<div dir="ltr"><div>Looks like you are missing the username field in the JWT token: <a href="https://github.com/SchedMD/slurm/blob/slurm-22-05-8-1/src/plugins/auth/jwt/auth_jwt.c#L419">https://github.com/SchedMD/slurm/blob/slurm-22-05-8-1/src/plugins/auth/jwt/auth_jwt.c#L419</a></div><div>You have to make sure that your JWT token contains the SLURM username as an attribute (<a href="https://slurm.schedmd.com/jwt.html#compatibility">https://slurm.schedmd.com/jwt.html#compatibility</a>). <br></div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Mar 24, 2023 at 4:40 PM Laurence Field <<a href="mailto:laurence.field@cern.ch">laurence.field@cern.ch</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>Hi,<br>
</p>
<p>After verifying the JWT and JWKS with some Python code, it
magically seems to work. At least the error has changed to <i>auth_p_verify:
jwt_get_grant failure. </i>This suggests I need to update
something in the authorization policy. Will do that now but if
anyone has done this before and can give me some hints, they would
be most welcome. <br>
</p>
<p>Cheers, <br>
</p>
<p>Laurence<br>
</p>
<div>On 24.03.23 10:41, Laurence Field
wrote:<br>
</div>
<blockquote type="cite">
<p>Hi Ümit,</p>
<p>Thanks for your reply. We are using Keycloak and the JWKS does
contain this parameter. I will continue to debug but any
suggestions would be greatly appreciated. <br>
</p>
<p>Cheers, <br>
</p>
<p>Laurence<br>
</p>
<div>On 23.03.23 11:42, Ümit Seren wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">If you use AzureAD as your identity provider
beware that their JWKS json doesn't contain the alg parameter.
<div>We opened an issue: <a href="https://bugs.schedmd.com/show_bug.cgi?id=16168" target="_blank">https://bugs.schedmd.com/show_bug.cgi?id=16168</a>
and it is confirmed.</div>
<div>As a workaround you can use this jq query to add the alg
to the jwks json that you get from AzureAD: </div>
<div><code>curl -s <a href="https://login.microsoftonline.com/TENANT/discovery/v2.0/keys" target="_blank">https://login.microsoftonline.com/TENANT/discovery/v2.0/keys</a>
| jq '.keys |= map(.alg="RS256")' > $TMPFILE<br>
</code><br>
Hope this helps</div>
<div>Best</div>
<div>Ümit</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, Mar 23, 2023 at
11:26 AM Laurence <<a href="mailto:laurence.field@cern.ch" target="_blank">laurence.field@cern.ch</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>Hi,</p>
<p>I am trying to configure SLURM to use external
authentication for JWT as described in the
documentation. <br>
</p>
<p><a href="https://slurm.schedmd.com/jwt.html" target="_blank">https://slurm.schedmd.com/jwt.html</a></p>
<p>JWT Authentication worked when I tested the setup for
standalone use but am having difficulty with tokens from
our oauth provider. <br>
</p>
<p>My first question is has anyone successfully done this?
My second question is on the example code to verify the
jwt key. Is the example up to date as it doesn't work
for me. The final question is does anyone have any
suggestions on the concrete error reported in the
slurmctld log.<br>
</p>
<p><i>slurmctld: error: failed to verify jwt, rc=22</i><i><br>
</i><i>slurmctld: error: could not find matching kid or
decode failed</i></p>
<p>Thanks,</p>
<p>Laurence<br>
</p>
</div>
</blockquote>
</div>
</blockquote>
</blockquote>
</div>
</blockquote></div>