Added option clockSkewInSeconds to allow setting clock_skew_in_seconds parameter for token verification #625
Conversation
Adding the optional parameter clock_skew_in_seconds=60 to the call to google.oauth2.id_token.verify_token now allows for the token-issuing server's clock to be off by up to a minute without the token becoming invalid due to a 'issued-at-time' timestamp that is in the future.
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
|
Hi, I wanted to follow up on this issue and ask when it will be merged? |
This option value is used for the token verification instead of the fixed 60 seconds from the earlier commit. This way, the user of firebase_admin can decide if he/she wants to set that value or not. Also all existing uses of firebase_admin won't suddenly change behaviour, since if the option is not specified, it's default of 0 is equivalent to what was used before the introduction of the new option.
|
I changed the pull request a little. The parameter clock_skew_in_seconds for the Google token verification API call is no longer hard-coded with 60 seconds but can be set as an App option. If that option is not set, a default of 0 is used. This makes all uses of firebase_admin work the same way as before. So the change won't introduce a change of behaviour for those existing applications. But users that need the clock skew setting can add an option to their App and overwrite the default of 0 that way. I think that is the better way to introduce using the clock_skew_in_seconds parameter of the Google API. |
|
Why is this PR not merge? |
|
Thank you @fschaeck for your contribution! The changes to App options require an internal API review and might take a while. Hi, @prameshj, @renkelvin let me know your thoughts on this, I can initiate the internal changes. Thank you! |
There was a problem hiding this comment.
Thank you @fschaeck for your contribution! This looks good to me, but as an alternative, what do you think about adding clock_skew_in_seconds =0 to verify_id_token() and verify_session_cookie as an optional parameter?
firebase-admin-python/firebase_admin/auth.py
Line 194 in b9e95e8
|
@lahirumaramba @fschaeck By the way, we have a similar bug with this method. auth.verify_session_cookie(session, check_revoked=True)I solved it this way. session_cookie_request = requests.Request()
CERTS_URL = "https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys"
id_token.verify_token(session_token=session, request=session_cookie_request, certs_url=CERTS_URL, clock_skew_in_seconds=10) |
|
@fschaeck are you able to merge this now? Subscribing. |
|
appreciate if this could be merged |
|
Thank you for your patience everyone. We just completed the internal API review and we think a better approach would be to add a new optional API: Usage: @fschaeck would you be able to make the changes? Thank you! |
|
Hi mean while this need to be changed what the work around? could not figure out yet how to skew my clock with node js |
Fork the fix and install the git repo with pip works for now. |
Adding the optional parameter clock_skew_in_seconds=60 to the call to google.oauth2.id_token.verify_token now allows for the token-issuing server's clock to be off by up to a minute without the token becoming invalid due to a 'issued-at-time' timestamp that is in the future.
Discussion
Issue #624
Testing
No additional tests required.
API Changes
n/a