Horde Server Authentication setup

Hello everyone!

I’m trying to set up Horde Server, but I’m facing issues with the authentication part for Horde clients.

For the dashboard, I can authenticate (as an admin), list agents, obtain tokens, etc.
The agents are also properly registered and visible as ready.

However, for the agent, whether I use the command ./RunUAT.bat or the Unreal Toolbox utility, I get the following error:

JWT bearer auth failed
...
IDX10503: Signature validation failed. Token does not have a kid

Configuration details:

  • Horde Server (Windows Server)
  1. C:\ProgramData\Epic\Horde\Server\server.json
{
	"Horde": {
		"AuthMethod": "OpenIdConnect",
		"OidcAuthority": "https://login.microsoftonline.com/xx/v2.0",
		"OidcClientId": "xx",
		"OidcClientSecret": "xx",
		"oidcAudience": "groups",
		"ConfigPath": "globals.json",
		"AdminClaimType": "http://epicgames.com/ue/horde/role",
		"AdminClaimValue": "admin",
		"oidcClaimHordeUserMapping": ["groups"],
		"oidcSigninRedirect": "https://<domain>.com:13341/signin-oidc",
		"oidcDebugMode": "true",
		"httpsPort": "13341",
		"Perforce": [
		],
		"Telemetry": [
			{
				"Type": "Mongo",
				"RetainDays": 1
			}
		],
		"UseLocalPerforceEnv": false
    },
    "Kestrel": {
        "Certificates": {
           "Default": {
                "Path": "C:\\ProgramData\\Epic\\Horde\\Server\\<domain>.com.pfx",
                "Password": "xx"
            }
        }
    }
}
  1. C:\ProgramData\Epic\Horde\Server\globals.json
{
	"version": 2,
	"include": [
		{
			"path": "$(HordeDir)/Defaults/default.global.json"
		}
	],
	"plugins": {
		"build": {
			"projects": [
			],
			"perforceClusters": 
			[
			]
		}
	},
	"parameters": {
		"ugs": 
		{
		}
	}
}
  1. C:\Program Files\Epic Games\Horde\Server\Defaults\default.global.json
...
	// Default ACL groups
	"acl": {
		"entries": [
			{
				"claim": {
					"type": "http://epicgames.com/ue/horde/group", 
					"value": "View"
				},
				"profiles": [
					"default-read"
				]
			},
			{
				"claim": {
					"type": "http://epicgames.com/ue/horde/group", 
					"value": "Run"
				},
				"profiles": [
					"default-run"
				]
			},
	        {
				"claim": {
					"type": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
					"value": "admin"
				},
				"actions": [
					"ViewJob",
					"CreateJob",
					"ViewPool",
					"ListPools",
					"CreateAccount",
					"UpdateAccount",
					"DeleteAccount",
					"ViewAccount",
					"CreateNotice",
					"UpdateNotice",
					"DeleteNotice",
					"Debug",
					"Impersonate",
					"ViewCosts",
					"IssueBearerToken",
					"AdminRead",
					"AdminWrite",
					"CreateAgent",
					"UpdateAgent",
					"DeleteAgent",
					"ViewAgent",
					"ListAgents",
					"UploadSoftware",
					"DownloadSoftware",
					"DeleteSoftware",
					"AddComputeTasks",
					"GetComputeTasks",
					"ViewLeases",
					"ViewLeaseTasks",
					"CreateLog",
					"UpdateLog",
					"ViewLog",
					"WriteLogData",
					"CreateEvent",
					"ViewEvent",
					"CreatePool",
					"UpdatePool",
					"DeletePool",
					"ViewPool",
					"ListPools",
					"CreateSession",
					"ViewSession",
					"ReadBlobs",
					"WriteBlobs",
					"ReadRefs",
					"WriteRefs",
					"DeleteRefs"
				]
			}
		],
...
  • Horde Agent (Windows Server)
  1. C:\ProgramData\Epic\Horde\Agent\agent.json AND C:\Program Files\Epic Games\Horde\Agent\Defaults\agent.json
{
 "Horde": {
  "Server": "BuildMachine",
  "ServerProfiles": [
   {
    "Name": "BuildMachine",
    "Url": "https://<domain>:13341",
    "Token": "xx"
   }
  ],
  "WorkingDir": "D:\\HordeAgent\\Sandbox"
 }
}
  1. C:\Program Files\Epic Games\Horde\Agent\appsettings.json
{
	"Horde":
	{
	},
    "Kestrel": {
        "Certificates": {
           "Default": {
                "Path": "C:\\ProgramData\\Epic\\Horde\\Agent\\<domain>.com.pfx",
                "Password": "x"
            }
        }
    },
	"Serilog": {
		"MinimumLevel": {
			"Default": "Information",
			"Override": {
				"Microsoft": "Information",
				"System.Net.Http.HttpClient": "Warning",
				"Microsoft.AspNetCore.Routing.EndpointMiddleware": "Warning",
				"Microsoft.AspNetCore.Authorization.DefaultAuthorizationService": "Warning",
				"HordeServer.Authentication.HordeJwtBearerHandler": "Warning",
				"HordeServer.Authentication.OktaHandler": "Warning",
				"Microsoft.AspNetCore.Hosting.Diagnostics": "Warning",
				"Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker": "Warning",
				"Serilog.AspNetCore.RequestLoggingMiddleware": "Warning",
				"Grpc.Net.Client.Internal.GrpcCall": "Warning",
				"EpicGames.Horde.Storage": "Debug"
			}
		}
	}
}
  • Azure
  1. Authentication → Redirect URLs
https://<domain>.com:13341/oidc/callback
https://<domain>.com:13341/oidc-token
https://<domain>.com:13341/signin-oidc
http://localhost:8749/ugs.client
http://localhost:8749/oidc-token
  1. Token configuration
Claim: groups
Token type: ID, Access, SAML
Optional settings: Default

  • Error:

From an agent, if I run the command line with UAT, I get the following:

Horde URL: https://<domain>.com:13341/, Pool: BuildMachine, Condition: (none), OIDC: Disabled, Connection: (none) HordeEncryption: (none)
...
Unable to get worker: EpicGames.Horde.Compute.ComputeClientException: Bad authentication credentials. Check or refresh token. (HTTP status Unauthorized)

If I try to authenticate using the Unreal Toolbox tool, I get the following:

Connection failed: Failed to login due to error. Error redeeming code: Unauthorized / AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.

However, on the Horde Server, the file ‘C:\ProgramData\Epic\Horde\Server\server.json’ does contain the OidcClientSecret value.


What did I do wrong in the configuration? Am I missing any values that need to be added?

Which token is it referring to in the Horde server log with the error IDX10503: Signature validation failed. Token does not have a kid?

I tried all the tokens from ‘/account’, but I keep getting the same log error.

I also tried using a public Let’s Encrypt certificate instead of a self-signed one from our internal PKI, but I still get the same error.

Did this get resolved? I am facing the same error from Toolbox and UGS.

No, we are still looking for a solution for the authentication with the agents.
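
On the question of which token the IDX10503 message refers to: a way to see what a validator sees is to decode the presented token's header and claims offline and check for `kid`, `alg`, `iss` and `aud`. The script below is an added example, not part of the original posts or of Horde's code; the sample tokens, the `horde.example` issuer, the `<tenant-id>` and `<client-id>` placeholders and all function names are constructed for illustration.

```python
import base64
import json
from typing import Optional

# Placeholder authority; substitute the OidcAuthority value from server.json.
EXPECTED_ISSUER = "https://login.microsoftonline.com/<tenant-id>/v2.0"


def decode_segment(segment: str) -> dict:
    """Decode one base64url JWT segment (padding restored) to a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def inspect_jwt(token: str, expected_issuer: Optional[str] = None) -> dict:
    """Report the unverified header and claims; no signature check is done."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated parts")
    header, claims = decode_segment(parts[0]), decode_segment(parts[1])
    findings = []
    if not header.get("kid"):
        findings.append("no kid: validator cannot pick a signing key by id")
    if str(header.get("alg", "")).upper().startswith("HS"):
        findings.append("HMAC alg: needs a shared secret, not published public keys")
    if expected_issuer and claims.get("iss") != expected_issuer:
        findings.append("iss does not match the expected authority")
    return {"alg": header.get("alg"), "kid": header.get("kid"),
            "iss": claims.get("iss"), "aud": claims.get("aud"),
            "findings": findings}


def make_sample(header: dict, claims: dict) -> str:
    """Build a constructed, unsigned sample token for the demo below."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.c2FtcGxl"


# Constructed samples: neither is a real Horde or Entra ID token.
SAMPLE_NO_KID = make_sample({"alg": "HS256", "typ": "JWT"},
                            {"iss": "https://horde.example", "aud": "horde.example"})
SAMPLE_WITH_KID = make_sample({"alg": "RS256", "typ": "JWT", "kid": "constructed-key-1"},
                              {"iss": EXPECTED_ISSUER, "aud": "<client-id>"})

if __name__ == "__main__":
    for name, tok in (("no kid", SAMPLE_NO_KID), ("with kid", SAMPLE_WITH_KID)):
        print(name, json.dumps(inspect_jwt(tok, EXPECTED_ISSUER), indent=2))
```

Running `inspect_jwt` on the token stored in agent.json and on one copied from the dashboard, then comparing `iss` and `kid` with the authority configured in server.json, shows which issuer produced the token being rejected.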