Authentication failed: error validating claims: square/go-jose/jwt: validation failed, token not valid yet (nbf)

I found some documentation about JWT role creation with a parameter/key (not_before_leeway) to configure nbf, but after doing some tests with role creation via curl it seems "not_before_leeway" is NOT assumed in the configuration of the role.

Commands used:

VAULT_TOKEN=$(cat /data/.root_token | tail -1)


ROLE_NOTIFICATIONENGINE='{"allowed_redirect_uris": null,"bound_audiences": [""],"bound_cidrs": null,"bound_claims": null,"bound_subject": "","claim_mappings": null,"groups_claim": "","max_ttl": 0,"num_uses": 0,"oidc_scopes": null,"period": 0,"policies": ["XXXengine"],"role_type": "jwt","ttl": 0,"user_claim": "sub","not_before_leeway": 300}'

curl -X POST $VAULT_ADDR/v1/auth/jwt/role/XXX_contributor -H "$HEADER" -d "$ROLE_NOTIFICATIONENGINE"


Any suggestion or recommendation would be welcome!


I am facing the same problem. Is there any solution?

# This is my example of configuring JWT using a GitLab CI job:
Vault demo:
  stage: test
  image: vault:1.6.2
  script:
    # Re-create the JWT auth mount from scratch
    - vault auth disable jwt
    - vault auth enable jwt
    # Role definition is passed as JSON on stdin
    - |-
      vault write auth/jwt/role/gitlab-ci-role - <<EOF
      {
        "role_type": "jwt",
        "policies": ["apikey-readonly"],
        "token_explicit_max_ttl": 60,
        "user_claim": "user_email",
        "bound_claims": {
          "project_id": "$CI_PROJECT_ID"
        }
      }
      EOF
    - vault write auth/jwt/config jwks_url="" bound_issuer=""
    - vault write -field=token auth/jwt/login role=gitlab-ci-role jwt=${CI_JOB_JWT}


My problem was solved after setting the correct system time on the host machine where Vault was installed.
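
To check whether a "token not valid yet (nbf)" failure comes from clock skew, as in the resolution above, the token's payload can be decoded (without verifying it) and its nbf/exp compared with the validating host's clock. This is an added example, not part of the thread's posts or Vault's code; the function names, the unsigned sample token and the 400-second skew are constructed for illustration.

```python
import base64
import json
import time


def decode_claims(token):
    """Return the JWT payload as a dict WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_time_claims(claims, now=None, leeway=0):
    """Compare nbf/exp with the validator's clock.

    Returns a list of (claim, seconds_off) findings; an empty list means the
    time claims are acceptable at `now` with the given leeway (in seconds).
    """
    now = time.time() if now is None else now
    findings = []
    nbf, exp = claims.get("nbf"), claims.get("exp")
    if nbf is not None and now + leeway < nbf:
        findings.append(("nbf", nbf - now))  # validator clock is this far behind nbf
    if exp is not None and now - leeway > exp:
        findings.append(("exp", now - exp))  # validator clock is this far past exp
    return findings


def make_sample_token(claims):
    """Build a constructed, unsigned sample token so the demo runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    issued = 1_700_000_000  # constructed issuer timestamp
    token = make_sample_token({"sub": "job", "nbf": issued, "exp": issued + 3600})
    claims = decode_claims(token)
    # Validator clock 400 s behind the issuer: a 300 s leeway does not cover it.
    print(check_time_claims(claims, now=issued - 400, leeway=300))
    # Same token once the validator clock is corrected.
    print(check_time_claims(claims, now=issued + 5, leeway=300))
```

A non-empty "nbf" finding on the Vault host while the same token passes on a time-synced machine points at the host clock rather than the role configuration.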