All oauth users not being allowed by default #3332

Closed
ajeffowens opened this issue Jan 30, 2024 · 4 comments

@ajeffowens

I am using jupyterhub helm chart version 3.2.1 with the generic-oauth authenticator. The authenticator works when I provide a user whitelist (`hub.config.Authenticator.allowed_users`). As in, users that are whitelisted can get in, but nobody else can. Everyone gets a 403 when the whitelist is not applied. I would like for all authenticated users to be allowed by default, but I am not seeing how to do that in the doc.

relevant section of helm values:

```yaml
# ....
hub:
  config:
    Authenticator:
      enable_auth_state: true
      create_system_users: true
    GenericOAuthenticator:
      client_id:  jhubuser
      client_secret: f2***ef82
      oauth_callback_url: https://v***s.com/hub/oauth_callback
      authorize_url: https://v***s.com/***oauth/authorize
      token_url: https://v***s.com/***/oauth/token
      userdata_url: https://v***s.com/***/userinfo
      scope:
        - openid
      username_key: user_name
      login_service: '***'
      tls_verify: False
      userdata_params: {'state': 'state'}
    JupyterHub:
      authenticator_class: generic-oauth
      log_level: DEBUG
    CryptKeeper:
      keys:
        - "15d***59"
  extraConfig:
    myConfig.py: |
      async def add_auth_env(spawner):
        '''
        We set user's id, login and access token on single user image to
        enable repository integration for JupyterHub.
        See: https://gitlab.com/gitlab-org/gitlab-ce/issues/47138#note_154294790
        '''
        auth_state = await spawner.user.get_auth_state()

        if not auth_state:
          spawner.log.warning("No auth state for %s", spawner.user)
          return
        spawner.environment['ACCESS_TOKEN'] = auth_state['access_token']
        spawner.environment['REFRESH_TOKEN'] = auth_state['refresh_token']
      c.KubeSpawner.pre_spawn_hook = add_auth_env
# ...
```

Here is what the logs look like when a user is denied. Either by way of not being in the allowed_users list or when user is not in whitelist:

```
hub-64bc8c9bd7-rqktb hub [I 2024-01-29 20:27:34.194 JupyterHub oauth2:97] OAuth redirect: https://v***s.com/hub/oauth_callback
hub-64bc8c9bd7-rqktb hub [D 2024-01-29 20:27:34.194 JupyterHub base:587] Setting cookie oauthenticator-state: {'httponly': True, 'secure': True, 'expires_days': 1}
hub-64bc8c9bd7-rqktb hub [I 2024-01-29 20:27:34.195 JupyterHub log:191] 302 GET /hub/oauth_login?next=%2Fhub%2F -> https://v***s.com/***/oauth/authorize?response_type=code&redirect_uri=https%3A%2F%2Fv***s.com%2Fhub%2Foauth_callback&client_id=jhubuser&state=[secret]&scope=openid (@192.168.0.9) 1.17ms
hub-64bc8c9bd7-rqktb hub [W 2024-01-29 20:27:37.002 JupyterHub auth:533] User '***' not allowed.
hub-64bc8c9bd7-rqktb hub [W 2024-01-29 20:27:37.002 JupyterHub base:843] Failed login for unknown user
hub-64bc8c9bd7-rqktb hub [W 2024-01-29 20:27:37.002 JupyterHub web:1869] 403 GET /hub/oauth_callback?code=Bhlh***J9 (192.168.0.4): Sorry, you are not currently authorized to use this hub. Please contact the hub administrator.
hub-64bc8c9bd7-rqktb hub [D 2024-01-29 20:27:37.002 JupyterHub base:1371] No template for 403
hub-64bc8c9bd7-rqktb hub [W 2024-01-29 20:27:37.015 JupyterHub log:191] 403 GET /hub/oauth_callback?code=[secret]&state=[secret] (@192.168.0.4) 186.30ms
```

As you can see, the auth is good, the callback happens, but the user is denied by jupyterhub.

This is running on aks 1.26.10

ajeffowens added the bug label Jan 30, 2024

welcome bot commented Jan 30, 2024

Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! 🤗

If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other community members to contribute more effectively.
You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! 👋

Welcome to the Jupyter community! 🎉

@manics
Member

manics commented Jan 30, 2024

You'll need to add allow_all to allow all users:
https://oauthenticator.readthedocs.io/en/latest/reference/changelog.html#breaking-changes
We made this change after several reports of admins not realising that by default OAuthenticator would allow all users in, which is a particular problem with public OAuth providers such as GitHub.

It looks like we're missing an upgrade guide for Z2JH 3 https://z2jh.jupyter.org/en/stable/administrator/upgrading/index.html

@ajeffowens
Author

Awesome, thank you @manics. hub.config.Authenticator.allow_all: true has resolved the issue

@consideRatio
Member

> Awesome, thank you @manics. hub.config.Authenticator.allow_all: true has resolved the issue

Note that it should probably be either `hub.config.OAuthenticator.allow_all: true` or `hub.config.GenericOAuthenticator.allow_all: true` because it's introduced in the OAuthenticator class.
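
A check for the situation discussed in this thread, as an added example that is not part of the issue or of JupyterHub's own code: it inspects the `hub.config` mapping from a values file and reports the 403-for-everyone case, the use of `allow_all`, and where `allow_all` was placed. The function name `audit_allow_rules` and the sample dicts are constructed, and it assumes that only the two settings named in the thread (`allow_all` and `allowed_users`) grant access.

```python
# Added example: audit the allow rules in the hub.config section of Z2JH values.
# Assumption: only the two settings named in this thread grant access
# (allow_all and allowed_users); other allow settings are not modelled.

SECTIONS = ("Authenticator", "OAuthenticator", "GenericOAuthenticator")


def audit_allow_rules(hub_config):
    """Return a list of (level, message) findings for a hub.config mapping."""
    allow_all_in = []
    allowed_users = set()
    for name in SECTIONS:
        section = hub_config.get(name) or {}
        if section.get("allow_all") is True:
            allow_all_in.append(name)
        allowed_users.update(section.get("allowed_users") or [])

    findings = []
    if not allow_all_in and not allowed_users:
        findings.append(("error", "no allow_all and no allowed_users: "
                         "every authenticated user gets a 403"))
    if allow_all_in:
        findings.append(("warn", "allow_all is true: every account the OAuth "
                         "provider authenticates is admitted"))
    if "Authenticator" in allow_all_in:
        findings.append(("info", "allow_all sits under Authenticator; the thread "
                         "suggests OAuthenticator or GenericOAuthenticator"))
    return findings


# Constructed samples, reduced from the values shown in the issue.
BASE = {"JupyterHub": {"authenticator_class": "generic-oauth"},
        "GenericOAuthenticator": {"client_id": "jhubuser", "username_key": "user_name"}}
AS_REPORTED = {**BASE, "Authenticator": {"enable_auth_state": True}}
REPORTER_FIX = {**BASE, "Authenticator": {"enable_auth_state": True, "allow_all": True}}
SUGGESTED_FIX = {**BASE, "GenericOAuthenticator": {**BASE["GenericOAuthenticator"],
                                                    "allow_all": True}}
WHITELIST = {**BASE, "Authenticator": {"allowed_users": ["alice"]}}  # placeholder user

if __name__ == "__main__":
    for label, cfg in [("as reported", AS_REPORTED), ("reporter fix", REPORTER_FIX),
                       ("suggested fix", SUGGESTED_FIX), ("whitelist", WHITELIST)]:
        print(label, audit_allow_rules(cfg))
```

The `warn` finding matters most when the provider is a public one such as GitHub, which is the case the maintainers cite as the reason for the changed default.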
