Introduction

In a JWT token the "nbf" (Not Before) Claim is date/time sensitive. The OS date/time is used to verify the validity of the Claim.

Issue

When logging in using the Kubernetes Auth method and presenting a valid JWT token, an error indicating that the JWT token is not yet valid is returned.

Error message:

URL: PUT https://127.0.0.1:8200/v1/auth/k8/login
Code: 403. Errors:

* invalid not before (nbf) claim: token not yet valid

Using a JWT decoder, for example jwt.io, it is determined that the JWT token does have a valid "not before (nbf) claim".

Cause

The date/time on the server and client appear to be correct when doing a basic check using the "date" command. However, on finer inspection it is discovered that the time is not fully synchronised utilising NTP or other appropriate time synchronisation method, as is recommended in the Vault Production Hardening guidelines under the sub-heading of Synchronized Clocks.

Solution

Ensure that a suitable time synchronisation system, for example NTP, is configured to ensure correct and consistent time synchronisation across servers and clients.

Outcome

With time fully synchronised in the environment the JWT token login is successful.

Additional Information

CISA Article: Time Guidance for Network Operators
Vault Documentation: Vault Production Hardening

K8s Auth Method login failing with error that JWT Token is not yet valid.

Introduction

Issue

Cause

Solution

Outcome

Additional Information

Articles in this section

Introduction

Issue

Cause

Solution

Outcome

Additional Information

Articles in this section

Related articles