[slurm-users] External Authentication Integration with JWKS and RS256 Tokens

Laurence Field laurence.field at cern.ch
Fri Mar 24 15:37:50 UTC 2023


After verifying the JWT and JWKS with some Python code, it magically 
seems to work. At least the error has changed to /auth_p_verify: 
jwt_get_grant failure/. This suggests I need to update something in the 
authorization policy. Will do that now but if anyone has done this 
before and can give me some hints, they would be most welcome.



On 24.03.23 10:41, Laurence Field wrote:
> Hi Ümit,
> Thanks for your reply. We are using Keycloak and the JWKS does contain 
> this parameter. I will continue to debug but any suggestions would be 
> greatly appreciated.
> Cheers,
> Laurence
> On 23.03.23 11:42, Ümit Seren wrote:
>> If you use AzureAD as your identity provider beware that their JWKS 
>> json doesn't contain the alg parameter.
>> We opened an issue: https://bugs.schedmd.com/show_bug.cgi?id=16168 
>> and it is confirmed.
>> As a workaround you can use this jq query to add the alg to the jwks 
>> json that you get from AzureAD:
>> curl -s https://login.microsoftonline.com/TENANT/discovery/v2.0/keys | jq '.keys |= map(.alg="RS256")' > $TMPFILE
>> Hope this helps
>> Best
>> Ümit
>> On Thu, Mar 23, 2023 at 11:26 AM Laurence <laurence.field at cern.ch> wrote:
>>     Hi,
>>     I am trying to configure SLURM to use external authentication for
>>     JWT as described in the documentation.
>>     https://slurm.schedmd.com/jwt.html
>>     JWT Authentication worked when I tested the setup for standalone
>>     use but am having difficulty with tokens from our oauth provider.
>>     My first question is has anyone successfully done this? My second
>>     question is on the example code to verify the jwt key. Is the
>>     example up to date as it doesn't work for me. The final question
>>     is does anyone have any suggestions on the concrete error
>>     reported in the slurmctld log.
>>     slurmctld: error: failed to verify jwt, rc=22
>>     slurmctld: error: could not find matching kid or decode failed
>>     Thanks,
>>     Laurence
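
A diagnostic for the two failure causes raised in this thread (no JWKS key matching the token's kid, and a JWKS key without the alg parameter), added here as an example and not code from the thread or from Slurm. It inspects only the token header and the JWKS and does not verify the signature; the function names, sample token and key values are constructed for illustration.

```python
import base64
import json


def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a Python object."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def diagnose(token, jwks):
    """Return findings that explain why a kid/alg-based key lookup would fail."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part compact JWS"]
    try:
        header = b64url_json(parts[0])
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        return [f"header does not decode: {exc}"]
    if not isinstance(header, dict) or header.get("kid") is None:
        return ["token header has no kid"]
    kid, alg = header["kid"], header.get("alg")
    findings = []
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if not matches:
        findings.append(f"no JWKS key with kid={kid!r}")
    for key in matches:
        if "alg" not in key:
            findings.append(f"JWKS key {kid!r} has no alg parameter")
        elif key["alg"] != alg:
            findings.append(f"alg mismatch: token {alg!r}, key {key['alg']!r}")
        if key.get("kty") != "RSA" or not {"n", "e"} <= key.keys():
            findings.append(f"JWKS key {kid!r} is not a complete RSA key")
    return findings


def add_missing_alg(jwks, alg="RS256"):
    """Like the jq workaround above, but leaves keys that already carry alg untouched."""
    return {**jwks, "keys": [{"alg": alg, **k} for k in jwks.get("keys", [])]}


# Constructed sample data: placeholder modulus and signature, never verified here.
def _enc(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "key-1", "n": "AQAB", "e": "AQAB"}]}
SAMPLE_TOKEN = ".".join([_enc({"alg": "RS256", "kid": "key-1"}), _enc({"sub": "user"}), "c2ln"])

if __name__ == "__main__":
    print(diagnose(SAMPLE_TOKEN, SAMPLE_JWKS))
    print(diagnose(SAMPLE_TOKEN, add_missing_alg(SAMPLE_JWKS)))
```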