netbirdio / netbird

Connect your devices into a single secure private WireGuard®-based mesh network with SSO/MFA and simple access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

Error when validating JWT claims: Error parsing token: Token is not valid yet #1942

Open WhyAydan opened 1 month ago

WhyAydan commented 1 month ago

Describe the problem

When setting up via Zitadel v2.46.7 I am unable to log in straight away as the console says the following.

Error when validating JWT claims: Error parsing token: Token is not valid yet

To Reproduce

Steps to reproduce the behavior: Grab the latest version of Zitadel and try to set up the connector.

Expected behavior

Login without issues

Are you using NetBird Cloud?

Self-hosted

NetBird version

v2.3.0

Additional context

caddy-1       | {"level":"debug","ts":1715106416.1974788,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"management:80","duration":0.18388418,"request":{"remote_ip":"REDACTED","remote_port":"62111","client_ip":"REDACTED","proto":"HTTP/2.0","method":"GET","host":"REDACTED","uri":"/api/users","headers":{"Sec-Ch-Ua":["\"Not-A.Brand\";v=\"99\", \"Chromium\";v=\"124\""],"Authorization":[],"Sec-Fetch-Site":["same-origin"],"Sec-Fetch-Dest":["empty"],"Accept-Language":["en-GB,en-US;q=0.9,en;q=0.8"],"X-Forwarded-Proto":["https"],"Accept":["application/json"],"Referer":["https://REDACTED/peers"],"Priority":["u=1, i"],"Sec-Ch-Ua-Platform":["\"macOS\""],"Cookie":[],"X-Forwarded-For":["REDACTED"],"X-Forwarded-Host":["REDACTED"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Ch-Ua-Mobile":["?0"],"Content-Type":["application/json"],"Sec-Fetch-Mode":["cors"],"Dnt":["1"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"REDACTED"}},"headers":{"Date":["Tue, 07 May 2024 18:26:56 GMT"],"Content-Length":["39"],"Content-Type":["application/json; charset=UTF-8"],"Vary":["Origin"]},"status":401}
caddy-1       | {"level":"debug","ts":1715106416.72139,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"management:80","total_upstreams":1}
management-1  | 2024-05-07T18:26:56Z ERRO management/server/jwtclaims/jwtValidator.go:160: error parsing token: Token is not valid yet
management-1  | 2024-05-07T18:26:56Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: Error parsing token: Token is not valid yet
management-1  | 2024-05-07T18:26:56Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
management-1  | 2024-05-07T18:26:56Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 3537426485: GET /api/users status 401

management-1  | 2024-05-07T18:27:37Z WARN management/server/account.go:1245: user 266096520175157251 not found in IDP
management-1  | 2024-05-07T18:27:37Z INFO management/server/account.go:1411: cache invalid. Users unknown to the cache: 1
management-1  | 2024-05-07T18:27:37Z INFO management/server/account.go:1372: refreshing cache for account cot70csrfpec73emggs0

It is entirely possible that I'm the issue but who knows.

mlsmaycon commented 1 month ago

@WhyAydan, this error, "Token is not valid yet", usually happens when there is a time sync issue with the Zitadel or NetBird service.

Can you double-check the time in both services and your own workstation to confirm it? If so, you can check some steps from https://askubuntu.com/questions/254826/how-to-force-a-clock-update-using-ntp to update your server's time. Once that is done you can restart the affected service.
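The clock-skew failure described in the comment above, as an added diagnostic example that is not part of the original thread and not NetBird's own validator. It decodes a token's time claims and reports how far the validating host's clock sits outside the validity window; the function names, the optional leeway parameter and the sample token are assumptions constructed for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// timeClaims are RFC 7519 NumericDate values: Unix seconds, unaffected by any TZ setting.
type timeClaims struct {
	Nbf int64 `json:"nbf"`
	Exp int64 `json:"exp"`
}

// CheckSkew returns a verdict and how far `now` lies outside the token's validity window.
func CheckSkew(token string, now time.Time, leeway time.Duration) (string, time.Duration, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", 0, fmt.Errorf("not a compact JWT: %d segments", len(parts))
	}
	// Payload is decoded without signature verification: diagnostics only, never authorization.
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", 0, err
	}
	var c timeClaims
	if err := json.Unmarshal(raw, &c); err != nil {
		return "", 0, err
	}
	if early := time.Unix(c.Nbf, 0).Sub(now); c.Nbf != 0 && early > leeway {
		return "not valid yet", early, nil // validator clock is behind the issuer
	}
	if late := now.Sub(time.Unix(c.Exp, 0)); c.Exp != 0 && late > leeway {
		return "expired", late, nil
	}
	return "ok", 0, nil
}

// sampleToken builds a constructed, unsigned token ("e30" is base64url for "{}").
func sampleToken(c timeClaims) string {
	p, _ := json.Marshal(c)
	return "e30." + base64.RawURLEncoding.EncodeToString(p) + ".sig"
}

func main() {
	tok := sampleToken(timeClaims{Nbf: 1715106416, Exp: 1715110016}) // constructed values
	fmt.Println(CheckSkew(tok, time.Unix(1715106416-90, 0), 0))      // validator clock 90 s behind issuer
}
```

A "not valid yet" verdict with an offset of seconds or minutes points at an unsynchronized system clock on the validating host or the identity provider rather than at the token itself.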

WhyAydan commented 1 month ago

@mlsmaycon I shall give it a go. What method do you use for Docker? Been a while since I time synced them but I recall it being something like this?

volumes:
 - /etc/localtime:/etc/localtime:ro

UPDATE:

Mounted the volume and set the env for all containers to be TZ=Europe/London

WhyAydan commented 1 month ago

That's been resolved, but now the logs are getting the following

management-1  | 2024-05-07T19:18:15Z INFO management/server/account.go:1411: cache invalid. Users unknown to the cache: 1
management-1  | 2024-05-07T19:18:15Z INFO management/server/account.go:1372: refreshing cache for account cot70csrfpec73emggs0
management-1  | 2024-05-07T19:18:15Z WARN management/server/account.go:1245: user 266096520175157251 not found in IDP

mlsmaycon commented 1 month ago

@WhyAydan regarding the time, usually synchronizing the host's time is enough.

The error means that there is no user in Zitadel with the same ID, 266096520175157251. Is this a fresh installation?

WhyAydan commented 1 month ago

Hello, Zitadel isn't a fresh install, no. However, NetBird is :)