Merge remote-tracking branch 'oauth2cli/dev' into time-suggestion

Author: rayluo

msal/oauth2cli/oidc.py

@@ -44,10 +44,11 @@ def decode_id_token(id_token, client_id=None, issuer=None, nonce=None, now=None)
     err = None  # https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
     _now = int(now or time.time())
     skew = 120  # 2 minutes
+    TIME_SUGGESTION = "Make sure your computer's time is correctly synchronized."
     if _now + skew < decoded.get("nbf", _now - 1):  # nbf is optional per JWT specs
         # This is not an ID token validation, but a JWT validation
         # https://tools.ietf.org/html/rfc7519#section-4.1.5
-        err = "0. The ID token is not yet valid."
+        err = "0. The ID token is not yet valid. " + TIME_SUGGESTION
     if issuer and issuer != decoded["iss"]:
         # https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
         err = ('2. The Issuer Identifier for the OpenID Provider, "%s", '
@@ -68,7 +69,7 @@ def decode_id_token(id_token, client_id=None, issuer=None, nonce=None, now=None)
     # the TLS server validation MAY be used to validate the issuer
     # in place of checking the token signature.
     if _now - skew > decoded["exp"]:
-        err = "9. The current time MUST be before the time represented by the exp Claim."
+        err = "9. The ID token already expires. " + TIME_SUGGESTION
     if nonce and nonce != decoded.get("nonce"):
         err = ("11. Nonce must be the same value "
             "as the one that was sent in the Authentication Request.")