From 003ca44b4d41a73053eef2c46ba3ec2c8f135e95 Mon Sep 17 00:00:00 2001
From: Timur Sadykov
Date: Thu, 2 Jun 2022 14:16:08 -0700
Subject: [PATCH] fix: use verifyPayload instead of verify to disable duplicate signature check (#2080)

---
 .../client/googleapis/auth/oauth2/GoogleIdTokenVerifier.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleIdTokenVerifier.java b/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleIdTokenVerifier.java
index 7592d075c..6425875d1 100644
--- a/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleIdTokenVerifier.java
+++ b/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleIdTokenVerifier.java
@@ -161,10 +161,11 @@ public final long getExpirationTimeMilliseconds() {
 * @return {@code true} if verified successfully or {@code false} if failed
 */
 public boolean verify(GoogleIdToken googleIdToken) throws GeneralSecurityException, IOException {
- // check the payload
- if (!super.verify(googleIdToken)) {
+ // check the payload only
+ if (!super.verifyPayload(googleIdToken)) {
 return false;
 }
+
 // verify signature, try all public keys in turn.
 for (PublicKey publicKey : publicKeys.getPublicKeys()) {
 if (googleIdToken.verifySignature(publicKey)) {
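Review bot: The new comment `// check the payload only` does not say why the signature is skipped at this point, and once `super.verify` is replaced by `verifyPayload` the key loop that follows appears to be the only signature check on this path. I would make that explicit, e.g. `// payload checks only, no signature here; the signature is verified against the public keys in the loop below`, so a later cleanup does not drop or short-circuit the loop as redundant. The diffstat lists a single changed file, so no test accompanies the change; a case asserting that a token with a valid payload but a signature matching none of the keys makes `verify` return false would pin the intended behavior. The body of `verify` runs past the end of the hunk, so the return after the loop is not visible here.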