jupyterhub / oauthenticator

OAuth + JupyterHub Authenticator = OAuthenticator
https://oauthenticator.readthedocs.io
BSD 3-Clause "New" or "Revised" License

[AzureAD] "/" as part of the username. #529

Open vwoloszyn opened 2 years ago

vwoloszyn commented 2 years ago

Hello, I would like to report a bug about AzureAdOAuthenticator.

[W 2022-08-01 09:22:21.101 JupyterHub auth:486] Disallowing invalid username 'woloszyn vinicius (xc-dx/epe4)'.
[W 2022-08-01 09:22:21.101 JupyterHub base:768] Failed login for unknown user
[W 2022-08-01 09:22:21.124 JupyterHub log:189] 403 GET /hub/oauth_callback?code=[secret]&state=[secret]&session_state=[secret] (@10.224.0.5) 295.68ms
[I 2022-08-01 09:22:50.209 JupyterHub proxy:347] Checking routes

Bug description

Expected behaviour

My username is correct, but JupyterHub does not accept "/" as part of the username, as described here: https://github.com/jupyterhub/jupyterhub/blob/28b11d2165801ea252a88e73779223084ade5b7d/jupyterhub/auth.py#L248

Actual behaviour

Receive the following error log:

[W 2022-08-01 09:22:21.101 JupyterHub auth:486] Disallowing invalid username 'woloszyn vinicius (xxx-xxx/xxxx)'.
[W 2022-08-01 09:22:21.101 JupyterHub base:768] Failed login for unknown user
[W 2022-08-01 09:22:21.124 JupyterHub log:189] 403 GET /hub/oauth_callback?code=[secret]&state=[secret]&session_state=[secret] (@10.224.0.5) 295.68ms
[I 2022-08-01 09:22:50.209 JupyterHub proxy:347] Checking routes

How to reproduce

This is the

hub:
  config:
    AzureAdOAuthenticator:
      client_id: your-client-id
      client_secret: your-client-secret
      oauth_callback_url: https://your-jupyterhub-domain/hub/oauth_callback
      tenant_id: your-tenant-id
    JupyterHub:
      authenticator_class: azuread

Your personal setup

I guess the problem is that the user name is correct, but JupyterHub does not accept usernames containing the char "/".

I guess, instead of allowing or disallowing users, the best would be to parse (or accept) the current username (which is correct).

Thanks!

welcome[bot] commented 2 years ago

Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! :hugs:
If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other community members to contribute more effectively. You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! :wave:
Welcome to the Jupyter community! :tada:

VolkerFelix commented 1 year ago

I solved it in the following way. The 'unique_name' is the email address of the user in my case.

from oauthenticator.azuread import LocalAzureAdOAuthenticator
from traitlets import default

# Override username claim
class CustomAzureAdOAuth(LocalAzureAdOAuthenticator):

    @default('username_claim')
    def _username_claim_default(self):
        # Take the username from the 'unique_name' claim
        return 'unique_name'

    def normalize_username(self, username):
        # Keep only the part before the '@'
        return username.split("@")[0]

# `c` is the config object available inside jupyterhub_config.py
c.JupyterHub.authenticator_class = CustomAzureAdOAuth
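
An added example, not part of the comment above and not OAuthenticator's own code: it compares the `split("@")[0]` normalization with a variant that removes "/" and keeps distinct claim values distinct, so that two identities do not end up sharing one JupyterHub account. The claim values, the `home_domain` parameter and all function names are assumptions made for illustration; the logic could be called from a `normalize_username` override.

```python
import hashlib
import re
from collections import defaultdict

# Anything outside this set ("/", spaces, parentheses, ...) is replaced with "-".
_UNSAFE = re.compile(r"[^a-z0-9._-]+")
# Constructed sample claim values (not taken from a real tenant).
SAMPLE_CLAIMS = [
    "alice@example.org", "alice@partner.example",
    "Doe Jane (dept-a/team1)", "doe jane (dept-a team1)",
]


def naive_normalize(claim):
    """The approach from the comment above: keep only the part before '@'."""
    return claim.split("@")[0]


def safe_normalize(claim, home_domain="example.org"):
    """Return a username without '/' that differs for different lowercased claims.

    home_domain is a hypothetical setting: only its users get the bare local
    part. Pass None when the claim is a display name rather than a UPN.
    """
    value = claim.strip().lower()
    local, sep, domain = value.rpartition("@")
    if not sep:
        local, domain = value, ""
    cleaned = _UNSAFE.sub("-", local).strip("-.")
    if not cleaned:
        raise ValueError(f"no usable characters in {claim!r}")
    expected = ("@", home_domain) if home_domain else ("", "")
    if cleaned == local and (sep, domain) == expected:
        return cleaned  # nothing was dropped, so no suffix is needed
    # Characters or a foreign domain were dropped: append a short digest of the
    # full value (32 bits here; lengthen for large user bases).
    digest = hashlib.sha256(value.encode("utf-8")).hexdigest()[:8]
    return f"{cleaned}-{digest}"


def find_collisions(normalize, claims):
    """Group claims by resulting username and return the groups larger than one."""
    groups = defaultdict(set)
    for claim in claims:
        groups[normalize(claim)].add(claim)
    return {name: sorted(vals) for name, vals in groups.items() if len(vals) > 1}
```

Running `find_collisions` over an export of existing claim values before changing the normalization shows whether any two identities would merge.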