We have an issue where we get an "Expired token" error on one of our routers. The message shown in the router logs is:
{"file":"github.com/openziti/ziti/router/xgress_edge/hosted.go:472","func":"github.com/openziti/ziti/router/xgress_edge.(*hostedServiceRegistry).Remove","level":"info","msg":"terminator removed from router set","reason":"token has invalid claims: token is expired","terminatorId":"2cuBOXBDQeMw1gM22tXIi3","time":"2025-09-25T14:15:13.459Z"}
While on the controller side:
[223654.135] ERROR ziti/controller/handler_edge_ctrl.(*createTerminatorV2Handler).returnError [ch{qdkdOhm.xz}->u{classic}->i{qdkdOhm.xz/0pmV}]: {error=[token has invalid claims: token is expired] routerId=[qdkdOhm.xz] terminatorId=[1WdL82MOySXf7BOgauCWy3]} responded with error
[223654.903] ERROR ziti/controller/handler_edge_ctrl.(*createTerminatorV2Handler).returnError [ch{qdkdOhm.xz}->u{classic}->i{qdkdOhm.xz/0pmV}]: {error=[token has invalid claims: token is expired] routerId=[qdkdOhm.xz] terminatorId=[LuccXiXHMny9tQCEoaWOK]} responded with error
[223655.444] ERROR ziti/controller/handler_edge_ctrl.(*createTerminatorV2Handler).returnError [ch{qdkdOhm.xz}->u{classic}->i{qdkdOhm.xz/0pmV}]: {error=[token has invalid claims: token is expired] routerId=[qdkdOhm.xz] terminatorId=[3ErYHKVOJHcEbQUfXGXSGD]} responded with error
[223655.590] ERROR ziti/controller/handler_edge_ctrl.(*createTerminatorV2Handler).returnError [ch{qdkdOhm.xz}->u{classic}->i{qdkdOhm.xz/0pmV}]: {terminatorId=[4Uz0f2J1srDpI5euWUJNjP] routerId=[qdkdOhm.xz] error=[token has invalid claims: token is expired]} responded with erro
We are not sure why this would happen, but a restart usually fixes it.
Can you provide the version and describe how long it takes for this to occur? Can you also provide an example of your controller edge.oidc configuration? If all of your controllers have the same edge.oidc config, provide one or describe the differences.
Example edge.oidc block:

```yaml
edge:
  #...
  oidc:
    # (optional, default 30m) Sets the time OIDC issued access JWTs are valid for. Must be greater than 1m and must be 1m less
    # than `refreshTokenDuration`
    accessTokenDuration: 30m
    # (optional, default 30m) Sets the time OIDC issued id JWTs are valid for. Must be greater than 1m.
    idTokenDuration: 30m
    # (optional, default 24hr)
    refreshTokenDuration: 24h
```
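The durations above, as an added example that is not part of this thread and not ziti's own code: a small Python helper that parses the Go-style duration strings the YAML uses, checks an edge.oidc block against the constraints stated in the comments (both lifetimes greater than 1m, and the access lifetime at least 1m shorter than the refresh lifetime, which is how I read "must be 1m less than"), and decodes a JWT payload without verifying it so you can read `iat`/`exp` and compare the token's actual lifetime with the configured one whenever a "token is expired" line shows up. The function names, the sample config, the issuer URL and the unsigned sample token are all constructed for this example.

```python
import base64
import json
import re
import time

# Go-style duration strings as ziti's YAML uses them ("30m", "24h", "1h30m").
# Assumption: only the h/m/s/ms units are needed for these settings.
_DURATION_RE = re.compile(r"(\d+(?:\.\d+)?)(ms|h|m|s)")
_UNIT_SECONDS = {"h": 3600.0, "m": 60.0, "s": 1.0, "ms": 0.001}
ONE_MINUTE = 60.0

# Defaults quoted in the config comments above (constructed mapping, not read from ziti).
DEFAULTS = {"accessTokenDuration": "30m", "idTokenDuration": "30m", "refreshTokenDuration": "24h"}


def parse_duration(text):
    """Return the number of seconds in a Go-style duration string such as '1h30m'."""
    text = text.strip()
    pos, total = 0, 0.0
    for match in _DURATION_RE.finditer(text):
        if match.start() != pos:  # junk between components, e.g. "30 m"
            raise ValueError(f"unparseable duration: {text!r}")
        total += float(match.group(1)) * _UNIT_SECONDS[match.group(2)]
        pos = match.end()
    if pos == 0 or pos != len(text):  # empty, or trailing junk such as "24hr"
        raise ValueError(f"unparseable duration: {text!r}")
    return total


def check_oidc_config(oidc):
    """Return the constraint violations for an edge.oidc block; an empty list means it is consistent."""
    cfg = {**DEFAULTS, **oidc}
    access = parse_duration(cfg["accessTokenDuration"])
    id_tok = parse_duration(cfg["idTokenDuration"])
    refresh = parse_duration(cfg["refreshTokenDuration"])
    problems = []
    if access <= ONE_MINUTE:
        problems.append("accessTokenDuration must be greater than 1m")
    if id_tok <= ONE_MINUTE:
        problems.append("idTokenDuration must be greater than 1m")
    if access + ONE_MINUTE > refresh:
        problems.append("accessTokenDuration must be at least 1m less than refreshTokenDuration")
    return problems


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_expiry_status(token, now=None):
    """Read a JWT's time claims WITHOUT verifying the signature (diagnostics only, never authorization)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    claims = json.loads(_b64url_decode(parts[1]))
    exp, iat = claims.get("exp"), claims.get("iat")
    if exp is None:
        raise ValueError("token has no exp claim")
    return {
        "issuer": claims.get("iss"),
        "audience": claims.get("aud"),
        "issued_at": iat,
        "expires_at": exp,
        "lifetime_seconds": None if iat is None else exp - iat,
        "seconds_remaining": exp - now,
        "expired": now >= exp,  # same condition the 'token is expired' validator reports
    }


def make_unsigned_jwt(claims):
    """Constructed sample for this example only: alg=none, no signature. Not a usable credential."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    print("thread config:", check_oidc_config(
        {"accessTokenDuration": "30m", "idTokenDuration": "30m", "refreshTokenDuration": "24h"}) or "ok")
    # Misconfiguration: access lifetime equal to refresh lifetime leaves no window to refresh.
    print("bad config:   ", check_oidc_config({"accessTokenDuration": "24h", "refreshTokenDuration": "24h"}))
    # Constructed token: issued at the router log timestamp (2025-09-25T14:15:13Z), 30m lifetime,
    # inspected 45 minutes later, i.e. 15 minutes after it expired.
    issued = 1758809713
    tok = make_unsigned_jwt({"iss": "https://ctrl.example.internal/oidc", "iat": issued, "exp": issued + 1800})
    print(jwt_expiry_status(tok, now=issued + 2700))
```

The decoder deliberately skips signature verification because its only job is to let you compare `exp - iat` against `accessTokenDuration`; do not reuse it anywhere a verified token is required. A lifetime that does not match the configured value is a quick way to tell whether the expired token in a log line was minted by the controller or by the external IdP.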
Hey, I'm also experiencing similar logs, but it's coming from a different module if I'm not mistaken. My users said that they often had to reauthenticate using the "ext jwt login". (I'm using Microsoft Entra.) @andrew.martinez Can you please explain what the purpose of the parameters you provided is? The reason I'm asking: as I understand it, the expirations of the tokens are set by the IdP, so how come we set these in ziti? Is that a way to tell ziti when to refresh the tokens, or, when authenticating with an external JWT, does ziti create its own tokens and use them further on?
When I saw your comment yesterday I tried setting the access and id token duration to 4h as an experiment, and the messages below started to get less common; it's visible on the chart I'm providing. Thanks for your answer in advance!
{"authMethod":"ext-jwt","error":"jwt failed to parse: token has invalid claims: token is expired","expectedAudience":"","file":"github.com/openziti/ziti/controller/model/authenticator_mod_ext_jwt.go:88","func":"github.com/openziti/ziti/controller/model.(*candidateResult).LogResult","issuer":"","level":"error","msg":"failed to validate candidate JWT at index 0","time":"2025-09-27T07:05:00.749Z","tokenAudiences":""}