User is unable to authenticate to the vSphere Supervisor via Pinniped


Article ID: 439988


Updated On:

Products

VCF Automation

Issue/Introduction

- OIDC authentication is integrated with the Supervisor provided by VCFA.

- Authentication fails with "invalid ID token" and "oidc: token is expired" errors during the callback handling phase.

Error: could not complete Pinniped login: error handling callback: received invalid ID token: oidc: token is expired (Token Expiry: xxxx-xx-xx <timestamp>)

pinniped-auth login failed: exit status 1

- The same error appears in the Supervisor kube-apiserver log:

"Unable to authenticate the request" err="[invalid bearer token, oidc: verify token: oidc: token is expired (Token Expiry: xxxx-xx-xx <timestamp>)]"

Environment

VMware Cloud Foundation Automation 9.0.x

Resolution

- Validate Time Synchronization:
Ensure the clocks on the Supervisor Control Plane VM, vCenter, VCFA, and the client desktop match the Identity Provider.
 
- Re-initialize Authentication Context:
Use the VCF CLI to re-initialize the authentication context. You can find detailed instructions in the following documentation: https://techdocs.broadcom.com/us/en/vmware-cis/vcf/vsphere-supervisor-services-and-standalone-components/latest/understanding-authorization-in-supervisor.html
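
To support the time synchronization check in the first resolution step, the following added example (not Broadcom or Pinniped code) compares an ID token's `iat` and `exp` claims with the local clock to tell a stale token from clock skew. It assumes the ID token is a compact JWT; the helper names and the unsigned sample token are constructed for illustration.

```python
import base64
import json
import time

def decode_claims(jwt):
    """Decode the JWT payload WITHOUT verifying the signature (diagnosis only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if "iat" not in claims or "exp" not in claims:
        raise ValueError("token has no iat/exp claims")
    return claims

def diagnose(jwt, now=None):
    """Return (status, seconds) for the token as seen by a clock reading `now`."""
    claims = decode_claims(jwt)
    now = time.time() if now is None else now
    iat, exp = claims["iat"], claims["exp"]
    if now < iat:
        # Issued "in the future": this clock is behind the issuer.
        return ("clock_behind", int(iat - now))
    if now >= exp:
        # RFC 7519: a token must not be accepted on or after exp. If the token
        # was issued moments ago, this clock is ahead of the issuer.
        return ("expired", int(now - exp))
    return ("valid", int(exp - now))

def make_sample_token(iat, lifetime):
    """Constructed, unsigned sample token (hypothetical values, demo only)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}),
                     enc({"iat": iat, "exp": iat + lifetime}), "sig"])

if __name__ == "__main__":
    issued = 1_700_000_000                 # constructed issue time (epoch seconds)
    token = make_sample_token(issued, 300)  # constructed 5-minute lifetime
    for label, clock in [("in sync", issued + 5),
                         ("10 min ahead", issued + 600),
                         ("2 min behind", issued - 120)]:
        print(f"{label:>13}: {diagnose(token, now=clock)}")
```

An `expired` result for a token that was issued seconds earlier indicates that the machine running the check is ahead of the Identity Provider rather than that the token is stale.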