[slurm-users] External Authentication Integration with JWKS and RS256 Tokens

Laurence Field laurence.field at cern.ch
Fri Mar 24 09:41:08 UTC 2023

Hi Ümit,

Thanks for your reply. We are using Keycloak and the JWKS does contain 
this parameter. I will continue to debug but any suggestions would be 
greatly appreciated.



On 23.03.23 11:42, Ümit Seren wrote:
> If you use AzureAD as your identity provider beware that their JWKS 
> json doesn't contain the alg parameter.
> We opened an issue: https://bugs.schedmd.com/show_bug.cgi?id=16168 and 
> it is confirmed.
> As a workaround you can use this jq query to add the alg to the jwks 
> json that you get from AzureAD:
> |curl -s https://login.microsoftonline.com/TENANT/discovery/v2.0/keys 
> | jq '.keys |= map(.alg="RS256")' > $TMPFILE
> |
> Hope this helps
> Best
> Ümit
> On Thu, Mar 23, 2023 at 11:26 AM Laurence <laurence.field at cern.ch> wrote:
>     Hi,
>     I am trying to configure SLURM to use external authentication for
>     JWT as described in the documentation.
>     https://slurm.schedmd.com/jwt.html
>     JWT Authentication worked when I tested the setup for standalone
>     use but am having difficulty with tokens from our oauth provider.
>     My first question is has anyone successfully done this? My second
>     question is on the example code to verify the jwt key. Is the
>     example up to date as it doesn't work for me. The final question
>     is does anyone have any suggestions on the concrete error reported
>     in the slurmctld log.
>     /slurmctld: error: failed to verify jwt, rc=22//
>     //slurmctld: error: could not find matching kid or decode failed/
>     Thanks,
>     Laurence
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.schedmd.com/pipermail/slurm-users/attachments/20230324/78c16f34/attachment.htm>

More information about the slurm-users mailing list