We are using an application that is throwing the following error when we try to access the page from within our internal network:
Uncaught (in promise) Error: Not Before time (nbf) claim in the ID token indicates that this token can’t be used just yet. Currrent time (Thu Nov 03 2022 13:54:22 GMT-0400 (Eastern Daylight Time)) is before Thu Nov 03 2022 13:54:58 GMT-0400 (Eastern Daylight Time)
When we use an external network, we can access the page without an issue. Any idea what could be causing this on our internal network? Thank you!
This can only lead to wild guessing, but to me it looks like you are using an API which needs a token for access. The token seems to be built on a server with a different timezone, and so the comparison throws this error.
Was thinking the same thing regarding timezone, but why do you think it works on systems outside of my network? The systems on the external network are in the same timezone as the systems on my internal network.
Whatever is creating the token (this code, from a quick google scan, is from a JWT verifier) is putting a value into the “nbf” field of the token that is about half a minute ahead of your local system clock (or at least, the clock on the verifying system), which is causing the error. You might need to sync your systems’ clocks, or else recode whatever is creating the JWT to return an earlier not-before time.
Exactly what I thought too, but how is it possible that the token is created on a different server than the one which is verifying it? What is the sense of a token not created by the server which is requesting it for access?
Well, if it’s a single server doing the encoding/decoding, it either expects the operation requested to take 40-ish seconds and is using the NBF as a “don’t throttle the system with checks against this operation”, or has been coded incorrectly in its encoding of the token.
For shiggles, I had a poke around this codebase. They accounted for this possibility. There is a configuration option “leeway” in their code that allows for clock skew. If you set that higher (120 for 2 minutes?) it should fix the problem… (interestingly, the default for this should be 60 seconds, so someone’s configured it downward…)
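The not-before check with a clock-skew leeway discussed in this thread, as an added example that is not part of any post above and is not the library's own code. The function names are hypothetical, the token is constructed (unsigned placeholder signature), and the two timestamps are the ones from the error message.

```javascript
// Added illustration: makeToken, decodePayload and checkNotBefore are hypothetical names.

// Build a constructed token (placeholder signature) so the example runs offline.
function makeToken(payload) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${b64({ alg: 'RS256', typ: 'JWT' })}.${b64(payload)}.constructed-signature`;
}

// Decode the payload segment WITHOUT verifying the signature.
// Useful for diagnosing clock skew; never use unverified claims for access decisions.
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// nbf is a NumericDate (seconds since the epoch, RFC 7519).
// The token is accepted when the verifier clock plus the leeway has reached nbf.
// aheadBySec reports how far nbf lies in the verifier's future, so it can be logged.
function checkNotBefore(claims, nowMs, leewaySec) {
  if (claims.nbf === undefined) return { ok: true, aheadBySec: 0 };
  if (!Number.isFinite(claims.nbf)) throw new Error('nbf must be a number');
  const nowSec = Math.floor(nowMs / 1000);
  const aheadBySec = claims.nbf - nowSec;
  return { ok: aheadBySec <= leewaySec, aheadBySec: Math.max(aheadBySec, 0) };
}

// Times from the error message, converted from GMT-0400 to UTC.
const verifierNowMs = Date.UTC(2022, 10, 3, 17, 54, 22); // 13:54:22 local
const nbfSec = Date.UTC(2022, 10, 3, 17, 54, 58) / 1000; // 13:54:58 local
const token = makeToken({ sub: 'constructed-user', nbf: nbfSec });

for (const leeway of [0, 30, 60]) {
  const r = checkNotBefore(decodePayload(token), verifierNowMs, leeway);
  console.log(`leeway=${leeway}s nbf ahead by ${r.aheadBySec}s accepted=${r.ok}`);
}
```

Logging `aheadBySec` on the failing hosts shows whether the offset is constant, which points at the verifying machine's clock rather than at the token issuer.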