After successfully configuring OpenID authentication in Spotfire Server, the login attempt may fail with the message "Could not Log In" appearing in the browser.
The following error may be seen in the Spotfire server.log:
Caused by: com.nimbusds.jwt.proc.BadJWTException: JWT before use time
at com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier.verify(DefaultJWTClaimsVerifier.java:304) ~[nimbus-jose-jwt.jar:8.2.1]
at com.spotfire.server.security.auth.oidc.TokenEndpointResponse$IdTokenClaimsVerifier.verify(TokenEndpointResponse.java:259) ~[spotfire-server.jar:?]
at com.nimbusds.jwt.proc.DefaultJWTProcessor.verifyClaims(DefaultJWTProcessor.java:295) ~[nimbus-jose-jwt.jar:8.2.1]
at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:400) ~[nimbus-jose-jwt.jar:8.2.1]
at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:330) ~[nimbus-jose-jwt.jar:8.2.1]
at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:321) ~[nimbus-jose-jwt.jar:8.2.1]
at com.spotfire.server.security.auth.oidc.TokenEndpointResponse.validateIdToken(TokenEndpointResponse.java:204) ~[spotfire-server.jar:?]
The error is caused by the system clock on the Spotfire Server being out of sync with that of the OpenID provider: the ID token's not-before (nbf) claim lies in the future relative to the Spotfire Server's clock, so the token verifier rejects it. Clocks must be in sync because these time-claim checks exist to prevent token replay.
To resolve the issue, adjust the Spotfire Server system clock so it is accurate for its time zone. The better solution is to ensure the Spotfire Server is synchronised with an NTP service.
The following script snippet, run from an elevated command prompt on a Windows Server, will ensure Windows is being synchronised with an external NTP service (adjust to use an appropriate server IP or hostname):
net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:"129.6.15.28" /reliable:yes
net start w32time
w32tm /config /update
w32tm /resync
For a Linux Spotfire Server, install and set up an NTP client (e.g. chrony).
It is possible (but not recommended) to increase the tolerated clock skew by using the following config command, e.g. to set the maximum clock skew to 30 seconds:
config set-config-prop --name="security.oidc.max-clock-skew-seconds" --value="30"
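To show why the error appears and what the skew tolerance changes, here is an added, constructed illustration of the exp/nbf time-claim checks (not Spotfire's or Nimbus's code): an ID token issued by a provider whose clock is 90 seconds ahead of the Spotfire Server is rejected with "JWT before use time" unless the tolerance exceeds the offset. The token, issuer URL and clock values are constructed for the demo.

```python
import base64
import json

# Constructed illustration of the ID-token time-claim checks behind
# "JWT before use time". Not Spotfire's or Nimbus's implementation.

def decode_claims(id_token: str) -> dict:
    """Return the claims (second segment) of a compact JWT without
    verifying the signature; use only to diagnose time-claim issues."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_time_claims(claims: dict, now: int, max_skew: int = 0) -> list:
    """Mirror the standard exp/nbf checks. 'now' is the verifying server's
    clock in epoch seconds; max_skew is the tolerance in seconds (the role of
    security.oidc.max-clock-skew-seconds). Returns failure messages, empty when valid."""
    errors = []
    exp = claims.get("exp")
    nbf = claims.get("nbf")
    if exp is not None and exp + max_skew < now:
        errors.append("Expired JWT")
    if nbf is not None and nbf - max_skew > now:
        errors.append("JWT before use time")
    return errors

def _segment(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    """Build an unsigned, constructed JWT (header.payload.) for the demo only."""
    return f"{_segment({'alg': 'none'})}.{_segment(claims)}."

def demo() -> dict:
    idp_now = 1_700_000_000                        # the OpenID provider's clock
    token = make_token({"iss": "https://idp.example", "iat": idp_now,
                        "nbf": idp_now, "exp": idp_now + 300})
    claims = decode_claims(token)
    server_now = idp_now - 90                      # Spotfire Server clock 90 s behind
    return {
        "skewed_no_tolerance": check_time_claims(claims, server_now, 0),
        "skewed_30s": check_time_claims(claims, server_now, 30),
        "skewed_120s": check_time_claims(claims, server_now, 120),
        "in_sync": check_time_claims(claims, idp_now, 0),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result or 'OK'}")
```

Raising the tolerance only hides the symptom; the 90-second offset in the demo still passes once the skew exceeds it, which is why fixing the clock is preferred.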
Please contact Revvity Signals Support if the issue persists.