Hi,
I am trying to configure SLURM to use external authentication for
JWT as described in the documentation.
https://slurm.schedmd.com/jwt.html
JWT Authentication worked when I tested the setup for standalone
use, but I am having difficulty with tokens from our OAuth provider.
My first question is: has anyone successfully done this? My second
question is on the example code to verify the JWT key. Is the
example up to date, as it doesn't work for me? The final question
is: does anyone have any suggestions on the concrete error reported
in the slurmctld log?
slurmctld: error: failed to verify jwt, rc=22
slurmctld: error: could not find matching kid or decode failed
Thanks,
Laurence
curl -s https://login.microsoftonline.com/TENANT/discovery/v2.0/keys | jq '.keys |= map(.alg="RS256")' > $TMPFILE
Hi Ümit,
Thanks for your reply. We are using Keycloak and the JWKS does
contain this parameter. I will continue to debug but any
suggestions would be greatly appreciated.
Cheers,
Laurence
Hi,
After verifying the JWT and JWKS with some Python code, it
magically seems to work. At least the error has changed to
"auth_p_verify: jwt_get_grant failure". This suggests I need to update
something in the authorization policy. Will do that now but if
anyone has done this before and can give me some hints, they would
be most welcome.
Cheers,
Laurence
Hi Ümit,
Thanks for the reply. Yes, it looks like this is the issue.
Although from the master branch it suggests that the claim_field
can also be used but this is not in the version we have deployed.
Cheers,
Laurence
Coming back to this, it is failing again and I don't know why.
slurmctld: error: failed to verify jwt, rc=22
slurmctld: error: could not find matching kid or decode failed
The kids seem to match and the Python code I have verifies the JWT
with the JWKS. Does anyone have any ideas on what the issue might
be? The JWKS can be found at the following URL.
https://auth.cern.ch/auth/realms/cern/protocol/openid-connect/certs
Cheers,
Laurence
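
Added example, not part of the thread and not Slurm's own code: an offline check of a token's header against a JWKS document for the conditions the "could not find matching kid or decode failed" message points at. It assumes, as the jq command in this thread implies, that each JWKS key should carry an `alg` matching the token's; `diagnose`, the helper names and the sample kid are constructed for illustration, and no signature is verified.

```python
import base64
import json


def b64url_decode(segment):
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    """Encode bytes as unpadded base64url (used only to build the sample)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def diagnose(token, jwks):
    """Return a list of mismatches between a JWT header and a JWKS document."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        return ["token is not a three-part compact JWS"]
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return ["token header does not decode to JSON"]
    if not isinstance(header, dict) or "kid" not in header:
        return ["token header has no kid"]
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == header["kid"]]
    if not matches:
        return ["no JWKS key with kid %r" % header["kid"]]
    problems = []
    if len(matches) > 1:
        problems.append("kid appears more than once in the JWKS")
    key = matches[0]
    if key.get("kty") != "RSA":
        problems.append("matching key is not an RSA key")
    # Assumption taken from the jq command in the thread: alg must be present.
    if "alg" not in key:
        problems.append("matching key has no alg field")
    elif key["alg"] != header.get("alg"):
        problems.append("key alg %r differs from token alg %r" % (key["alg"], header.get("alg")))
    problems += ["matching key is missing %r" % f for f in ("n", "e") if not key.get(f)]
    return problems


# Constructed sample: header, claims, signature and key values are placeholders.
SAMPLE_HEADER = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid-1"}
SAMPLE_TOKEN = ".".join(b64url_encode(json.dumps(p).encode()) for p in (SAMPLE_HEADER, {"sub": "user"})) + ".c2ln"
SAMPLE_JWKS = {"keys": [{"kid": "constructed-kid-1", "kty": "RSA", "n": "AQAB", "e": "AQAB"}]}

if __name__ == "__main__":
    print(diagnose(SAMPLE_TOKEN, SAMPLE_JWKS))
```

An empty list means the header and the JWKS entry agree on kid, key type and algorithm; it says nothing about whether the signature or the claims are valid.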