Authentication failed: error validating claims: square/go-jose/jwt: validation failed, token not valid yet (nbf)

Vault
1

I found some documentation about jwt role creation with some parameters/key ( ot_before_leeway ) to configure nbf but after doing some tests with role creation via curl i t seems “not_before_leeway” is NOT assumed in configuration of the role.

commands used :

"
VAULT_TOKEN=cat /data/.root_token | tail -1

HEADER=“X-Vault-Token: $VAULT_TOKEN”

ROLE_NOTIFICATIONENGINE=’{“allowed_redirect_uris”: null,“bound_audiences”: [“https://whatever.aaa.com”],“bound_cidrs”: null,“bound_claims”: null,“bound_subject”: “”,“claim_mappings”: null,“groups_claim”: “”,“max_ttl”: 0,“num_uses”: 0,“oidc_scopes”: null,“period”: 0,“policies”: [“XXXengine”],“role_type”: “jwt”,“ttl”: 0,“user_claim”: “sub”,“not_before_leeway”: 300}’

curl -X POST $VAULT_ADDR/v1/auth/jwt/role/XXX_contributor -H “$HEADER” -d “$ROLE_NOTIFICATIONENGINE”
"

"

Any suggestion or recommendation would be welcome !
Thanks
Paulo

1 Like
2

I face with the same problem. Is there any solution?

3 
#this is my example of configuring JWT using gitlab ci job:
Vault demo:
  stage: test
  image: vault:1.6.2
  script:
    - vault auth disable jwt
    - vault auth enable jwt
    - |-
      vault write auth/jwt/role/gitlab-ci-role - <<EOF
      {
        "role_type": "jwt",
        "policies": ["apikey-readonly"],
        "token_explicit_max_ttl": 60,
        "user_claim": "user_email",
        "not_before_leeway":-1,
        "bound_claims": {
          "project_id": "$CI_PROJECT_ID"
        }
      }
      EOF
    - vault write auth/jwt/config jwks_url="https://gitlab.com/-/jwks" bound_issuer="gitlab.com"
    - vault write -field=token auth/jwt/login role=gitlab-ci-role jwt=${CI_JOB_JWT}

image

4

My problem was solved after set correct system time on host machine, where vault was installed.