fix: deprecating the IdTokenVerifier.verify, adding verifyOrThrow as an alternative

google-oauth-client/src/main/java/com/google/api/client/auth/openidconnect/IdTokenVerifier.java

@@ -25,7 +25,6 @@
 import com.google.api.client.json.gson.GsonFactory;
 import com.google.api.client.json.webtoken.JsonWebSignature.Header;
 import com.google.api.client.util.Base64;
-import com.google.api.client.util.Beta;
 import com.google.api.client.util.Clock;
 import com.google.api.client.util.ExponentialBackOff;
 import com.google.api.client.util.Key;
@@ -66,7 +65,6 @@
 import java.util.logging.Logger;
 
 /**
- * {@link Beta} <br>
  * Thread-safe ID token verifier based on <a
  * href="http://openid.net/specs/openid-connect-basic-1_0-27.html#id.token.validation">ID Token
  * Validation</a>.
@@ -110,7 +108,6 @@
  *
  * @since 1.16
  */
-@Beta
 public class IdTokenVerifier {
   private static final Logger LOGGER = Logger.getLogger(IdTokenVerifier.class.getName());
   private static final String IAP_CERT_URL = "https://www.gstatic.com/iap/verify/public_key-jwk";
@@ -230,14 +227,52 @@ public final Collection<String> getAudience() {
    *       variable set to true.
    * </ul>
    *
-   * <p>Overriding is allowed, but it must call the super implementation.
+   * Deprecated, because returns a false-negatives in case of an error while getting public keys for
+   * signature verification. Use {@link IdTokenVerifier.verfyOrThrow(IdToken)} instead.
    *
    * @param idToken ID token
    * @return {@code true} if verified successfully or {@code false} if failed
+   */
+  @Deprecated
+  public boolean verify(IdToken idToken) {
+    try {
+      return verifyOrThrow(idToken);
+    } catch (IOException ex) {
+      LOGGER.log(Level.SEVERE, ex.getMessage(), ex);
+      return false;
+    }
+  }
+
+  /**
+   * Verifies that the given ID token is valid using the cached public keys.
+   *
+   * <p>It verifies:
+   *
+   * <ul>
+   *   <li>The issuer is one of {@link #getIssuers()} by calling {@link
+   *       IdToken#verifyIssuer(String)}.
+   *   <li>The audience is one of {@link #getAudience()} by calling {@link
+   *       IdToken#verifyAudience(Collection)}.
+   *   <li>The current time against the issued at and expiration time, using the {@link #getClock()}
+   *       and allowing for a time skew specified in {@link #getAcceptableTimeSkewSeconds()} , by
+   *       calling {@link IdToken#verifyTime(long, long)}.
+   *   <li>This method verifies token signature per current OpenID Connect Spec:
+   *       https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation. By default,
+   *       method gets a certificate from well-known location. A request to certificate location is
+   *       performed using {@link com.google.api.client.http.javanet.NetHttpTransport} Both
+   *       certificate location and transport implementation can be overridden via {@link Builder}
+   *       not recommended: this check can be disabled with OAUTH_CLIENT_SKIP_SIGNATURE environment
+   *       variable set to true.
+   * </ul>
+   *
+   * <p>Overriding is allowed, but it must call the super implementation.
+   *
+   * @param idToken ID token
+   * @return {@code true} if verified successfully or {@code false} if payload validation failed
    * @throws IOException if verification fails to run. For example, if it fails to get public keys
-   *     for signature validation.
+   *     for signature verification.
    */
-  public boolean verify(IdToken idToken) throws IOException {
+  public boolean verifyOrThrow(IdToken idToken) throws IOException {
     boolean payloadValid = verifyPayload(idToken);
 
     if (!payloadValid) {
@@ -331,14 +366,12 @@ private String getCertificateLocation(Header header) throws VerificationExceptio
   }
 
   /**
-   * {@link Beta} <br>
    * Builder for {@link IdTokenVerifier}.
    *
    * <p>Implementation is not thread-safe.
    *
    * @since 1.16
    */
-  @Beta
   public static class Builder {
 
     /** Clock. */