feat: Improve handling of clock skew (#858)

* Allow up to 60 seconds of skew

* Add actionable/helpful error message text.

* 🦉 Updates from OwlBot

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
Co-authored-by: arithmetic1728 <58957152+arithmetic1728@users.noreply.github.com>

2 files changed, 6 insertions, 2 deletions

diff --git a/google/auth/_helpers.py b/google/auth/_helpers.py
index 09f32f8..11c6b1a 100644
--- a/google/auth/_helpers.py
+++ b/google/auth/_helpers.py
@@ -20,7 +20,7 @@ import datetime
 import urllib
 
 
-CLOCK_SKEW_SECS = 10  # 10 seconds
+CLOCK_SKEW_SECS = 60  # 60 seconds
 CLOCK_SKEW = datetime.timedelta(seconds=CLOCK_SKEW_SECS)
 
 
diff --git a/google/auth/jwt.py b/google/auth/jwt.py
index d931bf7..1bc7e5e 100644
--- a/google/auth/jwt.py
+++ b/google/auth/jwt.py
@@ -190,7 +190,11 @@ def _verify_iat_and_exp(payload):
     # for clock skew.
     earliest = iat - _helpers.CLOCK_SKEW_SECS
     if now < earliest:
-        raise ValueError("Token used too early, {} < {}".format(now, iat))
+        raise ValueError(
+            "Token used too early, {} < {}. Check that your computer's clock is set correctly.".format(
+                now, iat
+            )
+        )
 
     # Make sure the token wasn't issued in the past.
     exp = payload["exp"]