Skip to content

fix: fix token clock skew issue #333

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

fix: fix token clock skew issue #333

wants to merge 10 commits into from
+6 −2

Conversation

twishabansal
Copy link
Contributor

@twishabansal twishabansal commented Aug 8, 2025
edited
Loading

Token used too early errors are a known issue.
For example: firebase/firebase-admin-python#624, googleapis/google-auth-library-python#889

This happens when the system clock is not completely syncronised with the server. The function verify_id_token may fail for tokens that were issued by servers which have clocks running a little early.

If verification is done right after the token was issued by such a server, then the call to function google.oauth2.id_token.verify_token may be early enough for the 'issued-at-time' timestamp of the token still being in the future.

Adding the optional parameter clock_skew_in_seconds=60 to the call to google.oauth2.id_token.verify_token would allow for the servers clock to be off by up to a minute and still allow verification of the issued token immediately after it being issued.

Fixes #332

@twishabansal twishabansal marked this pull request as ready for review August 8, 2025 12:59
@twishabansal twishabansal requested a review from a team as a code owner August 8, 2025 12:59
@twishabansal twishabansal mentioned this pull request Aug 8, 2025
Open
3 tasks
anubhav756
anubhav756 previously approved these changes Aug 8, 2025
View reviewed changes
kurtisvg
kurtisvg reviewed Aug 11, 2025
View reviewed changes
packages/toolbox-core/src/toolbox_core/auth_methods.py Outdated
@@ -71,7 +71,9 @@ def _update_cache(new_token: str) -> None:
# verify_oauth2_token not only decodes but also validates the token's
# signature and claims against Google's public keys.
# It's a synchronous, CPU-bound operation, safe for async contexts.
claims = id_token.verify_oauth2_token(new_token, Request())
claims = id_token.verify_oauth2_token(
new_token, Request(), clock_skew_in_seconds=60
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

60s is a long time. Would we be better off with a smaller range of like 1s or 5s?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't find any standard implementations of this. I did, however, see that firebase only allows clock_skew < 60 (ref).

I have changed it to 10 for now. Let me know if you think that's too much and we should make it smaller.

@twishabansal twishabansal requested a review from kurtisvg August 12, 2025 07:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@anubhav756 anubhav756 anubhav756 left review comments

@kurtisvg kurtisvg Awaiting requested review from kurtisvg

At least 1 approving review is required to merge this pull request.

Assignees

@kurtisvg kurtisvg

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

When trying to call MCPToolbox on Cloud run I get Failed to validate and cache the new token: Token used too early
3 participants
@twishabansal @anubhav756 @kurtisvg