fix: fix token clock skew issue #333
Open
+6
−2
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Token used too early errors are a known issue.
For example: firebase/firebase-admin-python#624, firebase/firebase-admin-python#624, googleapis/google-auth-library-python#889
This happens when the system clock is not completely syncronised with the server. The function
verify_id_tokenmay fail for tokens that were issued by servers which have clocks running a little early.If verification is done right after the token was issued by such a server, then the call to function
google.oauth2.id_token.verify_tokenmay be early enough for the 'issued-at-time' timestamp of the token still being in the future.Adding the optional parameter
clock_skew_in_seconds=60to the call togoogle.oauth2.id_token.verify_tokenwould allow for the servers clock to be off by up to a minute and still allow verification of the issued token immediately after it being issued.Fixes #332