Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

az login fail: The ID token is not yet valid. #20934

Closed
mkkee opened this issue Jan 8, 2022 · 11 comments
Closed

az login fail: The ID token is not yet valid. #20934

mkkee opened this issue Jan 8, 2022 · 11 comments
Assignees
@jiasli
Labels
Account az login/account customer-reported Issues that are reported by GitHub users external to the Azure organization.
Milestone
Backlog

Comments

@mkkee
Copy link

mkkee commented Jan 8, 2022

This is autogenerated. Please review and update as needed.

Describe the bug

getting this error when trying to log in form Powershell:
"0. The ID token is not yet valid. Current epoch = 1641641034. The id_token was: {"
this was working fine yesterday and started to fail today after restart.

Command Name
az login

Errors:

Failed to connect to MSI. Please make sure MSI is configured correctly and check the network connection.
Error detail: HTTPConnectionPool(host='169.254.169.254', port=80): Max retries exceeded with url: /metadata/identity/oauth2/token?resource=https%3A%2F%2Fmanagement.core.windows.net%2F&api-version=2018-02-01 (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x04E5E838>: Failed to establish a new connection: [WinError 10051] A socket operation was attempted to an unreachable network'))

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

  • Put any pre-requisite steps here...
  • az login --identity

Expected Behavior

Environment Summary

Windows-10-10.0.19041-SP0
Python 3.8.9
Installer: MSI

azure-cli 2.30.0 *

Additional Context
@ghost ghost added needs-triage This is a new issue that needs to be triaged to the appropriate team. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that customer-reported Issues that are reported by GitHub users external to the Azure organization. labels Jan 8, 2022
@yonzhan yonzhan added the Account az login/account label Jan 8, 2022
@ghost ghost removed the needs-triage This is a new issue that needs to be triaged to the appropriate team. label Jan 8, 2022
@yonzhan yonzhan removed the question The issue doesn't require a change to the product in order to be resolved. Most issues start as that label Jan 8, 2022
@yonzhan yonzhan added this to the Backlog milestone Jan 8, 2022
@yonzhan
Copy link
Collaborator

yonzhan commented Jan 8, 2022

@jiasli for awareness

@jiasli jiasli changed the title az login fail az login fail: The ID token is not yet valid. Jan 10, 2022
@jiasli
Copy link
Member

jiasli commented Jan 10, 2022

Could be related to #20388

However,

  • 0. The ID token is not yet valid. is from MSAL
  • Failed to connect to MSI. Please make sure MSI is configured correctly and check the network connection. is for managed identity.

Which error is the one you see?

@mkkee
Copy link
Author

mkkee commented Jan 10, 2022

I was using my Windows 10 home pc and powershell for couple of days to connect. This happened only once, I restarted the PC and then tried to connect back to Azure but could not. I was doing that many times in the same way without issues.

I opened the powershell, typed "az login" this triggered the browser to load ms page to login in, I logged in web page showed the sucess and then after few seconds powershell reported the error instead standard success message.

@jiasli
Copy link
Member

jiasli commented Jan 11, 2022

Please see #20388 and check if your computer's time is synchronized.

az login --identity is for managed identity and should not be used on a local computer.

@mkkee
Copy link
Author

mkkee commented Jan 11, 2022

I did check the time as a first thing but it was correct down to second. Actually I submitted the issue after few minutes when all possible solutions did not work.
Epoch in the error shows:
Saturday, January 8, 2022 12:23:54 PM GMT+01:00

Isse was reported at:
Saturday, January 8, 2022 12:30:00 PM GMT+01:00

I did not use "az login --identify" just typed "az login"

@jiasli
Copy link
Member

jiasli commented Jan 12, 2022

Isse was reported at:
Saturday, January 8, 2022 12:30:00 PM GMT+01:00

I am afraid this is not true. 😅 The issue was created at

image

@mkkee
Copy link
Author

mkkee commented Jan 12, 2022

You are right my mistake :) but my point is that I really checked the time as first possible problem and it was correct. I wonder if there is anything that can be added in the error message that will help debug i tin the future. If server side rejects this because of the wrong time then report both serer time and token time stamp so that both are reportable and visible that may help in the future.

@jiasli
Copy link
Member

jiasli commented Jan 13, 2022

I think the error message was already pretty clear - it contains the time on the machine (Current epoch = 1641641034) and the nbf (not before) claim.

If server side rejects this because of the wrong time then report both serer time and token time stamp so that both are reportable and visible that may help in the future.

The ID token is not rejected by the service side, but by local client MSAL. MSAL has refined the error message in AzureAD/microsoft-authentication-library-for-python#449. It will suggest the user to check the computer's time.

@mkkee
Copy link
Author

mkkee commented Jan 13, 2022

Clear, I thin I will close the issue then. Cannot replicate it, happened once, most likely it was some time sync issue, after few hours it was working ok. Unless you tell me differently I will close tomorrow.

@jiasli
Copy link
Member

jiasli commented Jan 14, 2022

@mkkee, thanks for the confirmation. If this issue happens again, please let us know.

@jiasli jiasli closed this as completed Jan 14, 2022
@ivarprudnikov
Copy link
Member

Just happened to me, sudo hwclock -s did the trick. There is a whole discussion on SO (https://stackoverflow.com/questions/65086856/wsl2-clock-is-out-of-sync-with-windows)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jiasli jiasli

Labels
Account az login/account customer-reported Issues that are reported by GitHub users external to the Azure organization.
Projects
None yet
Milestone
Backlog
Development

No branches or pull requests
4 participants
@ivarprudnikov @jiasli @mkkee @yonzhan