jupyterhub / oauthenticator

OAuth + JupyterHub Authenticator = OAuthenticator
https://oauthenticator.readthedocs.io
BSD 3-Clause "New" or "Revised" License

[Generic] KeyCloak integration is giving 500 internal error, how to solve #770

Closed Najafov007 closed 1 month ago

Najafov007 commented 1 month ago

Bug description

So we're trying to sign in and use login through Keycloak, but somehow can't get the configuration right. This is our config file (deploying using the Bitnami Helm chart on OpenShift):

    hub:
      config:
        JupyterHub:
          admin_access: true
          authenticator_class: generic-oauth
        GenericOAuthenticator:
          client_id: jupyterhub
          client_secret:
          oauth_callback_url: http://our-site.com/hub/oauth_callback
          authorize_url: http://our-site.com/hub/oauth_callback/realms/jupyterhub/protocol/openid-connect/auth
          token_url: http://our-site.com/hub/oauth_callback/realms/jupyterhub/protocol/openid-connect/token
          userdata_url: http://our-site.com/hub/oauth_callback/realms/jupyterhub/protocol/openid-connect/userinfo
          username_claim: nijat
          tls_verify: false
          enable_auth_state: true
          login_service: 'Keycloak'
      redirectToServer: true

Before that we've created a client in Keycloak and showed the URLs in there:

Root URL - http://our-jupyter.com/
Home URL - http://our-jupyter.com/
Valid redirect URIs - http://our-jupyter.com/hub/oauth_callback

These are our logs in the hub pod:

    [I 2024-10-11 11:06:00.383 JupyterHub log:192] 302 GET / -> /hub/ (@::ffff:10.135.0.2) 0.72ms
    [I 2024-10-11 11:06:00.410 JupyterHub log:192] 302 GET /hub/ -> /hub/login?next=%2Fhub%2F (@::ffff:10.135.0.2) 0.62ms
    [I 2024-10-11 11:06:09.558 JupyterHub oauth2:113] OAuth redirect: http://test-jupyterhub.apps.data-ocp.abb-bank.az/hub/oauth_callback
    [E 2024-10-11 11:06:09.662 JupyterHub oauth2:782] Error fetching 599 POST https://idp-auth.abb-bank.az/realms/jupyterhub/protocol/openid-connect/token: HTTP 599: error setting certificate verify locations: CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none

    [E 2024-10-11 11:06:09.665 JupyterHub log:184] {
      "X-Forwarded-For": "172.31.110.44,::ffff:10.135.0.2",
      "Forwarded": "for=172.31.110.44;host=our-jupyter.com;proto=http",
      "X-Forwarded-Proto": "http,http",
      "X-Forwarded-Port": "80,80",
      "X-Forwarded-Host": "our-jupyter.com",
      "Host": "our-jupyter.com",
      "Cookie": "_xsrf=[secret]; _ga=[secret]; ajs_anonymous_id=[secret]; ajs_user_id=[secret]; _ga_LSLMBCECFZ=[secret]; analytics_session_id=[secret]; analytics_session_id.last_access=[secret]; oauthenticator-state=[secret]",
      "Accept-Language": "en-US,en;q=0.9",
      "Accept-Encoding": "gzip, deflate",
      "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7",
      "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36",
      "Upgrade-Insecure-Requests": "1",
      "Connection": "keep-alive"
    }
    [E 2024-10-11 11:06:09.665 JupyterHub log:192] 500 GET /hub/oauth_callback?state=[secret]&session_state=[secret]&iss=https%3A%2F%2Fidp-keycloak.az%2Frealms%2Fjupyterhub&code=[secret] (@::ffff:10.135.0.2) 15.03ms

manics commented 1 month ago

Since this is likely a config problem please could you start a topic on Discourse instead? https://discourse.jupyter.org/ When you do please turn on debug logging, and show us the full hub logs since often the preceding logs may contain useful information. Thanks!