[slurm-users] External Authentication Integration with JWKS and RS256 Tokens

Ümit Seren uemit.seren at gmail.com
Fri Mar 24 15:51:36 UTC 2023


Looks like you are missing the username field in the JWT token:
https://github.com/SchedMD/slurm/blob/slurm-22-05-8-1/src/plugins/auth/jwt/auth_jwt.c#L419
You have to make sure that your JWT token contains the SLURM username as an
attribute (https://slurm.schedmd.com/jwt.html#compatibility).



On Fri, Mar 24, 2023 at 4:40 PM Laurence Field <laurence.field at cern.ch>
wrote:

> Hi,
>
> After verifying the JWT and JWKS with some Python code, it magically seems
> to work. At least the error has changed to *auth_p_verify: jwt_get_grant
> failure*. This suggests I need to update something in the authorization
> policy. Will do that now but if anyone has done this before and can give me
> some hints, they would be most welcome.
>
> Cheers,
>
> Laurence
> On 24.03.23 10:41, Laurence Field wrote:
>
> Hi Ümit,
>
> Thanks for your reply. We are using Keycloak and the JWKS does contain
> this parameter. I will continue to debug but any suggestions would be
> greatly appreciated.
>
> Cheers,
>
> Laurence
> On 23.03.23 11:42, Ümit Seren wrote:
>
> If you use AzureAD as your identity provider beware that their JWKS json
> doesn't contain the alg parameter.
> We opened an issue: https://bugs.schedmd.com/show_bug.cgi?id=16168 and it
> is confirmed.
> As a workaround you can use this jq query to add the alg to the jwks json
> that you get from AzureAD:
> curl -s https://login.microsoftonline.com/TENANT/discovery/v2.0/keys | jq '.keys |= map(.alg="RS256")' > $TMPFILE
>
> Hope this helps
> Best
> Ümit
>
> On Thu, Mar 23, 2023 at 11:26 AM Laurence <laurence.field at cern.ch> wrote:
>
>> Hi,
>>
>> I am trying to configure SLURM to use external authentication for JWT as
>> described in the documentation.
>>
>> https://slurm.schedmd.com/jwt.html
>>
>> JWT Authentication worked when I tested the setup for standalone use but
>> am having difficulty with tokens from our oauth provider.
>>
>> My first question is has anyone successfully done this? My second
>> question is on the example code to verify the jwt key. Is the example up to
>> date as it doesn't work for me. The final question is does anyone have any
>> suggestions on the concrete error reported in the slurmctld log.
>>
>> *slurmctld: error: failed to verify jwt, rc=22*
>> *slurmctld: error: could not find matching kid or decode failed*
>>
>> Thanks,
>>
>> Laurence
>>
>
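
A preflight check for the two problems discussed in this thread (a JWKS key without alg, and a token without the username claim), as an added example that is not part of the original messages or of Slurm's code. It only inspects structure and does not verify the signature. The claim name "sun", the function names and the sample token and JWKS are assumptions constructed for illustration; pass the claim your site is configured to use.

```python
import base64
import json

def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def preflight(token, jwks, user_claim="sun"):
    """List structural problems of the kinds discussed in the thread.

    The signature is NOT verified. user_claim is an assumption: set it to
    the claim your slurmctld is configured to read the username from.
    """
    try:
        header_seg, payload_seg, _sig = token.split(".")
        header, payload = b64url_json(header_seg), b64url_json(payload_seg)
    except ValueError as exc:  # wrong segment count, bad base64, bad JSON
        return [f"token does not decode as a JWT: {exc}"]
    problems = []
    kid = header.get("kid")
    key = next((k for k in jwks.get("keys", []) if k.get("kid") == kid), None)
    if kid is None:
        problems.append("token header has no kid")
    elif key is None:
        problems.append(f"kid {kid!r} not present in JWKS")
    elif "alg" not in key:
        problems.append(f"JWKS key {kid!r} has no alg (the AzureAD case)")
    if not payload.get(user_claim):
        problems.append(f"payload has no {user_claim!r} claim")
    return problems

def make_token(header, payload):
    """Constructed, unsigned sample token; the signature part is a dummy."""
    def seg(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg(header)}.{seg(payload)}.c2ln"

if __name__ == "__main__":
    # Constructed sample data: a JWKS key lacking alg and a token whose
    # payload carries the IdP's username claim but not the one checked.
    jwks = {"keys": [{"kid": "demo-key-1", "kty": "RSA"}]}
    token = make_token({"alg": "RS256", "kid": "demo-key-1"},
                       {"preferred_username": "alice"})
    for problem in preflight(token, jwks):
        print("problem:", problem)
```
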