Description
The function auth.verify_id_token may fail for tokens that were issued by servers which have clocks running a little early.
If verification is done right after the token was issued by such a server, then the call to function google.oauth2.id_token.verify_token in _JWTVerifier.verify in firebase_admin/_token_gen.py may happen early enough that the 'issued-at-time' timestamp of the token is still in the future.
That will lead to the error 'Token used too early' from google.oauth2.id_token.verify_token, because the function _JWTVerifier.verify is not passing along the optional parameter clock_skew_in_seconds, which would make the google...verify_token function allow for slightly off clock settings.
The worst part about this is that, depending on the server's clock setting, how quickly Google's verify_token function is called, and the time it takes to get the API request through to the verification server, the verification of such tokens may sometimes work and sometimes not, making this a very hard issue to understand and account for.
Adding the optional parameter clock_skew_in_seconds=60 to the call to google.oauth2.id_token.verify_token would allow for the server's clock to be off by up to a minute and still allow verification of the issued token immediately after it is issued.
Otherwise, developers working with firebase_admin's function auth.verify_id_token would have to add a slight delay before calling the function to account for such clock skew.
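
The timing behaviour described in this report can be reproduced offline with the following added example, which is not code from firebase_admin or google-auth. It models only the issued-at/expiry window check with a skew allowance; the helper names, the constructed timestamp and the unsigned sample token are assumptions made for illustration.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(iat: int, lifetime: int = 3600) -> str:
    """Constructed sample token; the signature segment is a dummy value."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iat": iat, "exp": iat + lifetime}).encode())
    return f"{header}.{payload}.{_b64url(b'not-a-real-signature')}"

def check_time_claims(token: str, now: int, clock_skew_in_seconds: int = 0) -> dict:
    """Model of the iat/exp window check only; no signature verification."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    earliest = claims["iat"] - clock_skew_in_seconds
    latest = claims["exp"] + clock_skew_in_seconds
    if now < earliest:
        raise ValueError(f"Token used too early, {now} < {earliest}")
    if latest < now:
        raise ValueError(f"Token expired, {latest} < {now}")
    return claims

def outcomes(issuer_ahead: int, delays, clock_skew_in_seconds: int = 0) -> dict:
    """Map each verification delay (seconds after issuance) to its result."""
    issued_at_verifier_time = 1_700_000_000  # constructed timestamp
    # The issuing server stamps iat with its own clock, which runs ahead.
    token = make_sample_token(iat=issued_at_verifier_time + issuer_ahead)
    results = {}
    for delay in delays:
        now = issued_at_verifier_time + delay
        try:
            check_time_claims(token, now, clock_skew_in_seconds)
            results[delay] = "ok"
        except ValueError as exc:
            results[delay] = str(exc).split(",")[0]
    return results

if __name__ == "__main__":
    # Issuer clock 3 s ahead: the result depends on how fast the verifier is reached.
    print(outcomes(3, [0, 1, 3, 5]))
    # With a 60 s allowance the same token verifies at every delay.
    print(outcomes(3, [0, 1, 3, 5], clock_skew_in_seconds=60))
```

With no allowance, the same token is rejected or accepted purely according to how many seconds pass before the check runs, which matches the intermittent failures described above.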