[slurm-users] External Authentication Integration with JWKS and RS256 Tokens

Mon Mar 27 09:07:14 UTC 2023

Hi Ümit,

Thanks for the reply. Yes, it looks like this is the issue. Although 
from the master branch it suggests that the claim_field can also be used 
but this is not in the version we have deployed.

Cheers,

Laurence

On 24.03.23 16:51, Ümit Seren wrote:
> Looks like you are missing the username field in the JWT token: 
> https://github.com/SchedMD/slurm/blob/slurm-22-05-8-1/src/plugins/auth/jwt/auth_jwt.c#L419
> You have to make sure that your JWT token contains the SLURM username 
> as an attribute (https://slurm.schedmd.com/jwt.html#compatibility).
>
>
>
> On Fri, Mar 24, 2023 at 4:40 PM Laurence Field 
> <laurence.field at cern.ch> wrote:
>
>     Hi,
>
>     After verifying the JWT and JWKS with some Python code, it
>     magically seems to work. At least the error has changed to
>     /auth_p_verify: jwt_get_grant failure. /This suggests I need to
>     update something in the authorization policy. Will do that now but
>     if anyone has done this before and can give me some hints, they
>     would be most welcome.
>
>     Cheers,
>
>     Laurence
>
>     On 24.03.23 10:41, Laurence Field wrote:
>>
>>     Hi Ümit,
>>
>>     Thanks for your reply. We are using Keycloak and the JWKS does
>>     contain this parameter. I will continue to debug but any
>>     suggestions would be greatly appreciated.
>>
>>     Cheers,
>>
>>     Laurence
>>
>>     On 23.03.23 11:42, Ümit Seren wrote:
>>>     If you use AzureAD as your identity provider beware that their
>>>     JWKS json doesn't contain the alg parameter.
>>>     We opened an issue:
>>>     https://bugs.schedmd.com/show_bug.cgi?id=16168 and it is confirmed.
>>>     As a workaround you can use this jq query to add the alg to the
>>>     jwks json that you get from AzureAD:
>>>     |curl -s
>>>     https://login.microsoftonline.com/TENANT/discovery/v2.0/keys |
>>>     jq '.keys |= map(.alg="RS256")' > $TMPFILE
>>>     |
>>>     Hope this helps
>>>     Best
>>>     Ümit
>>>
>>>     On Thu, Mar 23, 2023 at 11:26 AM Laurence
>>>     <laurence.field at cern.ch> wrote:
>>>
>>>         Hi,
>>>
>>>         I am trying to configure SLURM to use external
>>>         authentication for JWT as described in the documentation.
>>>
>>>         https://slurm.schedmd.com/jwt.html
>>>
>>>         JWT Authentication worked when I tested the setup for
>>>         standalone use but am having difficulty with tokens from our
>>>         oauth provider.
>>>
>>>         My first question is has anyone successfully done this? My
>>>         second question is on the example code to verify the jwt
>>>         key. Is the example up to date as it doesn't work for me.
>>>         The final question is does anyone have any suggestions on
>>>         the concrete error reported in the slurmctld log.
>>>
>>>         /slurmctld: error: failed to verify jwt, rc=22//
>>>         //slurmctld: error: could not find matching kid or decode
>>>         failed/
>>>
>>>         Thanks,
>>>
>>>         Laurence
>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.schedmd.com/pipermail/slurm-users/attachments/20230327/71b3965a/attachment-0001.htm>