[slurm-users] External Authentication Integration with JWKS and RS256 Tokens

Laurence Field laurence.field at cern.ch
Mon Mar 27 09:07:14 UTC 2023

Hi Ümit,

Thanks for the reply. Yes, it looks like this is the issue. Although 
from the master branch it suggests that the claim_field can also be used 
but this is not in the version we have deployed.



On 24.03.23 16:51, Ümit Seren wrote:
> Looks like you are missing the username field in the JWT token: 
> https://github.com/SchedMD/slurm/blob/slurm-22-05-8-1/src/plugins/auth/jwt/auth_jwt.c#L419
> You have to make sure that your JWT token contains the SLURM username 
> as an attribute (https://slurm.schedmd.com/jwt.html#compatibility).
> On Fri, Mar 24, 2023 at 4:40 PM Laurence Field 
> <laurence.field at cern.ch> wrote:
>     Hi,
>     After verifying the JWT and JWKS with some Python code, it
>     magically seems to work. At least the error has changed to
>     auth_p_verify: jwt_get_grant failure. This suggests I need to
>     update something in the authorization policy. Will do that now but
>     if anyone has done this before and can give me some hints, they
>     would be most welcome.
>     Cheers,
>     Laurence
>     On 24.03.23 10:41, Laurence Field wrote:
>>     Hi Ümit,
>>     Thanks for your reply. We are using Keycloak and the JWKS does
>>     contain this parameter. I will continue to debug but any
>>     suggestions would be greatly appreciated.
>>     Cheers,
>>     Laurence
>>     On 23.03.23 11:42, Ümit Seren wrote:
>>>     If you use AzureAD as your identity provider beware that their
>>>     JWKS json doesn't contain the alg parameter.
>>>     We opened an issue:
>>>     https://bugs.schedmd.com/show_bug.cgi?id=16168 and it is confirmed.
>>>     As a workaround you can use this jq query to add the alg to the
>>>     jwks json that you get from AzureAD:
>>>     curl -s https://login.microsoftonline.com/TENANT/discovery/v2.0/keys |
>>>         jq '.keys |= map(.alg="RS256")' > $TMPFILE
>>>     Hope this helps
>>>     Best
>>>     Ümit
>>>     On Thu, Mar 23, 2023 at 11:26 AM Laurence
>>>     <laurence.field at cern.ch> wrote:
>>>         Hi,
>>>         I am trying to configure SLURM to use external
>>>         authentication for JWT as described in the documentation.
>>>         https://slurm.schedmd.com/jwt.html
>>>         JWT Authentication worked when I tested the setup for
>>>         standalone use but am having difficulty with tokens from our
>>>         oauth provider.
>>>         My first question is has anyone successfully done this? My
>>>         second question is on the example code to verify the jwt
>>>         key. Is the example up to date as it doesn't work for me.
>>>         The final question is does anyone have any suggestions on
>>>         the concrete error reported in the slurmctld log.
>>>         slurmctld: error: failed to verify jwt, rc=22
>>>         slurmctld: error: could not find matching kid or decode failed
>>>         Thanks,
>>>         Laurence
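
A structural pre-check for the three failure points raised in this thread (token kid not found in the JWKS, JWKS key without alg, token without a Slurm username claim), as an added example that is not part of the original messages or of Slurm. It assumes the username claim names `sun` and `username` from the linked compatibility notes; `preflight`, `sample_token` and the sample key and token are constructed for illustration, and the signature is not verified.

```python
import base64
import json

# Assumption: claim names taken from the Slurm JWT compatibility notes.
USER_CLAIMS = ("sun", "username")

def _decode(segment):
    """Decode one base64url JWT segment (padding restored) to a dict."""
    obj = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj

def preflight(token, jwks):
    """Return structural problems found; [] means none. Signature is NOT verified."""
    try:
        head, body, _sig = token.split(".")
        header, claims = _decode(head), _decode(body)
    except ValueError:  # wrong part count, bad base64, bad JSON
        return ["token is not a three-part JWT with JSON header and payload"]
    problems = []
    if header.get("alg") != "RS256":
        problems.append(f"header alg is {header.get('alg')!r}, expected 'RS256'")
    kid = header.get("kid")
    if kid is None:
        problems.append("header has no kid to select a JWKS key")
    else:
        matches = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
        if not matches:
            problems.append(f"no JWKS key with kid {kid!r}")
        elif any("alg" not in k for k in matches):
            problems.append(f"JWKS key {kid!r} has no alg parameter")
    if not any(isinstance(claims.get(c), str) and claims[c] for c in USER_CLAIMS):
        problems.append("payload has no username claim: " + " or ".join(USER_CLAIMS))
    problems += [f"payload is missing {c}" for c in ("iat", "exp") if c not in claims]
    return problems

def sample_token(header, claims):
    """Build an unsigned, constructed test token (placeholder signature)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.c2ln"

if __name__ == "__main__":
    # Constructed sample: key without alg, token without a username claim.
    jwks = {"keys": [{"kty": "RSA", "kid": "example-key-1", "n": "AA", "e": "AQAB"}]}
    tok = sample_token({"alg": "RS256", "kid": "example-key-1"},
                       {"iat": 1679900000, "exp": 1679903600, "preferred_username": "alice"})
    for p in preflight(tok, jwks):
        print("PROBLEM:", p)
```

An empty result only means the token and JWKS are shaped the way the checks expect; slurmctld still has to verify the RS256 signature against the matching key.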