Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / google-auth-library-python / 738611bd2914f0fd5fa8b49b65f56ef321829c85^! / . / google / auth / jwt.py
commit738611bd2914f0fd5fa8b49b65f56ef321829c85[log] [tgz]
authorarithmetic1728 <58957152+arithmetic1728@users.noreply.github.com>Thu Sep 09 17:09:54 2021 -0700
committerGitHub <noreply@github.com>Thu Sep 09 17:09:54 2021 -0700
tree5a9d1e0c2138c038066dd66d9bf639da4b4123f6
parent13aed5ffe3ba435004ab48202462452f04d7cb29 [diff] [blame]
fix: rename CLOCK_SKEW and separate client/server user case (#863)

* fix: rename CLOCK_SKEW and separate client/server user case

* update clock skew to 20s
diff --git a/google/auth/jwt.py b/google/auth/jwt.py
index 1bc7e5e..bb9ffae 100644
--- a/google/auth/jwt.py
+++ b/google/auth/jwt.py

@@ -167,12 +167,14 @@
     return header
 
 
-def _verify_iat_and_exp(payload):
+def _verify_iat_and_exp(payload, clock_skew_in_seconds=0):
     """Verifies the ``iat`` (Issued At) and ``exp`` (Expires) claims in a token
     payload.
 
     Args:
         payload (Mapping[str, str]): The JWT payload.
+        clock_skew_in_seconds (int): The clock skew used for `iat` and `exp`
+            validation.
 
     Raises:
         ValueError: if any checks failed.
@@ -188,7 +190,7 @@
     iat = payload["iat"]
     # Err on the side of accepting a token that is slightly early to account
     # for clock skew.
-    earliest = iat - _helpers.CLOCK_SKEW_SECS
+    earliest = iat - clock_skew_in_seconds
     if now < earliest:
         raise ValueError(
             "Token used too early, {} < {}. Check that your computer's clock is set correctly.".format(
@@ -200,12 +202,12 @@
     exp = payload["exp"]
     # Err on the side of accepting a token that is slightly out of date
     # to account for clow skew.
-    latest = exp + _helpers.CLOCK_SKEW_SECS
+    latest = exp + clock_skew_in_seconds
     if latest < now:
         raise ValueError("Token expired, {} < {}".format(latest, now))
 
 
-def decode(token, certs=None, verify=True, audience=None):
+def decode(token, certs=None, verify=True, audience=None, clock_skew_in_seconds=0):
     """Decode and verify a JWT.
 
     Args:
@@ -221,6 +223,8 @@
         audience (str or list): The audience claim, 'aud', that this JWT should
             contain. Or a list of audience claims. If None then the JWT's 'aud'
             parameter is not verified.
+        clock_skew_in_seconds (int): The clock skew used for `iat` and `exp`
+            validation.
 
     Returns:
         Mapping[str, str]: The deserialized JSON payload in the JWT.
@@ -271,7 +275,7 @@
         raise ValueError("Could not verify token signature.")
 
     # Verify the issued at and created times in the payload.
-    _verify_iat_and_exp(payload)
+    _verify_iat_and_exp(payload, clock_skew_in_seconds)
 
     # Check audience.
     if audience is not None: