Get updated Access Token in Notebook Container

[mfruhner]

Hello, I found your great Keycloak Authenticator and implemented it to work with our project. It works nicely for Login, but I have trouble getting it to work properly with additional services.

In our project we use Minio S3 to store datasets and models, which I want to load and save via Jupyter Notebooks. Therefore I created a Minio Client in a notebook with the ACCESS_TOKEN from the ENV (set in pre spawn hook). This works for a few minutes after Notebook startup.

However, the token expires fairly quickly. The README mentions a refresh mechanism, but I am not quite sure, how I would get the refreshed token inside the notebook. Is it possible to store the new access token in the env to be used by Minio again?

I am using your default config from the README so far.

Thanks for your work and help, Maik

[diocas]

Hi @mfruhner,

Unfortunately, env variables are set on the spawn, so they cannot be updated. What we do is to expose the user up to date auth state via JH API and then retrieve it from the container into a file.

By default, the auth state is/was removed from the API response (if you are not admin), so we replaced the hander: https://github.com/swan-cern/jupyterhub-extensions/blob/master/SwanHub/swanhub/userapi_handler.py#L7

We haven't migrate to the newer versions of JH, but when we asked for this functionality, they said it was going to be possible with the new RBAC system (meaning that we would not need to replace the handler, and just use a config to expose the auth state). We are looking into the update in the coming weeks so this should become clearer to us.

To retrieve the updated tokens and put them inside the container, we use this: https://github.com/swan-cern/jupyter-extensions/tree/master/SwanOauthRenew This process will fetch the tokens (refreshed, including exchanged ones, using the previously exposed endpoint) and store them in a file. Maybe you could use the file directly or wrap the commands in a way that it reads the file, puts them in an ENV variable, and then executes the command.

Does this sound feasible?

Cheers, Diogo

[mfruhner]

Hello Diogo, thanks for the insights. I just found this answer, which makes it possible to expose the auth_state to the user with the new RBAC system. It works great in the way that I can now query the access_token and see how it is automatically refreshed when making a request to /users/.

My config looks like this now:

# Override Server Rules to allow a user to read their own auth_state
c.JupyterHub.load_roles = [
    {
        'name': 'user',
        'scopes': ["self", "admin:auth_state!user"],
    },
    {
        'name': 'server',
        'scopes': ["access:servers!user", "read:users:activity!user", "users:activity!user", "admin:auth_state!user"],
    }
]

However, Minio is still not quite happy, but this might be an unrelated issue or a config issue.

[diocas]

Exactly, this is what they promised would come (already did a long time ago), I just didn't know how to configure it yet. This helps me as well, thanks!

[diocas]

I think we can close this, but feel free to re-open! Thanks again.

[hevara247]

I'm trying to retrieve an up-to-date access token with the above load_roles config through the /users/ API endpoint in JupyterHub 4.1.5 and LocalAzureAdOAuthenticator.

The token does not seem to refresh after expiry. Is there anything else needed for that to happen?