firebase · fschaeck · Jul 14, 2022 · Aug 6, 2022 · Sep 13, 2022 · Dec 3, 2022
diff --git a/firebase_admin/__init__.py b/firebase_admin/__init__.py
@@ -28,7 +28,7 @@
 
 _DEFAULT_APP_NAME = '[DEFAULT]'
 _FIREBASE_CONFIG_ENV_VAR = 'FIREBASE_CONFIG'
-_CONFIG_VALID_KEYS = ['databaseAuthVariableOverride', 'databaseURL', 'httpTimeout', 'projectId',
+_CONFIG_VALID_KEYS = ['clockSkewInSeconds', 'databaseAuthVariableOverride', 'databaseURL', 'httpTimeout', 'projectId',
  'storageBucket']
 
 def initialize_app(credential=None, options=None, name=_DEFAULT_APP_NAME):
@@ -48,9 +48,10 @@ def initialize_app(credential=None, options=None, name=_DEFAULT_APP_NAME):
  credential: A credential object used to initialize the SDK (optional). If none is provided,
  Google Application Default Credentials are used.
  options: A dictionary of configuration options (optional). Supported options include
- ``databaseURL``, ``storageBucket``, ``projectId``, ``databaseAuthVariableOverride``,
- ``serviceAccountId`` and ``httpTimeout``. If ``httpTimeout`` is not set, the SDK
- uses a default timeout of 120 seconds.
+ ``clockSkewInSeconds``, ``databaseURL``, ``storageBucket``, ``projectId``,
+ ``databaseAuthVariableOverride``, ``serviceAccountId`` and ``httpTimeout``.
+ If ``httpTimeout`` is not set, the SDK uses a default timeout of 120 seconds.
+ If ``clockSkewInSeconds`` is not set, 0 is used when verifying a token.
  name: Name of the app (optional).
  Returns:
  App: A newly initialized instance of App.

diff --git a/firebase_admin/_token_gen.py b/firebase_admin/_token_gen.py
@@ -55,6 +55,7 @@
  'service-accounts/default/email')
 ALGORITHM_RS256 = 'RS256'
 ALGORITHM_NONE = 'none'
+DEFAULT_CLOCK_SKEW_IN_SECONDS = 0
 
 # Emulator fake account
 AUTH_EMULATOR_EMAIL = 'firebase-auth-emulator@example.com'
@@ -271,13 +272,15 @@ class TokenVerifier:
 
  def __init__(self, app):
  timeout = app.options.get('httpTimeout', _http_client.DEFAULT_TIMEOUT_SECONDS)
+ clock_skew_in_seconds = app.options.get('clockSkewInSeconds', DEFAULT_CLOCK_SKEW_IN_SECONDS)
  self.request = CertificateFetchRequest(timeout)
  self.id_token_verifier = _JWTVerifier(
  project_id=app.project_id, short_name='ID token',
  operation='verify_id_token()',
  doc_url='https://firebase.google.com/docs/auth/admin/verify-id-tokens',
  cert_url=ID_TOKEN_CERT_URI,
  issuer=ID_TOKEN_ISSUER_PREFIX,
+ clock_skew_in_seconds=clock_skew_in_seconds,
  invalid_token_error=_auth_utils.InvalidIdTokenError,
  expired_token_error=ExpiredIdTokenError)
  self.cookie_verifier = _JWTVerifier(
@@ -312,6 +315,7 @@ def __init__(self, **kwargs):
  self.articled_short_name = 'a {0}'.format(self.short_name)
  self._invalid_token_error = kwargs.pop('invalid_token_error')
  self._expired_token_error = kwargs.pop('expired_token_error')
+ self._clock_skew_in_seconds = kwargs.pop('clock_skew_in_seconds',DEFAULT_CLOCK_SKEW_IN_SECONDS)
 
  def verify(self, token, request):
  """Verifies the signature and data for the provided JWT."""
@@ -393,7 +397,8 @@ def verify(self, token, request):
  token,
  request=request,
  audience=self.project_id,
- certs_url=self.cert_url)
+ certs_url=self.cert_url,
+ clock_skew_in_seconds=self._clock_skew_in_seconds)
  verified_claims['uid'] = verified_claims['sub']
  return verified_claims
  except google.auth.exceptions.TransportError as error: