SSO login with Authentik fails: invalid jwt token, token used before issued #2283

Open
opened 2025-11-20 07:07:03 -05:00 by saavagebueno · 12 comments

Originally created by @biliblihuorong on GitHub (Sep 15, 2025).

Description:
When trying to integrate NetBird with Authentik as the OIDC provider, the login flow fails with an invalid JWT error.

Steps to reproduce:

Configure NetBird with Authentik as the OIDC provider.

Run:

netbird up --management-url https://vpn..

Try to log in using the provided SSO device URL.

Expected behavior:
Successful login and registration of the client.

Actual behavior (logs):

shell ❯❯ netbird up --management-url https://vpn..
Please do the SSO login in your browser.
If your browser didn't open automatically, use this URL to log in:

https://sso../application/o/authorize/?audience=&client_id=&code_challenge=&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A53000&response_type=code&scope=openid+profile+email+offline_access+api&state=

Error: daemon up failed: sso login failed: waiting sso login failed with: rpc error: code = InvalidArgument desc = invalid jwt token, err: token could not be parsed: token has invalid claims: token used before issued

Device login example:

Please do the SSO login in your browser.
If your browser didn't open automatically, use this URL to log in:

https://sso../device?code=******

Environment:

NetBird version: 0.57.0

Authentik version: 2025.6.3

Deployment method: docker-compose

Notes:

Using Authentik v2025.6.3, login works fine in the web dashboard, but client login (netbird up) fails with JWT claim validation (token used before issued).

System time on both server and Authentik is synchronized (NTP enabled).

It seems that the JWT generated by Authentik has a nbf (not before) or iat claim mismatch, which causes NetBird to reject it.

Might be related to clock skew or strict claim validation.

saavagebueno added the triage-needed label 2025-11-20 07:07:03 -05:00

@tugdualenligne commented on GitHub (Sep 27, 2025):

I’m affected by the same issue. Let us know ideas to overcome this. I’ve added TZ instructions to my docker-compose, but it didn’t help.


@biliblihuorong commented on GitHub (Sep 27, 2025):

> I’m affected by the same issue. Let us know ideas to overcome this. I’ve added TZ instructions to my docker-compose, but it didn’t help
I'm not entirely sure what the issue is. Try installing the Docker client; it might resolve the problem. Since I reported this issue, other machines have been functioning normally. However, I forgot to deactivate the device upon expiration, and upon reauthorizing, I still occasionally encounter this issue.


@tugdualenligne commented on GitHub (Sep 28, 2025):

Sorry biliblihuorong, I’m not sure I understood your message. Are you saying I should install the Netbird client in a Docker image and that could correct my issue?
Not sure there is a relation. Got the impression this is an Authentik issue.

I opened a ticket on their side. Thanks


@biliblihuorong commented on GitHub (Sep 28, 2025):

Yes, you can try installing the Netbird client using Docker. That might resolve the issue. At least one of my servers had this issue, and this is how I resolved it.

> Sorry biliblihuorong, I’m not sure I understood your message. Are you saying I should install the Netbird client in a Docker image and that could correct my issue?
> Not sure there is a relation. Got the impression this is an Authentik issue.
>
> I opened a ticket on their side. Thanks


@tugdualenligne commented on GitHub (Sep 28, 2025):

Effectively I can connect to Netbird a Docker container with the Netbird client. However, that doesn't change anything: I can't connect a peer using Authentik SSO.


@tugdualenligne commented on GitHub (Sep 29, 2025):

And when trying to add a new peer from my Macbook, I get this error message:
"management/server/store/sql_store.go:2791: grpc context ended early, error: context canceled"

I must confess I'm totally lost. I've got 50+ containers working nicely on my machine, but this Netbird resists quite strongly... ;-)


@tugdualenligne commented on GitHub (Oct 7, 2025):

Hi there,

I suspect my issue is related to a time difference between Authentik and Netbird. I’m surprised nobody reports this issue, except the user above.

I have checked on my two servers that NTP works and time is consistent.

However, I noticed in the Docker console of my Netbird containers that the time is two hours behind (it is UTC while it should be CEST).
I tried TZ=Europe/Paris in the docker compose of my NB containers, and while it works in my 50+ other containers, it seems to have no effect on my Netbird containers.
If anyone has an idea how to correct this…
Thx!


@guyaevans commented on GitHub (Oct 7, 2025):

I have the same issue; however, I have the same time between my netbird containers and authentik containers.

Netbird

root@d99345e065e0:/# date
Tue Oct  7 19:24:30 UTC 2025

Authentik

authentik@9a4ccb49f7da:/$ date
Tue Oct  7 19:24:50 UTC 2025

@tugdualenligne commented on GitHub (Oct 7, 2025):

You’re right, I just managed to force time alignment between Netbird and Authentik and I still have the issue.
Honestly this is driving me crazy.
Any help appreciated, thx!

I'm still getting this error message:
2025-10-07T22:03:25+02:00 WARN [context: GRPC, requestID: 6e480fa3-0918-4bf4-be94-117f2855a57d, accountID: UNKNOWN, peerID: yT2XohuHGhoH3io/7+PfAMYOgrbPcAP9qf2V7Cc7uhM=] management/server/grpcserver.go:612: failed validating JWT token sent from peer yT2XohuHGhoH3io/7+PfAMYOgrbPcAP9qf2V7Cc7uhM= with error rpc error: code = InvalidArgument desc = invalid jwt token, err: token could not be parsed: token has invalid claims: token used before issued. Trying again as it may be due to the IdP cache issue


@tugdualenligne commented on GitHub (Oct 11, 2025):

The solution I just found after many, many different trials: on my side it is an issue with time sync which was not good enough. I know the error message gave a good indication, but I thought I had harmonised time between my systems; it wasn't precise enough.
On Debian and Ubuntu servers (i.e. your Authentik host or Docker host) you need to install ntpsec and restart its service. This force-synchronises time and, tada, it works! At last!
Between the difficulties with Traefik, and the documentation which is not fully aligned between Netbird and Authentik, it took me two weeks of trial and error.
Many thanks for what seems a great tool. Will play with it now that I have both normal peers (setup key) and peers authenticated through my IDP (Authentik).

EDIT: also, the TZ=Europe/Paris does not work for me in the NB containers. You have to add these volumes for each container:
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro


@guyaevans commented on GitHub (Oct 17, 2025):

Installing ntpsec and mapping the volumes did actually work!


@nonanonymousanon commented on GitHub (Oct 23, 2025):

While it is not ideal, there is also a setting in Zitadel for "ClockSkew", and increasing this to 1 second did work for me, whereas adding the volumes below did not.

  • /etc/timezone:/etc/timezone:ro
  • /etc/localtime:/etc/localtime:ro

Edit: I am still experiencing this issue.

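The "token used before issued" error quoted throughout this thread is the `iat` check: the validating side rejects a token whose `iat` lies in its own future. JWT time claims are Unix epoch seconds, so a container's time zone (TZ, /etc/localtime) never enters the comparison; only the real offset between the issuer's clock and the validator's clock does, and because `iat` is truncated to whole seconds an issuer that is only a few hundred milliseconds ahead can already produce a rejected token. The Go program below is an added example written for this page, not NetBird, Authentik or Zitadel code. It models the `exp`/`nbf`/`iat` checks with a symmetric leeway of the kind a "ClockSkew" setting provides, and reproduces a 0.4 s issuer-ahead skew that is rejected with zero leeway and accepted with one second. The function names (`ValidateTimeClaims`, `DecodeTimeClaims`, `BuildUnsignedExample`, `Demo`), the fixed timestamps and the token fixture are all constructed for the example; the fixture is unsigned, and signature verification, which must happen before any claim is trusted, is deliberately out of scope here.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Error values whose wording follows the messages quoted in this issue;
// the checks that raise them are this example's own logic.
var (
	ErrUsedBeforeIssued = errors.New("token used before issued")
	ErrNotValidYet      = errors.New("token is not valid yet")
	ErrExpired          = errors.New("token is expired")
	ErrMalformed        = errors.New("token is malformed")
)

// TimeClaims holds the registered time claims (RFC 7519 sections 4.1.4-4.1.6).
// All three are Unix epoch seconds, so host time zones play no part in them.
type TimeClaims struct {
	Iat int64 `json:"iat,omitempty"`
	Nbf int64 `json:"nbf,omitempty"`
	Exp int64 `json:"exp,omitempty"`
}

// ValidateTimeClaims applies the exp, nbf and iat checks against the
// validator's clock "now", tolerating clock offset up to "leeway" in both
// directions. A zero leeway is the strict behaviour that trips on sub-second skew.
func ValidateTimeClaims(c TimeClaims, now time.Time, leeway time.Duration) error {
	if c.Exp != 0 && !now.Before(time.Unix(c.Exp, 0).Add(leeway)) {
		return ErrExpired
	}
	if c.Nbf != 0 && now.Before(time.Unix(c.Nbf, 0).Add(-leeway)) {
		return ErrNotValidYet
	}
	if c.Iat != 0 && now.Before(time.Unix(c.Iat, 0).Add(-leeway)) {
		return ErrUsedBeforeIssued
	}
	return nil
}

// DecodeTimeClaims extracts the time claims from the payload segment of a
// compact JWS (header.payload.signature). It does NOT verify the signature;
// use it only to inspect a token you have already authenticated, or for diagnosis.
func DecodeTimeClaims(token string) (TimeClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return TimeClaims{}, ErrMalformed
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return TimeClaims{}, ErrMalformed
	}
	var c TimeClaims
	if err := json.Unmarshal(raw, &c); err != nil {
		return TimeClaims{}, ErrMalformed
	}
	return c, nil
}

// BuildUnsignedExample builds a constructed fixture in compact JWS layout with
// an empty signature segment. It is test data for this example, not a token any
// verifier should accept.
func BuildUnsignedExample(c TimeClaims) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	payload, _ := json.Marshal(c) // TimeClaims always marshals
	return header + "." + base64.RawURLEncoding.EncodeToString(payload) + "."
}

// Demo reproduces the situation in the thread: the issuer's clock is 0.4 s
// ahead of the validator's. It returns the strict result and the result with
// one second of leeway.
func Demo() (strict error, withLeeway error) {
	// Constructed timestamps (same minute as the "date" output in the thread).
	validatorNow := time.Date(2025, 10, 7, 19, 24, 30, 800_000_000, time.UTC)
	issuerNow := validatorNow.Add(400 * time.Millisecond) // lands in the next whole second
	claims := TimeClaims{
		Iat: issuerNow.Unix(),
		Exp: issuerNow.Add(5 * time.Minute).Unix(),
	}
	parsed, err := DecodeTimeClaims(BuildUnsignedExample(claims))
	if err != nil {
		return err, err
	}
	return ValidateTimeClaims(parsed, validatorNow, 0),
		ValidateTimeClaims(parsed, validatorNow, time.Second)
}

func main() {
	strict, lenient := Demo()
	fmt.Println("leeway 0s :", strict)  // token used before issued
	fmt.Println("leeway 1s :", lenient) // <nil>
}
```

Run it with `go run`. The point the output makes is that both hosts can show the same wall-clock second in `date` and still disagree by enough to put `iat` one second into the validator's future; disciplining both clocks with NTP (as the thread's ntpsec fix does) removes the offset, while a one-second leeway merely tolerates it.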
Reference: SVI/netbird#2283