utilizing google cloud service account
group 'internal.example'
version '1.0-SNAPSHOT'
apply plugin: 'java'
sourceCompatibility = 1.8
repositories {
// All artifacts come from Maven Central; no custom or insecure (http://) repositories.
mavenCentral()
}
dependencies {
// Google HTTP/OAuth/API client stack used by PreparetoMakeAuthorizedApiCall (JWT signing,
// GoogleIdToken parsing and GoogleIdTokenVerifier). The three are kept on the same version.
compile group: 'com.google.http-client', name: 'google-http-client-jackson2', version: '1.22.0'
compile group: 'com.google.oauth-client', name: 'google-oauth-client', version: '1.22.0'
compile group: 'com.google.api-client', name: 'google-api-client-appengine', version: '1.22.0'
// NOTE(review): log4j 1.x is end-of-life and no longer receives security fixes; the
// slf4j-log4j12 binding below ties the build to it. Consider a maintained backend.
compile group: 'log4j', name: 'log4j', version: '1.2.16'
compile group: 'org.slf4j', name: 'slf4j-log4j12', version: '1.7.7'
// NOTE(review): the 'compile' configuration is deprecated in later Gradle releases;
// 'implementation' is the usual replacement when the build is upgraded.
testCompile group: 'junit', name: 'junit', version: '4.12'
}
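# Usage: <script> <signed-jwt-assertion>
# Exchanges a service-account JWT assertion for an access token, then asks the
# tokeninfo endpoint what Google makes of the same string.
# Fail early with a usage message instead of sending an empty assertion.
id_token_string="${1:?usage: $0 <signed-jwt-assertion>}"
# ref. https://developers.google.com/identity/protocols/OAuth2ServiceAccount#authorizingrequests
# grant_type is pre-encoded (urn:ietf:params:oauth:grant-type:jwt-bearer); the assertion is
# base64url and needs no further encoding. It is a bearer credential, so it travels in the
# POST body rather than in the URL.
curl -d "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=${id_token_string}" \
  https://www.googleapis.com/oauth2/v4/token
# ref. http://stackoverflow.com/questions/30780407/google-oauth2-jwt-token-verification-exception
# Quoted so the shell neither glob-expands '?' nor splits the URL. Note the token is part of
# the request line here, so it can be recorded by proxy or server access logs.
curl "https://www.googleapis.com/oauth2/v2/tokeninfo?id_token=${id_token_string}"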
package internal.example.google.auth;
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.client.json.webtoken.JsonWebSignature;
import com.google.api.client.util.Clock;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.util.Arrays;
import java.util.Collection;
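/**
 * Demo of minting a service-account JWT assertion and inspecting it.
 *
 * <p>Flow: load the service-account key file, sign a JWT with its private key, check the
 * time and issuer claims locally (no signature check), then run the same string through
 * {@link GoogleIdTokenVerifier}. Nothing here is thread-safe; it is a one-shot command-line
 * demo.
 */
public class PreparetoMakeAuthorizedApiCall {

    /**
     * Entry point.
     *
     * @param args unused
     * @throws Exception if the key file cannot be read or the assertion cannot be signed
     */
    public static void main(String[] args) throws Exception {
        GoogleCredential googleCredential = GoogleServiceAccount.getCredential();
        googleCredential = googleCredential.createScoped(GoogleServiceAccount.getScopes());
        final String idTokenString = GoogleServiceAccount.composeIdTokenString(googleCredential);
        // Claim-only inspection: exp / iat / iss, no signature verification.
        GoogleServiceAccount.parseIdTokenString(idTokenString);
        try {
            GoogleServiceAccount.inspectGoogleIdTokenVerifier(idTokenString);
        } catch (Exception err) {
            // NOTE(review): GoogleIdTokenVerifier checks the signature against Google's
            // published keys, so an assertion signed with the service-account key is
            // presumably not expected to pass here; the demo reports the reason and exits.
            err.printStackTrace();
        }
    }

    /** Helpers around the service-account key file and the JWT built from it. */
    static class GoogleServiceAccount {
        static final JsonFactory JSON_FACTORY = JacksonFactory.getDefaultInstance();

        /** Token endpoint the assertion is addressed to ({@code aud}); the verifier expects the same value. */
        static final String TOKEN_ENDPOINT = "https://www.googleapis.com/oauth2/v4/token";

        /** Service-account key file read by {@link #getCredential()} from the working directory. */
        static final String KEY_FILE = "service-account.json";

        /** Lifetime of a minted assertion, in seconds. */
        static final long LIFETIME_SECONDS = 3600L;

        /** Clock-skew tolerance, in seconds, applied to {@code iat} and when checking {@code exp}/{@code iat}. */
        static final long SKEW_SECONDS = 300L;

        /**
         * Builds and signs (RS256) a JWT assertion for the given service account.
         *
         * <p>{@code iss} is the service-account e-mail, {@code aud} is {@link #TOKEN_ENDPOINT},
         * {@code exp} is now + {@link #LIFETIME_SECONDS} and {@code iat} is backdated by
         * {@link #SKEW_SECONDS}. The signed string is also printed to stdout so the companion
         * shell script can consume it; treat that output as a bearer credential.
         *
         * @param credential credential loaded from the key file
         * @return the compact-serialised, signed JWT
         * @throws IOException if serialisation fails
         * @throws GeneralSecurityException if signing fails
         */
        static String composeIdTokenString(GoogleCredential credential)
                throws IOException, GeneralSecurityException {
            String email = credential.getServiceAccountId();
            PrivateKey privateKey = credential.getServiceAccountPrivateKey();

            JsonWebSignature.Header header = new JsonWebSignature.Header();
            header.setAlgorithm("RS256");
            header.setType("JWT");

            // Read the clock once so exp and iat are derived from the same instant.
            long nowSeconds = Clock.SYSTEM.currentTimeMillis() / 1000;
            JsonWebSignature.Payload payload = new JsonWebSignature.Payload();
            payload.setIssuer(email);
            // payload.setIssuer("https://accounts.google.com");
            payload.set("scope", "email profile");
            payload.setAudience(TOKEN_ENDPOINT);
            payload.setExpirationTimeSeconds(nowSeconds + LIFETIME_SECONDS);
            payload.setIssuedAtTimeSeconds(nowSeconds - SKEW_SECONDS);
            payload.set("email", email);

            String idTokenString = JsonWebSignature.signUsingRsaSha256(privateKey, JSON_FACTORY, header, payload);
            // Stdout now carries a credential valid for LIFETIME_SECONDS.
            System.out.println(idTokenString);
            return idTokenString;
        }

        /**
         * Parses the token and prints the e-mail claim plus the outcome of the exp, iat and
         * issuer checks. This does <em>not</em> verify the signature.
         *
         * @param idTokenString compact-serialised JWT
         * @throws IOException if the token cannot be parsed or the key file cannot be read
         */
        static void parseIdTokenString(String idTokenString) throws IOException {
            GoogleIdToken idToken = GoogleIdToken.parse(JSON_FACTORY, idTokenString);
            System.out.println(idToken.getPayload().getEmail());
            long nowMillis = Clock.SYSTEM.currentTimeMillis();
            // println(boolean) prints exactly "true"/"false".
            System.out.println(idToken.verifyExpirationTime(nowMillis, SKEW_SECONDS));
            System.out.println(idToken.verifyIssuedAtTime(nowMillis, SKEW_SECONDS));
            System.out.println(idToken.verifyIssuer(getIssuers()));
        }

        /**
         * Runs the token through {@link GoogleIdTokenVerifier} (signature, audience and issuer)
         * and prints the e-mail claim on success.
         *
         * @param idTokenString compact-serialised JWT
         * @throws GeneralSecurityException if the token fails verification
         * @throws Exception if the transport cannot be created or the key file cannot be read
         */
        static void inspectGoogleIdTokenVerifier(String idTokenString) throws Exception {
            HttpTransport transport = GoogleNetHttpTransport.newTrustedTransport();
            GoogleIdTokenVerifier idTokenVerifier = new GoogleIdTokenVerifier.Builder(transport, JSON_FACTORY)
                    .setAudience(Arrays.asList(TOKEN_ENDPOINT))
                    .setIssuers(getIssuers())
                    .build();
            // verify() returns null, rather than throwing, when the token does not check out;
            // dereferencing it unguarded would turn a failed verification into an NPE.
            GoogleIdToken googleIdToken = idTokenVerifier.verify(idTokenString);
            if (googleIdToken == null) {
                throw new GeneralSecurityException("ID token failed verification");
            }
            System.out.println(googleIdToken.getPayload().getEmail());
        }

        /**
         * Issuers accepted by the claim and verifier checks: Google's two issuer forms plus the
         * service-account e-mail, because the self-minted assertion sets {@code iss} to that
         * address.
         *
         * @return accepted issuer values
         * @throws IOException if the key file cannot be read (it is re-read on every call)
         */
        static Collection<String> getIssuers() throws IOException {
            return Arrays.asList(
                    "accounts.google.com",
                    "https://accounts.google.com",
                    getCredential().getServiceAccountId());
        }

        /**
         * Loads the credential from {@link #KEY_FILE}.
         *
         * @return credential holding the service-account id and private key
         * @throws IOException if the file is missing or malformed
         */
        static GoogleCredential getCredential() throws IOException {
            // try-with-resources: the stream was previously never closed.
            try (FileInputStream in = new FileInputStream(KEY_FILE)) {
                return GoogleCredential.fromStream(in);
            }
        }

        /** @return the OAuth scopes requested for the credential */
        static Collection<String> getScopes() {
            return Arrays.asList("email", "profile");
        }
    }
}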
// Ref. https://developers.google.com/identity/protocols/OAuth2ServiceAccount#jwtsample_java