diff --git a/spring-security-openid/pom.xml b/spring-security-openid/pom.xml
index 4c8112a163..aeabb161c9 100644
--- a/spring-security-openid/pom.xml
+++ b/spring-security-openid/pom.xml
@@ -46,6 +46,11 @@
             <version>1.0.9.RELEASE</version>
         </dependency>
         
+        <dependency>
+            <groupId>com.auth0</groupId>
+            <artifactId>jwks-rsa</artifactId>
+            <version>0.3.0</version>
+        </dependency>
     </dependencies>
 
     <repositories>
diff --git a/spring-security-openid/src/main/java/org/baeldung/security/OpenIdConnectFilter.java b/spring-security-openid/src/main/java/org/baeldung/security/OpenIdConnectFilter.java
index c0970ab3cf..f12169cb27 100644
--- a/spring-security-openid/src/main/java/org/baeldung/security/OpenIdConnectFilter.java
+++ b/spring-security-openid/src/main/java/org/baeldung/security/OpenIdConnectFilter.java
@@ -1,12 +1,16 @@
 package org.baeldung.security;
 
 import java.io.IOException;
+import java.net.URL;
+import java.security.interfaces.RSAPublicKey;
+import java.util.Date;
 import java.util.Map;
 
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
@@ -14,16 +18,28 @@ import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.jwt.Jwt;
 import org.springframework.security.jwt.JwtHelper;
+import org.springframework.security.jwt.crypto.sign.RsaVerifier;
 import org.springframework.security.oauth2.client.OAuth2RestOperations;
 import org.springframework.security.oauth2.client.OAuth2RestTemplate;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
-import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
 import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
 import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
 
+import com.auth0.jwk.Jwk;
+import com.auth0.jwk.JwkProvider;
+import com.auth0.jwk.UrlJwkProvider;
 import com.fasterxml.jackson.databind.ObjectMapper;
 
 public class OpenIdConnectFilter extends AbstractAuthenticationProcessingFilter {
+    @Value("${google.clientId}")
+    private String clientId;
+
+    @Value("${google.issuer}")
+    private String issuer;
+
+    @Value("${google.jwkUrl}")
+    private String jwkUrl;
+
     public OAuth2RestOperations restTemplate;
 
     public OpenIdConnectFilter(String defaultFilterProcessesUrl) {
@@ -42,19 +58,35 @@ public class OpenIdConnectFilter extends AbstractAuthenticationProcessingFilter
         }
         try {
             final String idToken = accessToken.getAdditionalInformation().get("id_token").toString();
-            final Jwt tokenDecoded = JwtHelper.decode(idToken);
-            System.out.println("===== : " + tokenDecoded.getClaims());
-
+            String kid = JwtHelper.headers(idToken)
+                .get("kid");
+            final Jwt tokenDecoded = JwtHelper.decodeAndVerify(idToken, verifier(kid));
             final Map<String, String> authInfo = new ObjectMapper().readValue(tokenDecoded.getClaims(), Map.class);
-
+            verifyClaims(authInfo);
             final OpenIdConnectUserDetails user = new OpenIdConnectUserDetails(authInfo, accessToken);
             return new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
-        } catch (final InvalidTokenException e) {
+        } catch (final Exception e) {
             throw new BadCredentialsException("Could not obtain user details from token", e);
         }
 
     }
 
+    public void verifyClaims(Map claims) {
+        int exp = (int) claims.get("exp");
+        Date expireDate = new Date(exp * 1000L);
+        Date now = new Date();
+        if (expireDate.before(now) || !claims.get("iss").equals(issuer) || !claims.get("aud").equals(clientId)) {
+            throw new RuntimeException("Invalid claims");
+        }
+    }
+
+
+    private RsaVerifier verifier(String kid) throws Exception {
+        JwkProvider provider = new UrlJwkProvider(new URL(jwkUrl));
+        Jwk jwk = provider.get(kid);
+        return new RsaVerifier((RSAPublicKey) jwk.getPublicKey());
+    }
+
     public void setRestTemplate(OAuth2RestTemplate restTemplate2) {
         restTemplate = restTemplate2;
 
diff --git a/spring-security-openid/src/main/resources/application.properties.sample.properties b/spring-security-openid/src/main/resources/application.properties.sample.properties
index 3b4f7716f0..49022bf280 100644
--- a/spring-security-openid/src/main/resources/application.properties.sample.properties
+++ b/spring-security-openid/src/main/resources/application.properties.sample.properties
@@ -3,4 +3,6 @@ google.clientId=TODO
 google.clientSecret=TODO
 google.accessTokenUri=https://www.googleapis.com/oauth2/v3/token
 google.userAuthorizationUri=https://accounts.google.com/o/oauth2/auth
-google.redirectUri=http://localhost:8081/google-login
\ No newline at end of file
+google.redirectUri=http://localhost:8081/google-login
+google.issuer=accounts.google.com
+google.jwkUrl=https://www.googleapis.com/oauth2/v2/certs
\ No newline at end of file