ComputeCanada / puppet-magic_castle

Puppet Environment repo for Magic Castle - https://github.com/ComputeCanada/magic_castle
MIT License

Add support for OAuthentication via JupyterHub triggering account creation in FreeIPA #385

Open cmd-ntrf opened 1 month ago

cmd-ntrf commented 1 month ago

It can be easier to ask people to log in to Magic Castle with an OAuth authenticator and automatically create the account in FreeIPA instead of using Mokey.

I was able to put together a proof of concept that works with GitHub authenticator.

Here are the steps so far:

1. Create a FreeIPA keytab for JupyterHub:

   ```shell
   ipa role-add 'JupyterHub' --desc='JupyterHub User management'
   ipa role-add-privilege 'JupyterHub' --privilege='Group Administrators'
   ipa role-add-privilege 'JupyterHub' --privilege='User Administrators'
   ipa user-add jupyterhub --first Jupyter --last Hub
   ipa role-add-member 'JupyterHub' --users=jupyterhub
   ipa-getkeytab -p jupyterhub -k /etc/jupyterhub/jupyterhub.keytab
   ```
2. Define the function add_system_user of the jupyterhub authenticator:

   ```python
   import subprocess
   import time

   from jupyterhub.auth import LocalAuthenticator
   from oauthenticator.github import GitHubOAuthenticator


   class LocalGitHubOAuthenticator(LocalAuthenticator, GitHubOAuthenticator):
       """A version that mixes in local system user creation"""

       def add_system_user(self, user):
           # Get a Kerberos ticket for the jupyterhub principal from the keytab created in step 1
           subprocess.run(["kinit", "-kt", "/etc/jupyterhub/jupyterhub.keytab", "-p", "jupyterhub"])
           # Create the FreeIPA account in the sponsor's POSIX group
           subprocess.run(["ipa_create_user.py", user.name, "--posix_group", "def-sponsor00"])
           # Drop the ticket once the account exists
           subprocess.run(["kdestroy"])
           # Give SSSD time to see the new account before the spawner runs
           time.sleep(5)
   ```
3. Create a GitHub app and export the following variables before launching JupyterHub:

   ```shell
   export GITHUB_CLIENT_ID=[redacted]
   export GITHUB_CLIENT_SECRET=[redacted]
   export OAUTH_CALLBACK_URL=[redacted]
   ```

   If internally jupyterhub is not running SSL, the OAUTH callback URL prefix must be http.

4. Configure JupyterHub authenticator in /etc/jupyterhub/jupyterhub_config.json:

   ```json
   "JupyterHub": {
     "authenticator_class": "oauthenticator.LocalGitHubOAuthenticator"
   },
   "LocalAuthenticator": {
     "create_system_users": true
   },
   "GitHubOAuthenticator": {
     "allow_all": true
   }
   ```

5. Launch JupyterHub
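In the hook from step 2, the login name comes straight from the OAuth provider and is handed to a script running with FreeIPA user- and group-administrator privileges, and the Kerberos ticket is only destroyed if the creation call returns. The block below is an added example, not code from this issue or from Magic Castle: it validates the username and group against a conservative POSIX name rule (rejecting, among other things, a leading `-` that a script could parse as an option), passes everything as argv lists rather than through a shell, and releases the ticket in a `finally` clause. It assumes the keytab path, principal and `def-sponsor00` group from the steps above; `validate_name`, `create_user_commands`, `provision_account` and `RecordingRunner` are hypothetical names, and `RecordingRunner` exists only so the sequencing can be exercised without a FreeIPA server.

```python
"""Validated, ticket-safe wrapper around the FreeIPA account-creation hook.

Added example (not from the issue or Magic Castle). Assumes the keytab,
principal and sponsor group from the issue's steps; function names are
hypothetical. An authenticator's add_system_user would call
provision_account(user.name, "def-sponsor00").
"""
import re
import subprocess
import time

KEYTAB = "/etc/jupyterhub/jupyterhub.keytab"  # from step 1 of the issue
PRINCIPAL = "jupyterhub"                        # FreeIPA user created in step 1

# Conservative POSIX login-name rule: a lowercase letter or underscore first,
# then lowercase letters, digits, '_' or '-', at most 32 characters in total.
# A leading '-' never matches, so the value cannot be parsed as an option.
NAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def validate_name(value, what="login name"):
    """Return value unchanged if it is a safe POSIX name, else raise ValueError."""
    if not isinstance(value, str) or not NAME_RE.fullmatch(value):
        raise ValueError(f"refusing to use {value!r} as a FreeIPA {what}")
    return value


def create_user_commands(username, posix_group):
    """Build the three argv lists the hook runs, after validating both inputs.

    Everything is an argv list (no shell), so the provider-supplied username
    is never interpreted by a shell.
    """
    username = validate_name(username)
    posix_group = validate_name(posix_group, "group")
    return [
        ["kinit", "-kt", KEYTAB, "-p", PRINCIPAL],
        ["ipa_create_user.py", username, "--posix_group", posix_group],
        ["kdestroy"],
    ]


def provision_account(username, posix_group, run=subprocess.run,
                      settle_seconds=5, sleep=time.sleep):
    """Create the FreeIPA account and always release the Kerberos ticket.

    `run` and `sleep` are injectable so the sequencing can be tested offline.
    Returns the validated username.
    """
    kinit, create, kdestroy = create_user_commands(username, posix_group)
    run(kinit, check=True)          # fail loudly if the keytab is unusable
    try:
        run(create, check=True)     # non-zero exit from ipa_create_user.py raises
    finally:
        run(kdestroy, check=False)  # ticket is dropped even when creation fails
    sleep(settle_seconds)           # let SSSD see the account before the spawner runs
    return username


class RecordingRunner:
    """Stand-in for subprocess.run that records argv[0] of each call (test aid)."""

    def __init__(self, fail_on=None):
        self.calls = []
        self.fail_on = fail_on  # argv[0] that should simulate a non-zero exit

    def __call__(self, argv, check=False):
        self.calls.append(argv[0])
        if check and argv[0] == self.fail_on:
            raise subprocess.CalledProcessError(1, argv)


if __name__ == "__main__":
    runner = RecordingRunner()
    provision_account("alice", "def-sponsor00", run=runner, settle_seconds=0,
                      sleep=lambda _: None)
    print(runner.calls)
```

Because `run` defaults to `subprocess.run`, the same function is what the real hook would call; the recording runner is only for checking that `kdestroy` runs on both the success and the failure path.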