Closed dmpe closed 1 year ago
After logging with keycloak, I am being redirected to Jupyterhub which shows 500 : Internal Server Error
What does the jupyterhub logs say? EDIT: ooops they are part of the issue!!!
Is it correct that your OAuth client id registered via keycloak is jupyterhub
?
I don't get why someting goes wrong yet, but its clear to me that it goes wrong quite early.
authorize_url
is successfully accessed, and the user who was redirected to it arrives back to the callback/redirect URL with a code
code
now meant to be used with client_id
in a request to token_url
to receive an access token, but this request fails with a JSON response like:{
"error": "invalid_client",
error_description": "Invalid client or Invalid client credentials"
}
@dmpe can you try configuring GenericOAuthenticator.basic_auth: true
?
Oh sorry, try it set to false
instead I think.
basic_auth
functionIn 15.1.0, only the GenericOAuthenticator had a config called basic_auth
, and it defaulted to True. When it was True, the client_id
and client_secret
was encoded in a HTTP header in the request to the token_url
.
basic_auth
moved to the OAuthenticator base classThe basic_auth
config was moved to the OAuthnticator base class. This change is probably entirely unrelated to the issue observed. In the base class it was disabled by default, and enabled by default specifically for GenericOAuthenticator.
There is one change for GenericOAuthenticator users that had basic_auth
enabled, which all GenericOAuthenticator users have unless they have it explicitly set to false. The change is to not post client_id
and client_secret
also in the post body, but only provide them via the HTTP Basic authentication header when that is done - as it is when basic_auth
is True.
In practice, 16.0.0 made GenericOAuthenticator stop using both HTTP Basic authentication and form based authentication, to only use one or the other as suggested in the OAuth2 specification:
Including the client credentials in the request-body using the two parameters is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes).
I think that you should configure basic_auth
to False, and if you do, the client_id
and client_secret
will once again be passed in the request to token_url, this time without the HTTP Basic authentication header that probably wasn't used.
@dmpe could you verify that setting basic_auth
to False works for you? If you can, that is very valuable input to decide what we should do in the oauthenticator project. I figure we need to decide to either revert the previous behavior, document the changed behavior.
Is it correct that your OAuth client id registered via keycloak is jupyterhub?
that is correct, sorry my previous comment was not precise...
GenericOAuthenticator.basic_auth: true?
tried, does not work.
Tried false
and it works just great! Exactly what was missing.
I figure we need to decide to either revert the previous behavior, document the changed behavior.
Yes. either one of them would be welcome.
Thank you @dmpe for quickly testing and reporting back!!!
Thank you very much. Appreciate quick fixes! @consideRatio
Bug description
After trying
3.0.0-beta.2.git.6228.hfe344e7a
I am getting an issue whereby it is impossible to login into JHub using keycloak and get e.g. admin page properly displayed. It works great with2.0.0 - 09 September 2022 - 3.0.0
version of the helm chart and it works also when using3.0.0-beta.1
. But with recently releasedbeta 2
it has stopped working for me, at least.And unfortunately, keycloak is my only option to use.
Expected behaviour
Login with keycloak works again :)
Actual behaviour
After logging with keycloak, I am being redirected to Jupyterhub which shows
500 : Internal Server Error
How to reproduce
Following helm chart config is being used:
{{ .Values.jupyterhub.auth.generic.clientId }}
, etc. come from Mozilla SOPS and I have 100% verified that when deploying helm chart to k8s, the secrethub
contains correctclientID
andclientSecret
values, filled with secrets that are stored in SOPS file.Your personal set up
Logs
Jhub shows following ``` [D 2023-07-06 08:19:45.418 JupyterHub proxy:392] Checking routes [I 2023-07-06 08:19:45.418 JupyterHub proxy:477] Adding route for Hub: / => http://hub:8081 [D 2023-07-06 08:19:45.418 JupyterHub proxy:880] Proxy: Fetching POST http://proxy-api:8001/api/routes/ [I 2023-07-06 08:19:45.421 JupyterHub app:3247] JupyterHub is now running, internal Hub API at http://hub:8081/hub/ [D 2023-07-06 08:19:45.422 JupyterHub app:2852] It took 0.597 seconds for the Hub to start [D 2023-07-06 08:19:45.984 JupyterHub base:297] Recording first activity for