403: Forbidden error when trying to authenticate users

#1

Hi,

I’m trying to add GitHub authentication onto my BinderHub. It’s something I’ve successfully managed before, but for some reason it’s giving me difficulty this time around. <jupyterhub-ip>/hub/login keeps giving me a 403: Forbidden error. Config is below.

config:
  BinderHub:

    # connect image registry and set image prefix
    use_registry: true
    image_prefix: <docker-org>/<prefix>-

    # jupyterhub IP address
    hub_url: http://<jupyterhub-ip>

    # enable authentication
    auth_enabled: true

jupyterhub:

  hub:
    services:
      binder:
        oauth_redirect_uri: "http://<binder-ip>/oauth_callback"
        oauth_client_id: "binder-oauth-client-test"
    extraConfig:
      hub_extra: |
        c.JupyterHub.redirect_to_server = False

      binder: |
        from kubespawner import KubeSpawner

        class BinderSpawner(KubeSpawner):
          def start(self):
              if 'image' in self.user_options:
                # binder service sets the image spec via user options
                self.image = self.user_options['image']
              return super().start()
        c.JupyterHub.spawner_class = BinderSpawner

    singleuser:
      # to make notebook servers aware of hub
      cmd: jupyterhub-singleuser

    auth:
      type: github
      github:
        clientId: "xxxx"
        clientSecret: "xxxx"
        callbackUrl: "http://<jupyterhub-ip>/hub/oauth_callback"

I’m using BinderHub Helm Chart version 0.2.0-7b2c4f8. I tried to go back to version 0.2.0-3b53fce which was the last version I had authentication working on, but the JupyterHub pod kept giving CrashLoopBackOff. I’ve tried remaking the OAuth app on GitHub as well. The only other difference from the last time I had this working is that my Kubernetes cluster is now deployed onto an Azure Virtual Machine Scale Set (VMSS) which allows autoscaling, but it’s a “preview” feature.

Thanks in advance for any advice! It’s possible I’m a victim of copypasta and blind to the issue, so even just a fresh set of eyes on the config would be much appreciated.

#2

I’ve managed to track this issue to the VMSS.

I deployed a test BinderHub following the standard Azure installation instructions in the BinderHub docs (i.e. not autoscaling) and the login redirect is fine for both versions 0.2.0-3b53fce and 0.2.0-7b2c4f8.

However, the “look” of the login page has changed. Instead of a “Sign in” button which redirects you to the GitHub sign in, the JupyterHub provides a login form and authorizes the GitHub OAuth app itself.

I guess for the time being I can either have a Hub with authentication or one that autoscales.

1 Like
#3

JupyterHub logs:

[I 2019-04-25 18:37:01.120 JupyterHub log:174] 302 GET /hub/api/oauth2/authorize?client_id=binder-oauth-client-test&redirect_uri=http%3A%2F%2Fxx.xx.xxx.xxx%2Foauth_callback&response_type=code&state=[secret] -> /hub/login?next=%2Fhub%2Fapi%2Foauth2%2Fauthorize%3Fclient_id%3Dbinder-oauth-client-test%26redirect_uri%3Dhttp%253A%252F%252Fxx.xx.xxx.xxx%252Foauth_callback%26response_type%3Dcode%26state%3DeyJ1dWlkIjogImQ3NDYzZTJkMDA4NTQzZjNhNWMxNTQyM2RlNmJiNWY0IiwgIm5leHRfdXJsIjogIi8ifQ (@xx.xxx.x.x) 1.09ms
[W 2019-04-25 18:37:01.261 JupyterHub base:670] Failed login for unknown user
[W 2019-04-25 18:37:01.262 JupyterHub log:174] 403 GET /hub/login?next=%2Fhub%2Fapi%2Foauth2%2Fauthorize%3Fclient_id%3Dbinder-oauth-client-test%26redirect_uri%3Dhttp%253A%252F%252Fxx.xx.xxx.xxx%252Foauth_callback%26response_type%3Dcode%26state%3DeyJ1dWlkIjogImQ3NDYzZTJkMDA4NTQzZjNhNWMxNTQyM2RlNmJiNWY0IiwgIm5leHRfdXJsIjogIi8ifQ (@xx.xxx.x.x) 1.52ms
#4

This is the biggest copypasta mistake I’ve made since actually forgetting to update the config with the JupyterHub URL. singleuser and auth blocks are over-indented by 2 spaces. Everything works! Thank you for your patience :smile:

1 Like