed.
- iss (String, Array<String>, nil) (defaults to: IAP_ISSUERS) — The expected issuer. At least one iss field in the token must match at least one of the provided issuers, or the verification will fail with Google::Auth::IDTokens::IssuerMismatchError. If nil, no issuer checking is performed. Default is to check against IAP_ISSUERS.
- (Hash) — The decoded token payload.
- (Google::Auth::IDTokens::KeySourceError) — if the key source failed to obtain public keys
- (Google::Auth::IDTokens::VerificationError) — if the token verification failed. Additional data may be available in the error subclass and message.
.verify_oidc
    def self.verify_oidc(token, aud: nil, azp: nil, iss: OIDC_ISSUERS) -> Hash
A convenience method that verifies a token allegedly issued by Google OIDC.
- token (String) — The ID token to verify
- aud (String, Array<String>, nil) (defaults to: nil) — The expected audience. At least one aud field in the token must match at least one of the provided audiences, or the verification will fail with Google::Auth::IDTokens::AudienceMismatchError. If nil (the default), no audience checking is performed.
- azp (String, Array<String>, nil) (defaults to: nil) — The expected authorized party (azp). At least one azp field in the token must match at least one of the provided values, or the verification will fail with Google::Auth::IDTokens::AuthorizedPartyMismatchError. If nil (the default), no azp checking is performed.
- iss (String, Array<String>, nil) (defaults to: OIDC_ISSUERS) — The expected issuer. At least one iss field in the token must match at least one of the provided issuers, or the verification will fail with Google::Auth::IDTokens::IssuerMismatchError. If nil, no issuer checking is performed. Default is to check against OIDC_ISSUERS.
- (Hash) — The decoded token payload.
- (Google::Auth::IDTokens::KeySourceError) — if the key source failed to obtain public keys
- (Google::Auth::IDTokens::VerificationError) — if the token verification failed. Additional data may be available in the error subclass and message.
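The matching rule documented for the aud, azp and iss parameters, modelled on an already-decoded payload as an added example (not googleauth's own code). check_claims, check_claims_strict, accepted?, ClaimMismatch and the sample payload are hypothetical names; the model shows that leaving aud at its nil default accepts a token issued for a different client ID, and how a wrapper can make the audience mandatory.

```ruby
# Added model of the documented aud/azp/iss matching rule, applied to an
# already-decoded payload. No signature check happens here.

# Issuer list copied from the Constants section of this page.
OIDC_ISSUERS = ["accounts.google.com", "https://accounts.google.com"].freeze

# Hypothetical stand-in for the library's *MismatchError classes.
class ClaimMismatch < StandardError; end

# A nil expectation skips the check; otherwise at least one value of the
# claim must equal at least one expected value.
def claim_ok?(actual, expected)
  return true if expected.nil?
  (Array(actual) & Array(expected)).any?
end

# Runs the three checks with the same defaults as verify_oidc.
def check_claims(payload, aud: nil, azp: nil, iss: OIDC_ISSUERS)
  { "aud" => aud, "azp" => azp, "iss" => iss }.each do |name, expected|
    next if claim_ok?(payload[name], expected)
    raise ClaimMismatch, "#{name} mismatch: got #{payload[name].inspect}"
  end
  payload
end

# Fail-closed wrapper: an expected audience is mandatory.
def check_claims_strict(payload, aud:, azp: nil)
  raise ArgumentError, "expected audience is required" if Array(aud).empty?
  check_claims(payload, aud: aud, azp: azp)
end

# Boolean helper so callers can branch on the outcome.
def accepted?(payload, aud: nil, azp: nil, iss: OIDC_ISSUERS)
  check_claims(payload, aud: aud, azp: azp, iss: iss)
  true
rescue ClaimMismatch
  false
end

# Constructed payload: issued by Google, but for a different client ID.
OTHER_APP_PAYLOAD = {
  "iss" => "https://accounts.google.com",
  "aud" => "other-app-client-id",
  "azp" => "other-app-client-id",
  "sub" => "constructed-subject"
}.freeze
```

With the real library the same policy means always passing aud: to verify_oidc or verify_iap, since a nil audience disables that check.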
Constants
OIDC_ISSUERS
value: ["accounts.google.com", "https://accounts.google.com"].freeze
A list of issuers expected for Google OIDC-issued tokens.
IAP_ISSUERS
value: ["https://cloud.google.com/iap"].freeze
A list of issuers expected for Google IAP-issued tokens.
OAUTH2_V3_CERTS_URL
value: "https://www.googleapis.com/oauth2/v3/certs"
The URL for Google OAuth2 V3 public certs
IAP_JWK_URL
value: "https://www.gstatic.com/iap/verify/public_key-jwk"
The URL for Google IAP public keys
Last updated 2025-10-30 UTC.