Posted to user@guacamole.apache.org by Tom Schoonjans <to...@me.com.INVALID> on 2021/02/02 10:24:09 UTC

Invalid OpenID token

Hi,


Our OIDC provider decreased the id_token lifespan to 24 hours and now I am stuck in a loop after logging in.

The logs show the following (redacted):

Rejected invalid OpenID token: JWT (claims->{"at_hash":"my-hash","aud":"my-aud","sub":"my-sub","auth_time":1612024732,"iss":"my-oidc","exp":1612112000,"given_name":"my-name","iat":1612025600,"nonce":"some-nonce","family_name":"my-family-name","jti":"my-jti"}) rejected due to invalid claims. Additional details: [The Expiration Time (exp=NumericDate{1612112000 -> Jan 31, 2021 4:53:20 PM UTC}) claim value cannot be more than 300 minutes in the future relative to the evaluation time NumericDate{1612025601 -> Jan 30, 2021 4:53:21 PM UTC} (even when providing 30 seconds of leeway to account for clock skew).]

I am running Guacamole 1.2.0.

Any thoughts on what is going on and how I can fix this? 

Thanks in advance!

Tom


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org


Re: Invalid OpenID token

Posted by Tim Worcester <ti...@gmail.com>.
Could this be related to the default value of 300 seconds for token
validity?

https://guacamole.apache.org/doc/gug/openid-auth.html#idm46227495608768:~:text=openid%2Dmax%2Dtoken%2Dvalidity

I would try bumping that value up to match your Identity Provider's settings.

On Tue, Feb 2, 2021 at 5:24 AM Tom Schoonjans <to...@me.com.invalid>
wrote:

> Hi,
>
>
> Our OIDC provider decreased the id_token lifespan to 24 hours and now I am
> stuck in a loop after logging in.
>
> The logs show the following (redacted):
>
> Rejected invalid OpenID token: JWT
> (claims->{"at_hash":"my-hash","aud":"my-aud","sub":"my-sub","auth_time":1612024732,"iss":"my-oidc","exp":1612112000,"given_name":"my-name","iat":1612025600,"nonce":"some-nonce","family_name":"my-family-name","jti":"my-jti"})
> rejected due to invalid claims. Additional details: [The Expiration Time
> (exp=NumericDate{1612112000 -> Jan 31, 2021 4:53:20 PM UTC}) claim value
> cannot be more than 300 minutes in the future relative to the evaluation
> time NumericDate{1612025601 -> Jan 30, 2021 4:53:21 PM UTC} (even when
> providing 30 seconds of leeway to account for clock skew).]
>
> I am running Guacamole 1.2.0.
>
> Any thoughts on what is going on and how I can fix this?
>
> Thanks in advance!
>
> Tom
>
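
Added example (not part of the thread and not Guacamole's own code): a small diagnostic that decodes an id_token's payload, applies the "exp cannot be more than N minutes in the future" rule as the log message words it, and reports the smallest limit that would accept the token. The 300-minute limit, the 30-second leeway and the iat/exp values come from the log above; the sample token is constructed, the function names are hypothetical, and it is assumed that openid-max-token-validity is expressed in minutes like the limit in the log.

```python
import base64
import json
import math

LEEWAY_SECONDS = 30   # clock-skew leeway quoted in the log message
LIMIT_MINUTES = 300   # maximum future validity quoted in the log message


def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample: iat/exp are the values from the log; the rest are placeholders.
SAMPLE_CLAIMS = {"iss": "my-oidc", "aud": "my-aud", "sub": "my-sub",
                 "iat": 1612025600, "exp": 1612112000}
SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                         _b64url(SAMPLE_CLAIMS),
                         "constructed-placeholder-signature"])


def jwt_claims(token):
    """Decode a compact JWT's payload for inspection only (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token, now, limit_minutes=LIMIT_MINUTES, leeway=LEEWAY_SECONDS):
    """Apply the 'exp not more than N minutes ahead' rule as the log words it."""
    claims = jwt_claims(token)
    remaining = claims["exp"] - now            # seconds until expiry at evaluation
    lifetime = claims["exp"] - claims["iat"]   # worst case: evaluated at issuance
    return {
        "accepted": remaining - leeway <= limit_minutes * 60,
        "remaining_minutes": round(remaining / 60, 1),
        "min_limit_minutes": max(0, math.ceil((lifetime - leeway) / 60)),
    }


if __name__ == "__main__":
    # Evaluation time taken from the log: one second after iat.
    print(diagnose(SAMPLE_TOKEN, now=1612025601))
```

The decode step skips signature verification on purpose, so it is suitable only for inspecting a token you already hold while troubleshooting, never for making an authentication decision.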