Periodic AppRole tokens can be considered expired by the UI while still valid #5390

Closed
Ubeek opened this issue Sep 25, 2018 · 1 comment · Fixed by #5435

Ubeek commented Sep 25, 2018

Describe the bug

Periodic AppRole tokens can be considered expired by the UI while still able to renew themselves and access secrets.

To Reproduce
Scripted - https://gist.github.com/Ubeek/88334ce6cf4486cdfa48eb1fcd700b61

Manual steps to reproduce the behavior:

  1. Launch dev vault server
  2. Enable approle auth
  3. Create a policy granting read/write to an arbitrary path (e.g. secret/approle_test) and populate it with a secret
  4. Create an approle with a token TTL and period of 60 seconds, and a Max Token TTL of 0
  5. Attach the above policy to the approle
  6. Log in with the AppRole
  7. Renew the approle every 30 seconds for 2 minutes
  8. Attempt to read the arbitrary secret from above; this should work
  9. Attempt to log in to the Vault UI; this should present an error stating 'Your auth token expired on <DATETIME>. You will need to re-authenticate.'

Expected behavior

It is expected that if the token is valid for use on the CLI or via API, it would also be valid for use with the UI.

Environment:

  • Vault Server Version (retrieve with vault status): 0.10.3 - 0.11.1
  • Vault CLI Version (retrieve with vault version): 0.10.3 - 0.11.1
  • Server Operating System/Architecture: CentOS 7 64bit, Ubuntu 16.04 & Windows 10
@chrishoffman chrishoffman added this to the 0.11.2 milestone Sep 26, 2018
@meirish meirish added the ui label Sep 27, 2018
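
The timeline in the reproduction steps above, as an added example that is not part of the original report and is not Vault or Vault UI code. It is a constructed model of a periodic token with the report's values (60-second TTL and period, renewal every 30 seconds for 2 minutes), and `cached_expiry_valid` is a hypothetical client check assumed for illustration only; the page does not state the actual cause in the UI.

```python
# Added illustration: constructed model, not Vault or Vault UI code.
from dataclasses import dataclass

PERIOD = 60          # token TTL and period from step 4 (seconds)
RENEW_EVERY = 30     # renewal interval from step 7 (seconds)
RENEW_FOR = 120      # total renewal window from step 7 (seconds)


@dataclass
class PeriodicToken:
    """Server-side view of a periodic token with Max Token TTL 0."""
    issued_at: int
    period: int
    expires_at: int = 0

    def __post_init__(self):
        self.expires_at = self.issued_at + self.period

    def renew(self, now: int) -> bool:
        # A renewal only succeeds while the token is still live; it then
        # resets the remaining TTL to the full period.
        if now >= self.expires_at:
            return False
        self.expires_at = now + self.period
        return True

    def valid(self, now: int) -> bool:
        return now < self.expires_at


def cached_expiry_valid(issued_at: int, ttl: int, now: int) -> bool:
    """Hypothetical client check: expiry computed once as issue time + TTL."""
    return now < issued_at + ttl


def run_scenario() -> dict:
    """Steps 6-9: log in at t=0, renew every 30s for 2 minutes, then check."""
    token = PeriodicToken(issued_at=0, period=PERIOD)
    renewals = [token.renew(t)
                for t in range(RENEW_EVERY, RENEW_FOR + 1, RENEW_EVERY)]
    now = RENEW_FOR
    return {
        "renewals_ok": all(renewals),
        "server_valid": token.valid(now),
        "server_expires_at": token.expires_at,
        "cached_valid": cached_expiry_valid(0, PERIOD, now),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Any client that needs to show or enforce token expiry for periodic tokens should read the current expiry from the server after each renewal rather than rely on a value captured at login.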
Contributor

meirish commented Oct 1, 2018

Thanks for the very thorough report and the reproduction script! That made it really easy to troubleshoot and fix. We'll have the fix out for this soon!
