<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<p>Coming back to this, it is failing again and I don't know why.<br>
</p>
<p><i>slurmctld: error: failed to verify jwt, rc=22</i><i><br>
</i><i>slurmctld: error: could not find matching kid or decode
failed</i></p>
<p>The kids seem to match, and the Python code I have verifies the JWT
with the JWKS. Does anyone have any ideas on what the issue might
be? The JWKS can be found at the following URL.<br>
</p>
<p><a class="moz-txt-link-freetext" href="https://auth.cern.ch/auth/realms/cern/protocol/openid-connect/certs">https://auth.cern.ch/auth/realms/cern/protocol/openid-connect/certs</a>
<br>
</p>
<p>Cheers, <br>
</p>
<p>Laurence<br>
</p>
<div class="moz-cite-prefix">On 27/03/2023 11:07, Laurence Field
wrote:<br>
</div>
<blockquote type="cite" cite="mid:d2d6c4a9-aaac-865b-7e78-3da7764be2f3@cern.ch">
<p>Hi Ümit, <br>
</p>
<p>Thanks for the reply. Yes, it looks like this is the issue.
Although the master branch suggests that the claim_field
can also be used, this is not in the version we have
deployed. <br>
</p>
<p>Cheers, <br>
</p>
<p>Laurence<br>
</p>
<div class="moz-cite-prefix">On 24.03.23 16:51, Ümit Seren wrote:<br>
</div>
<blockquote type="cite" cite="mid:CANBYW4Dnn7q9H=v26TT9HqVa_pC4JnGuJ0PSMt0C7rdhFa-mLw@mail.gmail.com">
<div dir="ltr">
<div>Looks like you are missing the username field in the JWT
token: <a href="https://github.com/SchedMD/slurm/blob/slurm-22-05-8-1/src/plugins/auth/jwt/auth_jwt.c#L419" moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/SchedMD/slurm/blob/slurm-22-05-8-1/src/plugins/auth/jwt/auth_jwt.c#L419</a></div>
<div>You have to make sure that your JWT token contains the
SLURM username as an attribute (<a href="https://slurm.schedmd.com/jwt.html#compatibility" moz-do-not-send="true" class="moz-txt-link-freetext">https://slurm.schedmd.com/jwt.html#compatibility</a>). <br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Fri, Mar 24, 2023 at
4:40 PM Laurence Field <<a href="mailto:laurence.field@cern.ch" moz-do-not-send="true" class="moz-txt-link-freetext">laurence.field@cern.ch</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div>
<p>Hi,<br>
</p>
<p>After verifying the JWT and JWKS with some Python code,
it magically seems to work. At least the error has
changed to <i>auth_p_verify: jwt_get_grant failure. </i>This
suggests I need to update something in the authorization
policy. Will do that now but if anyone has done this
before and can give me some hints, they would be most
welcome. <br>
</p>
<p>Cheers, <br>
</p>
<p>Laurence<br>
</p>
<div>On 24.03.23 10:41, Laurence Field wrote:<br>
</div>
<blockquote type="cite">
<p>Hi Ümit,</p>
<p>Thanks for your reply. We are using Keycloak and the
JWKS does contain this parameter. I will continue to
debug but any suggestions would be greatly
appreciated. <br>
</p>
<p>Cheers, <br>
</p>
<p>Laurence<br>
</p>
<div>On 23.03.23 11:42, Ümit Seren wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">If you use AzureAD as your identity
provider, beware that their JWKS JSON doesn't contain
the alg parameter.
<div>We opened an issue: <a href="https://bugs.schedmd.com/show_bug.cgi?id=16168" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">https://bugs.schedmd.com/show_bug.cgi?id=16168</a>
and it is confirmed.</div>
<div>As a workaround you can use this jq query to
add the alg to the jwks json that you get from
AzureAD: </div>
<div><code>curl -s <a href="https://login.microsoftonline.com/TENANT/discovery/v2.0/keys" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">https://login.microsoftonline.com/TENANT/discovery/v2.0/keys</a>
| jq '.keys |= map(.alg="RS256")' > $TMPFILE<br>
</code><br>
Hope this helps</div>
<div>Best</div>
<div>Ümit</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, Mar 23,
2023 at 11:26 AM Laurence <<a href="mailto:laurence.field@cern.ch" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">laurence.field@cern.ch</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px
0px 0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div>
<p>Hi,</p>
<p>I am trying to configure SLURM to use
external authentication for JWT as described
in the documentation. <br>
</p>
<p><a href="https://slurm.schedmd.com/jwt.html" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">https://slurm.schedmd.com/jwt.html</a></p>
<p>JWT authentication worked when I tested the
setup for standalone use, but I am having
difficulty with tokens from our OAuth
provider. <br>
</p>
<p>My first question is: has anyone successfully
done this? My second question is on the
example code to verify the JWT key. Is the
example up to date, as it doesn't work for me?
The final question is: does anyone have any
suggestions on the concrete error reported in
the slurmctld log?<br>
</p>
<p><i>slurmctld: error: failed to verify jwt,
rc=22</i><i><br>
</i><i>slurmctld: error: could not find
matching kid or decode failed</i></p>
<p>Thanks,</p>
<p>Laurence<br>
</p>
</div>
</blockquote>
</div>
</blockquote>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</blockquote>
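<p>The two errors in this thread come from lookups slurmctld's auth/jwt plugin performs before it can verify a signature: the token header's kid must match a JWKS key that carries an alg member (the AzureAD case), and the payload must carry the username claim (the jwt_get_grant failure). The following is an added example, not code from Slurm or from anyone on this thread. It uses only the Python standard library to run those checks offline against a constructed JWKS and token, and applies the same fix as Ümit's jq one-liner. The claim name defaults to "sun", the claim Slurm's own tokens use for the user name; if your deployed version reads a different field, pass it as user_claim. Signature verification is deliberately not done here (that needs a crypto library such as PyJWT with cryptography), and the key material is placeholder text, not real keys.</p>

```python
"""Pre-flight checks for a JWT against a JWKS, mirroring the lookups
slurmctld's auth/jwt plugin makes before signature verification.

Added example, not Slurm's own code. Signature verification is NOT
performed here; only the structural lookups are checked.
"""
import base64
import json
import time

# Constructed sample JWKS (not a real key set). The first key mimics an
# AzureAD-style entry that carries no "alg" member, which Slurm requires.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "use": "sig", "kid": "azure-key-1",
         "n": "not-a-real-modulus", "e": "AQAB"},
        {"kty": "RSA", "use": "sig", "kid": "keycloak-key-1", "alg": "RS256",
         "n": "not-a-real-modulus", "e": "AQAB"},
    ]
}


def b64url_decode(s: str) -> bytes:
    """Base64url decode without requiring padding (JWT segments omit it)."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_unsigned_jwt(header: dict, payload: dict) -> str:
    """Build a token with a placeholder signature, for offline testing only.
    It has the shape slurmctld parses but would fail signature verification."""
    segs = [b64url_encode(json.dumps(x, separators=(",", ":")).encode())
            for x in (header, payload)]
    return ".".join(segs + [b64url_encode(b"\x00" * 32)])


def jwt_parts(token: str):
    """Return (header, payload) as dicts; raises ValueError if not a JWT."""
    segs = token.split(".")
    if len(segs) != 3:
        raise ValueError("expected header.payload.signature")
    return tuple(json.loads(b64url_decode(s)) for s in segs[:2])


def add_missing_alg(jwks: dict, alg: str = "RS256") -> dict:
    """Python equivalent of the jq workaround from this thread,
    jq '.keys |= map(.alg="RS256")', except that keys which already
    carry an alg are left alone. Returns a new dict."""
    fixed = json.loads(json.dumps(jwks))  # deep copy
    for key in fixed.get("keys", []):
        key.setdefault("alg", alg)
    return fixed


def check_token(token: str, jwks: dict, user_claim: str = "sun") -> list:
    """Return a list of problems; an empty list means the kid lookup, the
    alg check and the username-claim lookup would all succeed."""
    problems = []
    try:
        header, payload = jwt_parts(token)
    except ValueError as exc:  # covers base64 and JSON decode errors too
        return [f"decode failed: {exc}"]
    kid = header.get("kid")
    key = next((k for k in jwks.get("keys", []) if k.get("kid") == kid), None)
    if key is None:
        problems.append(f"could not find matching kid {kid!r} in JWKS")
    else:
        if "alg" not in key:
            problems.append(f"JWKS key {kid!r} has no 'alg' member; slurmctld rejects it")
        elif key["alg"] != header.get("alg"):
            problems.append(f"token alg {header.get('alg')!r} != key alg {key['alg']!r}")
    if user_claim not in payload:
        problems.append(f"payload has no {user_claim!r} claim; jwt_get_grant will fail")
    exp = payload.get("exp")
    if isinstance(exp, (int, float)) and time.time() > exp:
        problems.append("token expired")
    return problems


if __name__ == "__main__":
    # Constructed token: kid points at the AzureAD-style key, far-future exp.
    token = make_unsigned_jwt({"alg": "RS256", "typ": "JWT", "kid": "azure-key-1"},
                              {"sun": "laurence", "exp": 4102444800})
    print("before fix:", check_token(token, SAMPLE_JWKS))
    print("after fix: ", check_token(token, add_missing_alg(SAMPLE_JWKS)))
```

<p>To use it on a real token, replace the constructed values with the JWKS fetched from your provider's certs URL and a token from your provider, and run check_token before pointing slurmctld at the file; a non-empty result names the lookup that slurmctld's log message hides behind "could not find matching kid or decode failed" or "jwt_get_grant failure".</p>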
</body>
</html>