Our understanding is that slurmrestd is limited to using HS256 keys for JWT tokens. We would like to add or change this to support RSA256 keys, which would make it possible for AWS products and customers to use Amazon Cognito to generate JWT tokens for the API.
This has been merged into our master branch and will be available in Slurm 21.08 when released. Commit details follow. Initial documentation is at https://slurm.schedmd.com/archive/slurm-master/jwt.html . For testing, I have found the guide at https://sanderknape.com/2020/08/amazon-cognito-jwts-authenticate-amazon-http-api/ to be helpful with manually generating tokens to test with. If you have any questions on the support please let me know. I will ask our documentation team to elaborate further on the support here and provide some better examples, but the functional changes to Slurm should be complete at this point. - Tim commit fb38033e32ce080a244a125d01d4de258fac540a Author: Tim Wickberg <tim@schedmd.com> AuthorDate: Thu Jun 24 13:55:41 2021 -0600 Document new jwks option in slurm.cond and slurmdbd.conf. commit 6b00849364bb2b868182c7617db40811eb60a8bf Author: Tim Wickberg <tim@schedmd.com> AuthorDate: Fri Jun 25 15:57:56 2021 -0600 auth/jwt - add support for RS256 tokens. Public keys must be provided through a JWKS file (with kid, e, and n fields). Multiple public keys are supported. If enabled, HS256 support will be disabled by default. It can be explicitly re-enabled by providing an explicit "jwt_file=" path. The token must provide either a 'sun' ("Slurm User Name") or 'username' field. Bug 11534. commit d23cf070c43463bd60f2bdb1e223c848729cd42a Author: Tim Wickberg <tim@schedmd.com> AuthorDate: Thu Jun 24 13:40:40 2021 -0600 auth/jwt - add pem_key.c and link to build
