Token used too early error thrown by firebase_admin auth's verify_id_token method

Whenever I run

from firebase_admin import auth
auth.verify_id_token(firebase_auth_token)

It throws the following error:

Token used too early, 1650302066 < 1650302067. Check that your computer's clock is set correctly.

I'm aware that the underlying google auth APIs do check the time of the token, however as outlined here there should be a 10 second clock skew. Apparently, my server time is off by 1 second, however running this still fails even though this is well below the allowed 10 second skew. Is there a way to fix this?

951 likes
M. Chak Avatar asked Feb 04 '26 06:02

M. Chak


2 Answers

This is how the firebase_admin.verify_id_token verifies the token:

verified_claims = google.oauth2.id_token.verify_token(
                    token,
                    request=request,
                    audience=self.project_id,
                    certs_url=self.cert_url)

and this is the definition of google.oauth2.id_token.verify_token(...)

def verify_token(
    id_token,
    request,
    audience=None,
    certs_url=_GOOGLE_OAUTH2_CERTS_URL,
    clock_skew_in_seconds=0,
):

As you can see, the function verify_token allows you to specify a "clock_skew_in_seconds", but the firebase_admin function is not passing it along, thus the default of 0 is used and, since your server clock is off by 1 second, the check in verify_token fails.

I would consider this a bug in firebase_admin.verify_id_token, and maybe you can open an issue against the firebase admin SDK, but other than that you can only make sure your clock is either exact or shows a time EARLIER than the actual time.

Edit:

I actually opened an issue on GitHub for firebase/firebase-admin-Python and created an according pull request since I looked at all the source files already anyway...

If and when the pull request is merged, the server's clock is allowed to be off by up to a minute.

74 likes
Frank Avatar answered Feb 05 '26 22:02

Frank


Had a similar problem; solved it by adding "clock_skew_in_seconds=10" in the validating definition:

    from google.auth.transport import requests
    from google.oauth2 import id_token

    def validate(auth_token):
        """
        Queries the Google OAuth2 API to verify the token and fetch the user info.
        """
        try:
            # Allow the server clock to be up to 10 seconds off from Google's.
            idinfo = id_token.verify_oauth2_token(
                auth_token, requests.Request(), clock_skew_in_seconds=10)

            if 'accounts.google.com' in idinfo['iss']:
                return idinfo

        except ValueError:
            return "The token is either invalid or has expired"

27 likes
ARSH Avatar answered Feb 05 '26 21:02

ARSH
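To make the skew arithmetic in both answers concrete, here is an added, stand-alone Python example. It is not code from the question, the answers, firebase_admin or google-auth; the function names are mine, the two timestamps are the ones from the error message in the question, the one-hour token lifetime is assumed, and the iat/exp logic is modelled on how google-auth reports "Token used too early". The token it builds is a constructed, unsigned sample: signature verification against the issuer's published certificates (which the real libraries do first) is deliberately out of scope here, so nothing this code returns should be treated as an authenticated identity.

```python
import base64
import json

# Constructed sample values taken from the error message in the question:
# the server clock reads 1650302066 while the token's iat is 1650302067.
SERVER_NOW = 1650302066
TOKEN_IAT = 1650302067
TOKEN_EXP = TOKEN_IAT + 3600  # assumed one-hour lifetime


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_sample_token(iat: int, exp: int, issuer: str = "https://accounts.google.com") -> str:
    """Build a constructed, UNSIGNED compact JWT for demonstrating the time checks.

    The third segment is a placeholder; a real verifier checks the signature
    against the issuer's certificates before trusting any claim below.
    """
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"iss": issuer, "iat": iat, "exp": exp}).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without validating anything."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("Wrong number of segments in token: %d" % len(parts))
    return json.loads(_b64url_decode(parts[1]))


def check_time_claims(claims: dict, now: int, clock_skew_in_seconds: int = 0) -> None:
    """Apply iat/exp checks with a skew tolerance (hypothetical, google-auth style).

    With clock_skew_in_seconds=0, which is what firebase_admin passed at the
    time of the question, a server clock even one second behind fails here.
    Keep the tolerance small: every second of skew extends the window in
    which an expired token is still accepted.
    """
    if not 0 <= clock_skew_in_seconds <= 60:
        raise ValueError("clock_skew_in_seconds must be between 0 and 60")
    iat = int(claims["iat"])
    exp = int(claims["exp"])
    earliest = iat - clock_skew_in_seconds  # earliest moment the token is usable
    if now < earliest:
        raise ValueError(
            f"Token used too early, {now} < {earliest}. "
            "Check that your computer's clock is set correctly."
        )
    latest = exp + clock_skew_in_seconds  # last moment the token is usable
    if latest < now:
        raise ValueError(f"Token expired, {latest} < {now}")


def time_check_error(token: str, now: int, clock_skew_in_seconds: int = 0):
    """Return None if the token's time claims pass, else the error message."""
    try:
        check_time_claims(decode_claims(token), now, clock_skew_in_seconds)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    token = build_sample_token(TOKEN_IAT, TOKEN_EXP)
    print("skew 0 :", time_check_error(token, SERVER_NOW, 0))
    print("skew 10:", time_check_error(token, SERVER_NOW, 10))
    print("expired:", time_check_error(token, TOKEN_EXP + 30, 10))
```

Running it shows the exact situation from the question: with a skew of 0 the 1-second-slow server clock produces "Token used too early, 1650302066 < 1650302067", while a skew of 10 (or even 1) lets the same token through, and a token 30 seconds past its exp is still rejected. In production the right fix is to keep the server clock NTP-synchronised and pass only a small tolerance to the library's own verifier, rather than reimplementing these checks.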


