Token used before issued

[dkhachyan]

Hi!
Clock skew causes an error:

API: AssumeRoleWithWebIdentity()
Time: 06:44:14 UTC 08/31/2021
DeploymentID: eddabc74-3092-482d-af2c-8911ddc0b6d6
RequestID: 16A0511DEEF49C40
RemoteHost: 10.253.50.235
Host: tenant1-pool-0-2.tenant1-hl.minio.svc.cluster.local:9000
UserAgent: Go-http-client/1.1
Error: Token used before issued (*jwt.ValidationError)
       4: cmd/sts-errors.go:58:cmd.writeSTSErrorResponse()
       3: cmd/sts-handlers.go:345:cmd.(*stsAPIHandlers).AssumeRoleWithSSO()
       2: cmd/sts-handlers.go:510:cmd.(*stsAPIHandlers).AssumeRoleWithWebIdentity()
       1: net/http/server.go:2049:http.HandlerFunc.ServeHTTP()

jwt-go module does not support clock tolerance dgrijalva/jwt-go#383

It might be a good idea to add clock tolerance for a few seconds?

Workaround:
golang-jwt/jwt#98

[harshavardhana]

You need to fix your NTP settings @dkhachyan

[dkhachyan]

I agree that NTP is the best solution and we use it. But even kerberos allows clock tolerance up to 5 min.

[harshavardhana]

I agree that NTP is the best solution and we use it. But even kerberos allows clock tolerance up to 5 min.

We do not support that sorry for the JWT tokens here, we expect that you have NTP everywhere configured. We may add tolerance in the future.

[dkhachyan]

Ок, thx!

[dvaldivia]

Fixed in the latest release minio/minio:RELEASE.2021-11-05T09-16-26Z