Looks like you are missing the username field in the JWT token:
https://github.com/SchedMD/slurm/blob/slurm-22-05-8-1/src/plugins/auth/jwt/auth_jwt.c#L419

You have to make sure that your JWT token contains the SLURM username as an attribute (https://slurm.schedmd.com/jwt.html#compatibility).

On Fri, Mar 24, 2023 at 4:40 PM Laurence Field <laurence.fi...@cern.ch> wrote:

> Hi,
>
> After verifying the JWT and JWKS with some Python code, it magically seems
> to work. At least the error has changed to *auth_p_verify: jwt_get_grant
> failure.* This suggests I need to update something in the authorization
> policy. Will do that now but if anyone has done this before and can give me
> some hints, they would be most welcome.
>
> Cheers,
>
> Laurence
>
> On 24.03.23 10:41, Laurence Field wrote:
>
> Hi Ümit,
>
> Thanks for your reply. We are using Keycloak and the JWKS does contain
> this parameter. I will continue to debug but any suggestions would be
> greatly appreciated.
>
> Cheers,
>
> Laurence
>
> On 23.03.23 11:42, Ümit Seren wrote:
>
> If you use AzureAD as your identity provider beware that their JWKS json
> doesn't contain the alg parameter.
> We opened an issue: https://bugs.schedmd.com/show_bug.cgi?id=16168 and it
> is confirmed.
> As a workaround you can use this jq query to add the alg to the jwks json
> that you get from AzureAD:
>
> curl -s https://login.microsoftonline.com/TENANT/discovery/v2.0/keys | jq '.keys |= map(.alg="RS256")' > $TMPFILE
>
> Hope this helps
> Best
> Ümit
>
> On Thu, Mar 23, 2023 at 11:26 AM Laurence <laurence.fi...@cern.ch> wrote:
>
>> Hi,
>>
>> I am trying to configure SLURM to use external authentication for JWT as
>> described in the documentation.
>>
>> https://slurm.schedmd.com/jwt.html
>>
>> JWT Authentication worked when I tested the setup for standalone use but
>> am having difficulty with tokens from our oauth provider.
>>
>> My first question is has anyone successfully done this? My second
>> question is on the example code to verify the jwt key. Is the example up to
>> date as it doesn't work for me. The final question is does anyone have any
>> suggestions on the concrete error reported in the slurmctld log.
>>
>> *slurmctld: error: failed to verify jwt, rc=22*
>> *slurmctld: error: could not find matching kid or decode failed*
>>
>> Thanks,
>>
>> Laurence
>>
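
A diagnostic sketch for the three failure points raised in this thread (the `kid` lookup, the missing `alg` in the JWKS, and the missing username claim), added here as an example and not code from any poster or from Slurm. It inspects the token and JWKS only and does not verify the signature; the claim name `sun`, the helper names and the sample data are assumptions.

```python
import base64
import json


def b64url_decode(part: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def diagnose(token: str, jwks: dict, user_claim: str = "sun") -> list[str]:
    """List problems in an IdP token/JWKS pair; the signature is NOT verified."""
    # user_claim="sun" is an assumption: confirm the name in the Slurm JWT docs.
    problems = []
    try:
        header_b64, payload_b64, _sig = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return ["token is not a decodable three-part JWT"]
    kid = header.get("kid")
    key = next((k for k in jwks.get("keys", []) if k.get("kid") == kid), None)
    if key is None:
        problems.append(f"no JWKS key with kid={kid!r}")
    elif "alg" not in key:
        problems.append(f"JWKS key {kid!r} has no 'alg' parameter")
    elif key["alg"] != header.get("alg"):
        problems.append("JWKS alg differs from token header alg")
    if not claims.get(user_claim):
        problems.append(f"claim {user_claim!r} (username) missing from token")
    return problems


# Constructed sample data: an unsigned token and a JWKS entry without "alg".
SAMPLE_JWKS = {"keys": [{"kid": "key-1", "kty": "RSA", "use": "sig"}]}


def make_token(claims: dict, kid: str = "key-1") -> str:
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    return f"{b64url_encode(header)}.{b64url_encode(claims)}.c2ln"


if __name__ == "__main__":
    for problem in diagnose(make_token({"preferred_username": "alice"}), SAMPLE_JWKS):
        print("problem:", problem)
```
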