From 45c4491fb971c9edf590b27b9e271b7a23a1bba6 Mon Sep 17 00:00:00 2001
From: Liron Newman <eesheesh@users.noreply.github.com>
Date: Tue, 7 Sep 2021 23:07:07 +0100
Subject: [PATCH] feat: Improve handling of clock skew (#858)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Allow up to 60 seconds of skew

* Add actionable/helpful error message text.

* 🦉 Updates from OwlBot

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
Co-authored-by: arithmetic1728 <58957152+arithmetic1728@users.noreply.github.com>
---
 google/auth/_helpers.py | 2 +-
 google/auth/jwt.py      | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/google/auth/_helpers.py b/google/auth/_helpers.py
index 09f32f84e..11c6b1adb 100644
--- a/google/auth/_helpers.py
+++ b/google/auth/_helpers.py
@@ -20,7 +20,7 @@
 import urllib
 
 
-CLOCK_SKEW_SECS = 10  # 10 seconds
+CLOCK_SKEW_SECS = 60  # 60 seconds
 CLOCK_SKEW = datetime.timedelta(seconds=CLOCK_SKEW_SECS)
 
 
diff --git a/google/auth/jwt.py b/google/auth/jwt.py
index d931bf7b9..1bc7e5e71 100644
--- a/google/auth/jwt.py
+++ b/google/auth/jwt.py
@@ -190,7 +190,11 @@ def _verify_iat_and_exp(payload):
     # for clock skew.
     earliest = iat - _helpers.CLOCK_SKEW_SECS
     if now < earliest:
-        raise ValueError("Token used too early, {} < {}".format(now, iat))
+        raise ValueError(
+            "Token used too early, {} < {}. Check that your computer's clock is set correctly.".format(
+                now, iat
+            )
+        )
 
     # Make sure the token wasn't issued in the past.
     exp = payload["exp"]