Introduction
In a JWT, the "nbf" (Not Before) claim is date/time sensitive. The OS date/time is used to verify the validity of the claim.
Issue
When logging in using the Kubernetes Auth method and presenting a valid JWT token, an error indicating that the JWT token is not yet valid is returned.
Error message:
URL: PUT https://127.0.0.1:8200/v1/auth/k8/login
Code: 403. Errors:
* invalid not before (nbf) claim: token not yet valid
Using a JWT decoder, for example jwt.io, it is determined that the JWT token does have a valid "not before (nbf) claim".
Cause
The date/time on the server and client appear to be correct when doing a basic check using the "date" command. On closer inspection, however, the time is found not to be fully synchronised using NTP or another appropriate time synchronisation method, as is recommended in the Vault Production Hardening guidelines under the sub-heading Synchronized Clocks.
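The effect described above, as an added example that is not part of the original article and is not Vault's own code: it decodes a token's nbf claim (no signature verification, diagnostic use only) and compares it with a verifier clock reading, showing that a verifier only a few seconds behind the issuer rejects a freshly issued token. The token, timestamps and function names are constructed for illustration.

```python
import base64
import json
import time


def jwt_claims(token):
    """Decode the payload segment of a JWT. No signature check: diagnostics only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def nbf_check(token, verifier_now=None):
    """Return (accepted, seconds_early) for a given verifier clock reading.

    seconds_early > 0 means the verifier's clock has not yet reached nbf.
    Generic nbf rule (accept once now >= nbf); a real verifier may differ in detail.
    """
    now = time.time() if verifier_now is None else verifier_now
    nbf = jwt_claims(token).get("nbf")
    if nbf is None:
        return True, 0.0  # no nbf claim, nothing to enforce
    seconds_early = float(nbf) - now
    return seconds_early <= 0, seconds_early


def make_sample_token(nbf):
    """Constructed sample token; the signature segment is a placeholder."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([b64(header), b64({"nbf": nbf, "sub": "sample"}), "sig"])


if __name__ == "__main__":
    issued = 1_700_000_000  # constructed issuer clock reading (epoch seconds)
    token = make_sample_token(nbf=issued)
    # Verifier in sync, then 3 s behind the issuer: a gap that a quick
    # look at "date" output on two hosts will not reveal.
    for skew in (0.0, -3.0):
        ok, early = nbf_check(token, verifier_now=issued + skew)
        print(f"verifier skew {skew:+.1f}s -> accepted={ok}, early by {early:.1f}s")
```

Calling nbf_check(token) with no clock argument on the host that rejects the login shows how far that host's clock is behind the token's nbf.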
Solution
Configure a suitable time synchronisation system, for example NTP, to ensure correct and consistent time synchronisation across servers and clients.
Outcome
With time fully synchronised in the environment, the JWT token login is successful.
Additional Information
- CISA Article: Time Guidance for Network Operators
- Vault Documentation: Vault Production Hardening