jupyterhub / oauthenticator

OAuth + JupyterHub Authenticator = OAuthenticator
https://oauthenticator.readthedocs.io
BSD 3-Clause "New" or "Revised" License

[Auth0] Documentation missing, and requesting scope of ['openid', 'email'] is required #291

Open philvarner opened 4 years ago

philvarner commented 4 years ago

If I log in to JH via Auth0, and then JH times out due to inactivity or I explicitly delete the JH auth cookies, I then get a login failure (500 Error) from JH after the "seamless" redirect to Auth0 and back to the JH /oauth_callback endpoint. I have never seen this issue if I delete both the JH and Auth0 cookies, which causes Auth0 to explicitly prompt me for authentication.

The failure is in auth0.py on the line `'name': resp_json["email"],`, but I suspect that the underlying problem is that the request to the userinfo endpoint returns a non-200 response, which isn't handled properly (maybe the token is bad?).

I have reproduced this both on a standalone TLJH installed directly on an EC2 instance and the latest K8s helm chart version.

Stack trace:

[E JupyterHub web:1788] Uncaught exception GET /hub/oauth_callback?code=RWGoXfq9Sbgmfe_W&state=eyJzdGF0ZV9pZCI6ICI1M2I5ODdjMDRiYzQ0OThiYWE2Yzk2N2I4M2JlYmI4YSIsICJuZXh0X3VybCI6IG51bGx9 (216.197.64.188)
python3[11886]:     HTTPServerRequest(protocol='https', host='<readacted>', method='GET', uri='/hub/oauth_callback?code=RWGoXfq9Sbgmfe_W&state=eyJzdGF0ZV9pZCI6ICI1M2I5ODdjMDRiYzQ0OThiYWE2Yzk2N2I4M2JlYmI4YSIsICJuZXh0X3VybCI6IG51bGx9', version='HTTP/1.1', remote_ip='216.197.64.188')
python3[11886]:     Traceback (most recent call last):
python3[11886]:       File "/opt/tljh/hub/lib/python3.6/site-packages/tornado/web.py", line 1699, in _execute
python3[11886]:         result = await result
python3[11886]:       File "/opt/tljh/hub/lib/python3.6/site-packages/oauthenticator/oauth2.py", line 209, in get
python3[11886]:         user = yield self.login_user()
python3[11886]:       File "/opt/tljh/hub/lib/python3.6/site-packages/jupyterhub/handlers/base.py", line 655, in login_user
python3[11886]:         authenticated = await self.authenticate(data)
python3[11886]:       File "/opt/tljh/hub/lib/python3.6/site-packages/jupyterhub/auth.py", line 383, in get_authenticated_user
python3[11886]:         authenticated = await maybe_future(self.authenticate(handler, data))
python3[11886]:       File "/opt/tljh/hub/lib/python3.6/site-packages/oauthenticator/auth0.py", line 99, in authenticate
python3[11886]:         'name': resp_json["email"],
python3[11886]:     KeyError: 'email'

philvarner commented 4 years ago

The fix for this seems to be explicitly setting `c.Auth0OAuthenticator.scope = ['openid', 'email']`. I have no idea why the case when you're not logged in and when you are would give different results, but it does.

metasim commented 4 years ago

Super helpful @philvarner! Thanks for figuring it out. I hope it's able to be fixed soon.
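
The failure mode in this thread (an unchecked userinfo response indexed with `resp_json["email"]`) can be handled by validating the response before use. The sketch below is an added example, not oauthenticator's code: `username_from_userinfo`, `UserinfoError` and `describe` are hypothetical names, and the sample responses are constructed.

```python
import json


class UserinfoError(Exception):
    """The userinfo response cannot be turned into a username."""


def username_from_userinfo(status_code, body, username_claim="email", scope=()):
    """Return {'name': ...} or raise UserinfoError with an actionable message.

    Hypothetical helper: status_code and body are the HTTP status and raw body
    of the provider's userinfo response; scope is the configured scope list.
    """
    if status_code != 200:
        # Fail closed instead of parsing an error document as if it were claims.
        raise UserinfoError(f"userinfo request failed with HTTP {status_code}")
    try:
        claims = json.loads(body)
    except (TypeError, ValueError) as exc:
        raise UserinfoError("userinfo response is not valid JSON") from exc
    if not isinstance(claims, dict):
        raise UserinfoError("userinfo response is not a JSON object")

    name = claims.get(username_claim)
    if not isinstance(name, str) or not name.strip():
        hint = ""
        # Assumption: the claim and the scope that releases it share a name,
        # which holds for the standard OpenID Connect "email" scope.
        if username_claim not in scope:
            hint = f"; scope {list(scope)!r} does not request {username_claim!r}"
        raise UserinfoError(f"userinfo response has no usable {username_claim!r} claim{hint}")
    return {"name": name}


# Constructed sample responses (not captured from a real provider).
WITH_EMAIL = '{"sub": "auth0|example", "email": "user@example.com"}'
WITHOUT_EMAIL = '{"sub": "auth0|example"}'


def describe(status_code, body, scope):
    """Return the username, or the error text an operator would see in the log."""
    try:
        return username_from_userinfo(status_code, body, scope=scope)["name"]
    except UserinfoError as exc:
        return f"login refused: {exc}"


if __name__ == "__main__":
    print(describe(200, WITH_EMAIL, ["openid", "email"]))
    print(describe(200, WITHOUT_EMAIL, ["openid"]))
    print(describe(401, '{"error": "invalid_token"}', ["openid", "email"]))
```

With a check like this, a missing claim produces a refused login and a log line naming the scope, rather than an uncaught `KeyError` and a 500 response.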