Hello everyone!
I’m trying to set up Horde Server, but I’m facing issues with the authentication part for Horde clients.
For the dashboard, I can authenticate (as an admin), list agents, obtain tokens, etc.
The agents are also properly registered and visible as ready.
However, for the agent, whether I use the command ./RunUAT.bat or the Unreal Toolbox utility, I get the following error:
JWT bearer auth failed
...
IDX10503: Signature validation failed. Token does not have a kid
Configuration Details:
- Horde Server (Windows Server)
- C:\ProgramData\Epic\Horde\Server\server.json
{
  "Horde": {
    "AuthMethod": "OpenIdConnect",
    "OidcAuthority": "https://login.microsoftonline.com/xx/v2.0",
    "OidcClientId": "xx",
    "OidcClientSecret": "xx",
    "oidcAudience": "groups",
    "ConfigPath": "globals.json",
    "AdminClaimType": "http://epicgames.com/ue/horde/role",
    "AdminClaimValue": "admin",
    "oidcClaimHordeUserMapping": ["groups"],
    "oidcSigninRedirect": "https://<domain>.com:13341/signin-oidc",
    "oidcDebugMode": "true",
    "httpsPort": "13341",
    "Perforce": [
    ],
    "Telemetry": [
      {
        "Type": "Mongo",
        "RetainDays": 1
      }
    ],
    "UseLocalPerforceEnv": false
  },
  "Kestrel": {
    "Certificates": {
      "Default": {
        "Path": "C:\\ProgramData\\Epic\\Horde\\Server\\<domain>.com.pfx",
        "Password": "xx"
      }
    }
  }
}
- C:\ProgramData\Epic\Horde\Server\globals.json
{
  "version": 2,
  "include": [
    {
      "path": "$(HordeDir)/Defaults/default.global.json"
    }
  ],
  "plugins": {
    "build": {
      "projects": [
        }
      ],
      "perforceClusters": [
      ]
    }
  },
  "parameters": {
    "ugs": {
    }
  }
}
- C:\Program Files\Epic Games\Horde\Server\Defaults\default.global.json
...
// Default ACL groups
"acl": {
  "entries": [
    {
      "claim": {
        "type": "http://epicgames.com/ue/horde/group",
        "value": "View"
      },
      "profiles": [
        "default-read"
      ]
    },
    {
      "claim": {
        "type": "http://epicgames.com/ue/horde/group",
        "value": "Run"
      },
      "profiles": [
        "default-run"
      ]
    },
    {
      "claim": {
        "type": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
        "value": "admin"
      },
      "actions": [
        "ViewJob",
        "CreateJob",
        "ViewPool",
        "ListPools",
        "CreateAccount",
        "UpdateAccount",
        "DeleteAccount",
        "ViewAccount",
        "CreateNotice",
        "UpdateNotice",
        "DeleteNotice",
        "Debug",
        "Impersonate",
        "ViewCosts",
        "IssueBearerToken",
        "AdminRead",
        "AdminWrite",
        "CreateAgent",
        "UpdateAgent",
        "DeleteAgent",
        "ViewAgent",
        "ListAgents",
        "UploadSoftware",
        "DownloadSoftware",
        "DeleteSoftware",
        "AddComputeTasks",
        "GetComputeTasks",
        "ViewLeases",
        "ViewLeaseTasks",
        "CreateLog",
        "UpdateLog",
        "ViewLog",
        "WriteLogData",
        "CreateEvent",
        "ViewEvent",
        "CreatePool",
        "UpdatePool",
        "DeletePool",
        "ViewPool",
        "ListPools",
        "CreateSession",
        "ViewSession",
        "ReadBlobs",
        "WriteBlobs",
        "ReadRefs",
        "WriteRefs",
        "DeleteRefs"
      ]
    }
  ],
...
- Horde Agent (Windows Server)
- C:\ProgramData\Epic\Horde\Agent\agent.json AND C:\Program Files\Epic Games\Horde\Agent\Defaults\agent.json
{
  "Horde": {
    "Server": "BuildMachine",
    "ServerProfiles": [
      {
        "Name": "BuildMachine",
        "Url": "https://<domain>:13341",
        "Token": "xx"
      }
    ],
    "WorkingDir": "D:\\HordeAgent\\Sandbox"
  }
}
- C:\Program Files\Epic Games\Horde\Agent\appsettings.json
{
  "Horde": {
  },
  "Kestrel": {
    "Certificates": {
      "Default": {
        "Path": "C:\\ProgramData\\Epic\\Horde\\Agent\\<domain>.com.pfx",
        "Password": "x"
      }
    }
  },
  "Serilog": {
    "MinimumLevel": {
      "Default": "Information",
      "Override": {
        "Microsoft": "Information",
        "System.Net.Http.HttpClient": "Warning",
        "Microsoft.AspNetCore.Routing.EndpointMiddleware": "Warning",
        "Microsoft.AspNetCore.Authorization.DefaultAuthorizationService": "Warning",
        "HordeServer.Authentication.HordeJwtBearerHandler": "Warning",
        "HordeServer.Authentication.OktaHandler": "Warning",
        "Microsoft.AspNetCore.Hosting.Diagnostics": "Warning",
        "Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker": "Warning",
        "Serilog.AspNetCore.RequestLoggingMiddleware": "Warning",
        "Grpc.Net.Client.Internal.GrpcCall": "Warning",
        "EpicGames.Horde.Storage": "Debug"
      }
    }
  }
}
- Azure
- Authentication → Redirect URLs
https://<domain>.com:13341/oidc/callback
https://<domain>.com:13341/oidc-token
https://<domain>.com:13341/signin-oidc
http://localhost:8749/ugs.client
http://localhost:8749/oidc-token
- Token configuration
Claim: groups
Token type: ID, Access, SAML
Optional settings: Default
- Error:
From an agent, if I run the command line with UAT, I get the following:
Horde URL: https://<domain>.com:13341/, Pool: BuildMachine, Condition: (none), OIDC: Disabled, Connection: (none) HordeEncryption: (none)
...
Unable to get worker: EpicGames.Horde.Compute.ComputeClientException: Bad authentication credentials. Check or refresh token. (HTTP status Unauthorized)
If I try to authenticate using the Unreal Toolbox tool, I get the following:
Connection failed: Failed to login due to error. Error redeeming code: Unauthorized / AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.
However, on the Horde Server, the file ‘C:\ProgramData\Epic\Horde\Server\server.json’ does contain the OidcClientSecret value.
What did I do wrong in the configuration? Am I missing any values that need to be added?
Which token is it referring to in the Horde server log with the error IDX10503: Signature validation failed. Token does not have a kid?
I tried all the tokens from ‘/account’, but I keep getting the same log error.
I also tried using a public Let’s Encrypt certificate instead of a self-signed one from our internal PKI, but I still get the same error.
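
One way to tell which token the IDX10503 log line is about is to decode each candidate's header and claims locally and compare `kid`, `alg`, `iss` and `aud`. This is an added example, not part of the original post and not Horde's own code; the sample tokens are constructed, and their `alg`, `iss` and `aud` values are assumptions rather than values captured from Horde or Azure.

```python
import base64
import json


def _b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment (JWTs strip the '=' padding)."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def inspect_jwt(token: str) -> dict:
    """Read header and claims WITHOUT verifying the signature (diagnosis only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError(f"not a compact JWS: expected 3 segments, got {len(parts)}")
    header, payload = _b64url_json(parts[0]), _b64url_json(parts[1])
    alg = header.get("alg", "")
    return {
        "alg": alg,
        "kid": header.get("kid"),           # None matches "Token does not have a kid"
        "symmetric": alg.startswith("HS"),  # HS* is a shared secret, not a published key
        "iss": payload.get("iss"),          # who minted the token
        "aud": payload.get("aud"),          # who the token is meant for
    }


def _sample(header: dict, payload: dict) -> str:
    """Build a constructed token with a dummy signature for the demo."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.c2lnbmF0dXJl"


# Constructed samples; alg/iss/aud are assumptions, not captured from Horde or Azure.
SAMPLE_NO_KID = _sample({"alg": "HS256", "typ": "JWT"},
                        {"iss": "https://horde.example.invalid", "aud": "horde"})
SAMPLE_WITH_KID = _sample({"alg": "RS256", "kid": "constructed-key-id"},
                          {"iss": "https://login.microsoftonline.com/xx/v2.0", "aud": "xx"})

if __name__ == "__main__":
    for name, tok in (("no kid", SAMPLE_NO_KID), ("with kid", SAMPLE_WITH_KID)):
        print(name, inspect_jwt(tok))
```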