[slurm-users] External Authentication Integration with JWKS and RS256 Tokens

Laurence laurence.field at cern.ch
Thu Oct 5 13:30:17 UTC 2023

Coming back to this, it is failing again and I don't know why.

/slurmctld: error: failed to verify jwt, rc=22//
//slurmctld: error: could not find matching kid or decode failed/

The kids seem to match and python code I have verifies the jwt with the 
jwks. Does anyone have any ideas on what the issue might be? The jwks 
can be found at the following URL.




On 27/03/2023 11:07, Laurence Field wrote:
> Hi Ümit,
> Thanks for the reply. Yes, it looks like this is the issue. Although 
> from the master branch it suggests that the claim_field can also be 
> used but this is not in the version we have deployed.
> Cheers,
> Laurence
> On 24.03.23 16:51, Ümit Seren wrote:
>> Looks like you are missing the username field in the JWT token: 
>> https://github.com/SchedMD/slurm/blob/slurm-22-05-8-1/src/plugins/auth/jwt/auth_jwt.c#L419
>> You have to make sure that your JWT token contains the SLURM username 
>> as an attribute (https://slurm.schedmd.com/jwt.html#compatibility).
>> On Fri, Mar 24, 2023 at 4:40 PM Laurence Field 
>> <laurence.field at cern.ch> wrote:
>>     Hi,
>>     After verifying the JWT and JWKS with some Python code, it
>>     magically seems to work. At least the error has changed to
>>     /auth_p_verify: jwt_get_grant failure. /This suggests I need to
>>     update something in the authorization policy. Will do that now
>>     but if anyone has done this before and can give me some hints,
>>     they would be most welcome.
>>     Cheers,
>>     Laurence
>>     On 24.03.23 10:41, Laurence Field wrote:
>>>     Hi Ümit,
>>>     Thanks for your reply. We are using Keycloak and the JWKS does
>>>     contain this parameter. I will continue to debug but any
>>>     suggestions would be greatly appreciated.
>>>     Cheers,
>>>     Laurence
>>>     On 23.03.23 11:42, Ümit Seren wrote:
>>>>     If you use AzureAD as your identity provider beware that their
>>>>     JWKS json doesn't contain the alg parameter.
>>>>     We opened an issue:
>>>>     https://bugs.schedmd.com/show_bug.cgi?id=16168 and it is confirmed.
>>>>     As a workaround you can use this jq query to add the alg to the
>>>>     jwks json that you get from AzureAD:
>>>>     |curl -s
>>>>     https://login.microsoftonline.com/TENANT/discovery/v2.0/keys |
>>>>     jq '.keys |= map(.alg="RS256")' > $TMPFILE
>>>>     |
>>>>     Hope this helps
>>>>     Best
>>>>     Ümit
>>>>     On Thu, Mar 23, 2023 at 11:26 AM Laurence
>>>>     <laurence.field at cern.ch> wrote:
>>>>         Hi,
>>>>         I am trying to configure SLURM to use external
>>>>         authentication for JWT as described in the documentation.
>>>>         https://slurm.schedmd.com/jwt.html
>>>>         JWT Authentication worked when I tested the setup for
>>>>         standalone use but am having difficulty with tokens from
>>>>         our oauth provider.
>>>>         My first question is has anyone successfully done this? My
>>>>         second question is on the example code to verify the jwt
>>>>         key. Is the example up to date as it doesn't work for me.
>>>>         The final question is does anyone have any suggestions on
>>>>         the concrete error reported in the slurmctld log.
>>>>         /slurmctld: error: failed to verify jwt, rc=22//
>>>>         //slurmctld: error: could not find matching kid or decode
>>>>         failed/
>>>>         Thanks,
>>>>         Laurence
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.schedmd.com/pipermail/slurm-users/attachments/20231005/5a1a748d/attachment-0001.htm>

More information about the slurm-users mailing list