feat: Improve handling of clock skew (#858)

* Allow up to 60 seconds of skew * Add actionable/helpful error message text. * 🦉 Updates from OwlBot See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com> Co-authored-by: arithmetic1728 <58957152+arithmetic1728@users.noreply.github.com>
googleapis · Sep 7, 2021 · 45c4491 · 45c4491
1 parent 11ebaeb
commit 45c4491
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/google/auth/_helpers.py b/google/auth/_helpers.py
@@ -20,7 +20,7 @@
 import urllib
 
 
-CLOCK_SKEW_SECS = 10  # 10 seconds
+CLOCK_SKEW_SECS = 60  # 60 seconds
 CLOCK_SKEW = datetime.timedelta(seconds=CLOCK_SKEW_SECS)
 
 

diff --git a/google/auth/jwt.py b/google/auth/jwt.py
@@ -190,7 +190,11 @@ def _verify_iat_and_exp(payload):
     # for clock skew.
     earliest = iat - _helpers.CLOCK_SKEW_SECS
     if now < earliest:
-        raise ValueError("Token used too early, {} < {}".format(now, iat))
+        raise ValueError(
+            "Token used too early, {} < {}. Check that your computer's clock is set correctly.".format(
+                now, iat
+            )
+        )
 
     # Make sure the token wasn't issued in the past.
     exp = payload["exp"]