[AzureAD] Add an implementation for Authenticator.authenticator_managed_groups=true

[thomafred]

See this related PR in jupyterhub/jupyterhub-repo.

Added support for external user group management to Azure AD authenticator.

Usage example:

"""sample jupyterhub config file for testing

configures jupyterhub with dummyauthenticator and simplespawner
to enable testing without administrative privileges.
"""

c = get_config()  # noqa
c.Application.log_level = 'DEBUG'

from oauthenticator.azuread import AzureAdOAuthenticator
import os

c.JupyterHub.authenticator_class = AzureAdOAuthenticator

c.AzureAdOAuthenticator.client_id = os.getenv("AAD_CLIENT_ID")
c.AzureAdOAuthenticator.client_secret = os.getenv("AAD_CLIENT_SECRET")
c.AzureAdOAuthenticator.oauth_callback_url = os.getenv("AAD_CALLBACK_URL")
c.AzureAdOAuthenticator.tenant_id = os.getenv("AAD_TENANT_ID")
c.AzureAdOAuthenticator.username_claim = "email"
c.AzureAdOAuthenticator.authorize_url = os.getenv("AAD_AUTHORIZE_URL")
c.AzureAdOAuthenticator.token_url = os.getenv("AAD_TOKEN_URL")
c.Authenticator.authenticator_managed_groups = True
c.Authenticator.refresh_pre_spawn = True

from jupyterhub.spawner import SimpleLocalProcessSpawner

c.JupyterHub.spawner_class = SimpleLocalProcessSpawner

[welcome]

Thanks for submitting your first pull request! You are awesome! 🤗

If you haven't done so already, check out Jupyter's Code of Conduct. Also, please make sure you followed the pull request template, as this will help us review your contribution more quickly.

You can meet the other Jovyans by joining our Discourse forum. There is also a intro thread there where you can stop by and say Hi! 👋

Welcome to the Jupyter community! 🎉

[consideRatio]

Can we assume auth_user_state always include a claim named groups? Does it imply that you have requested the scope groups as well or not?

[consideRatio]

Is the load_user_groups function an Authenticator base class function that is overridden?

[consideRatio]

Hmmm, what is calling this function? I find no reference to it in this repo or the Authenticator base class definition.

Also I found no reference to the authenticator_managed_groups configuration that is configuredin the configuration example you provide within the Authenticator base class.

[consideRatio]

Ah, this PR relies on jupyterhub/jupyterhub#3548.

[thomafred]

@consideRatio - Unsure whether auth_user_state will return with a groups-claim.

The functionality in this PR requires auth_users_state to return some claim with a list of groups if c.Authenticator.authenticator_managed_groups = True. The claim name itself is configurable.

[sseppola]

The groups-claim is non standard for OIDC, but AAD makes it available as an optional claim
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims.

In our case we extend our AAD's policy to make API calls to fetch and return group membership, as shown in this example: https://github.com/azure-ad-b2c/samples/tree/master/policies/rest-api-idp

[consideRatio]

If you have a default that is fixed like this, you can have it as the first argument passed to the Unicode constructor above instead.

[thomafred]

Abandoned in favor of this PR: #573