jupyter-on-openshift / jupyterhub-quickstart

OpenShift compatible version of the JupyterHub application.
Apache License 2.0

Any Luck With the OpenShift OAuth Authenticator? #1

Closed sherl0cks closed 6 years ago

sherl0cks commented 6 years ago

https://github.com/jupyterhub/oauthenticator#openshift-setup

I've been tackling the ServiceAccount approach since I don't want my setup to require cluster admin. But I just can't seem to get it working.

GrahamDumpleton commented 6 years ago

I haven't tried and it wasn't high on the list of priorities because if users had access to an OpenShift installation already, then you likely wouldn't need to use JupyterHub as they could log in to OpenShift itself and deploy a notebook from the service catalog using a template. The reason for running JupyterHub is you don't want users to have to have access to the underlying infrastructure it runs on, e.g. OpenShift. So linking to OpenShift authentication may be of academic interest, but I don't see it as particularly useful in the bigger scheme of things.

sherl0cks commented 6 years ago

That's fair. In the University deployment you mentioned, which authentication mechanism are you planning to use?

GrahamDumpleton commented 6 years ago

@sherl0cks Did you by chance work out anything yourself about how to use a service account in a project as OAuth provider? I have tried some things and it flows through to login if necessary, but then on a subsequent step OpenShift claims an authentication error. I am using OpenShift Pro though, which could well prohibit this sort of use.

sherl0cks commented 6 years ago

OpenShift Pro?

I have not tried any other OAuth providers but OpenShift. I tried using both a SA and the cluster level OAuth client. Both approaches failed with some weird failure with the OAuth server.

sherl0cks commented 6 years ago

FWIW I also found the OpenShift docs just to be lacking here in general, so it's possible I just was doing it wrong...

GrahamDumpleton commented 6 years ago

OpenShift Online Pro. I will try with oc cluster up later.

sherl0cks commented 6 years ago

Ahh. This was OpenShift on OpenStack. Good luck. Let me know how it goes.

vpavlin commented 6 years ago

Hi, I've tried OpenShift OAuth with our internal cluster and hit an issue, which I filed against JupyterHub OAuth - https://github.com/jupyterhub/oauthenticator/issues/162

It's missing a CORS header, but it also might be that I misconfigured something - any ideas?

GrahamDumpleton commented 6 years ago

I encountered the X-CSRF-Token error as well, but figured that maybe I wasn't meant to enable the WWW-Authenticate challenges since it wasn't mentioned in oauthenticator setup instructions.

vpavlin commented 6 years ago

Good point... so I turned challenges off and got a bit further

400 : Bad Request
OAuth callback made without a code

callback URL says error=access_denied&error_description=scope+denied%3A+user%3Afull

So it seems like jupyterhub is going for scope:full rather than scope:info as it defines in https://github.com/jupyterhub/oauthenticator/blob/master/oauthenticator/openshift.py#L31

GrahamDumpleton commented 6 years ago

What are you suggesting, the authenticator should use scope:full to match?

One could test that theory by adding to the jupyterhub_config.py file:

from oauthenticator.openshift import OpenShiftLoginHandler
OpenShiftLoginHandler.scope = ['user:full']

vpavlin commented 6 years ago

No, I am saying the opposite - it seems like oauthenticator tries to get user:full although it should get user:info

GrahamDumpleton commented 6 years ago

Should it matter? OpenShift returns:

{
  "issuer": "https://api.pro-us-east-1.openshift.com",
  "authorization_endpoint": "https://api.pro-us-east-1.openshift.com/oauth/authorize",
  "token_endpoint": "https://api.pro-us-east-1.openshift.com/oauth/token",
  "scopes_supported": [
    "user:check-access",
    "user:full",
    "user:info",
    "user:list-projects",
    "user:list-scoped-projects"
  ],
  "response_types_supported": [
    "code",
    "token"
  ],
  "grant_types_supported": [
    "authorization_code",
    "implicit"
  ],
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ]
}

https://docs.openshift.org/latest/architecture/additional_concepts/authentication.html#oauth-server-metadata

GrahamDumpleton commented 6 years ago

Okay, see what you mean now.

error=access_denied&error_description=scope+denied%3A+user%3Afull

The code says it should be user:info, but that seems to be ignored.

vpavlin commented 6 years ago

Just to be clear - I am trying to use service accounts for OAuth - which are a bit limited in scopes

GrahamDumpleton commented 6 years ago

I realise that.

Try this. I think the scope might be defined on the wrong class. So bug in code.

from oauthenticator.openshift import OpenShiftOAuthenticator
OpenShiftOAuthenticator.scope = ['user:info']

vpavlin commented 6 years ago

Beautiful! Works like a charm!

GrahamDumpleton commented 6 years ago

Okay, I will verify tomorrow and submit an issue/PR against oauthenticator.

GrahamDumpleton commented 6 years ago

Confirmed that trick works for me as well. :-)

GrahamDumpleton commented 6 years ago

Closing this. See https://github.com/jupyter-on-openshift/jupyterhub-ocp-oauth for a working example.
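
The check that exposed the bug in this thread, as an added example that is not part of the original issue or of oauthenticator: it parses the OAuth callback error and compares the scope the server refused with the scope the configuration intended. The callback hostname and path, the function names, and the assumption that `error_description` always has the form `scope denied: <scopes>` (taken from the single error quoted above) are illustrative.

```python
from urllib.parse import parse_qs, urlsplit

# scopes_supported as quoted from the OAuth server metadata in the thread.
SCOPES_SUPPORTED = {
    "user:check-access", "user:full", "user:info",
    "user:list-projects", "user:list-scoped-projects",
}

# Constructed sample: host and path are placeholders; the query string is the
# one reported in the thread.
SAMPLE_CALLBACK = (
    "https://jupyterhub.example.test/hub/oauth_callback"
    "?error=access_denied&error_description=scope+denied%3A+user%3Afull"
)


def denied_scopes(callback_url):
    """Return (error, set of refused scopes) parsed from an OAuth callback URL."""
    query = parse_qs(urlsplit(callback_url).query)
    error = query.get("error", [None])[0]
    description = query.get("error_description", [""])[0]
    prefix = "scope denied:"  # assumed message format, see lead-in
    scopes = set()
    if description.lower().startswith(prefix):
        scopes = set(description[len(prefix):].split())
    return error, scopes


def diagnose(callback_url, configured_scopes, supported=SCOPES_SUPPORTED):
    """Compare what the server refused with what the config meant to request."""
    error, denied = denied_scopes(callback_url)
    configured = set(configured_scopes)
    return {
        "error": error,
        "denied": sorted(denied),
        # Refused but never configured: the scope setting is not reaching the
        # authorize request (the situation found in this thread).
        "not_configured": sorted(denied - configured),
        # Configured and refused: the client is not allowed that scope.
        "configured_but_denied": sorted(denied & configured),
        # Configured but not advertised by the server metadata.
        "unsupported_config": sorted(configured - set(supported)),
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_CALLBACK, ["user:info"]))
```

A non-empty `not_configured` list means the deployment is requesting a broader scope than intended, which is worth checking even when the login succeeds with a client that is allowed `user:full`.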