ideonate / cdsdashboards

JupyterHub extension for ContainDS Dashboards
https://cdsdashboards.readthedocs.io/

Auth form must be sent from auth page - on Z2JH #26

Closed danlester closed 3 years ago

danlester commented 4 years ago

Where HTTPS termination happens on the load balancer under z2jh on EKS/AWS:

proxy:
  https:
    enabled: true
    type: offload

authing into someone else's dashboard doesn't work - you get '403 auth form must be sent from auth page'.

Same as this issue: https://github.com/ideonate/cdsdashboards/issues/22 but needs a different solution under z2jh

It is a bug/feature in either JupyterHub's OAuth code or in the Configurable HTTP Proxy component, depending on how you look at it.

Unfortunately, the workaround suggested in the GitHub issue above won't work here because in Zero2JH there is no easy way to specify a bespoke ConfigurableHTTPProxy.command setting to the ['configurable-http-proxy', '--no-x-forward'] which we need, as noted recently here: jupyterhub/zero-to-jupyterhub-k8s#1302

Fixing the z2jh issue 1302 would be ideal in the short term. Using an alternative proxy (Traefik instead of the standard Configurable Http Proxy is supposed to be supported soon) might make this go away: jupyterhub/zero-to-jupyterhub-k8s#1162. Or trying a different https method could work - e.g. getting z2jh to do the https termination.

But all of these have too many moving parts - I will look at building a workaround into the jupyterhub code used by ContainDS Dashboards. I am away this week but should be able to take a look at the start of next. In the meantime, I'm hoping you can continue evaluation with https off or moved to z2jh (if that solves the problem).

This was reported here: https://gitter.im/ideonate/ContainDS?at=5f430cf0ec534f584fb8fd89
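An added illustration, not part of the original thread and not JupyterHub's or configurable-http-proxy's code: a minimal Python model of why offloading TLS at the load balancer can trip a check that the form's Referer equals the URL the backend reconstructs. The header handling, the function names and the sample URL are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Constructed sample request; host, path and query are placeholders.
HOST = "hub.example.org"
PATH = "/hub/api/oauth2/authorize?client_id=demo"
REFERER = f"https://{HOST}{PATH}"  # what the browser sends: it really is on HTTPS


def inner_proxy(headers, x_forward=True):
    """Model of a proxy reached over plain HTTP behind the load balancer.

    Assumption: with forwarding on, it appends its own view ("http") to
    X-Forwarded-Proto; with forwarding off, headers pass through untouched.
    """
    out = dict(headers)
    if x_forward:
        seen = out.get("X-Forwarded-Proto")
        out["X-Forwarded-Proto"] = f"{seen},http" if seen else "http"
    return out


def backend_url(headers):
    """URL the backend reconstructs, trusting the last forwarded scheme."""
    proto = headers.get("X-Forwarded-Proto", "http").split(",")[-1].strip()
    return f"{proto}://{HOST}{PATH}"


def strict_check(referer, url):
    """Form POST is accepted only if Referer equals the reconstructed URL."""
    return referer == url


def scheme_blind_check(referer, url):
    """Illustrative relaxation: compare host, path and query, not scheme."""
    a, b = urlsplit(referer), urlsplit(url)
    return (a.netloc, a.path, a.query) == (b.netloc, b.path, b.query)


def simulate(x_forward):
    """TLS ends at the load balancer, which marks the request as https."""
    from_lb = {"X-Forwarded-Proto": "https"}
    url = backend_url(inner_proxy(from_lb, x_forward))
    return url, strict_check(REFERER, url), scheme_blind_check(REFERER, url)


if __name__ == "__main__":
    for flag in (True, False):
        print(f"x_forward={flag}:", simulate(flag))
```

In this model the strict comparison fails only when the inner proxy rewrites the forwarded scheme, which is the situation the `--no-x-forward` workaround mentioned above avoids.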

sid-marain commented 4 years ago

I've confirmed that using the letsencrypt method (let z2jh do https termination) is a viable workaround.

fredrik-sthlm commented 3 years ago

> I've confirmed that using the letsencrypt method (let z2jh do https termination) is a viable workaround.

Hi, I'm experiencing the above issue for Z2JH using own built docker images. Can you provide more details on how to resolve this using the letsencrypt method?

fredrik-sthlm commented 3 years ago

This has been fixed upstream in JupyterHub 1.2 and above https://github.com/jupyterhub/jupyterhub/pull/3219