403: Forbidden error when trying to authenticate users

Hi,

I’m trying to add GitHub authentication onto my BinderHub. It’s something I’ve successfully managed before, but for some reason it’s giving me difficulty this time around. <jupyterhub-ip>/hub/login keeps giving me a 403: Forbidden error. Config is below.

config:
  BinderHub:

    # connect image registry and set image prefix
    use_registry: true
    image_prefix: <docker-org>/<prefix>-

    # jupyterhub IP address
    hub_url: http://<jupyterhub-ip>

    # enable authentication
    auth_enabled: true

jupyterhub:

  hub:
    services:
      binder:
        oauth_redirect_uri: "http://<binder-ip>/oauth_callback"
        oauth_client_id: "binder-oauth-client-test"
    extraConfig:
      hub_extra: |
        c.JupyterHub.redirect_to_server = False

      binder: |
        from kubespawner import KubeSpawner

        class BinderSpawner(KubeSpawner):
          def start(self):
              if 'image' in self.user_options:
                # binder service sets the image spec via user options
                self.image = self.user_options['image']
              return super().start()
        c.JupyterHub.spawner_class = BinderSpawner

    singleuser:
      # to make notebook servers aware of hub
      cmd: jupyterhub-singleuser

    auth:
      type: github
      github:
        clientId: "xxxx"
        clientSecret: "xxxx"
        callbackUrl: "http://<jupyterhub-ip>/hub/oauth_callback"

I’m using BinderHub Helm Chart version 0.2.0-7b2c4f8. I tried to go back to version 0.2.0-3b53fce which was the last version I had authentication working on, but the JupyterHub pod kept giving CrashLoopBackOff. I’ve tried remaking the OAuth app on GitHub as well. The only other difference from the last time I had this working is that my Kubernetes cluster is now deployed onto an Azure Virtual Machine Scale Set (VMSS) which allows autoscaling, but it’s a “preview” feature.

Thanks in advance for any advice! It’s possible I’m a victim of copypasta and blind to the issue, so even just a fresh set of eyes on the config would be much appreciated.

I’ve managed to track this issue to the VMSS.

I deployed a test BinderHub following the standard Azure installation instructions in the BinderHub docs (i.e. not autoscaling) and the login redirect is fine for both versions 0.2.0-3b53fce and 0.2.0-7b2c4f8.

However, the “look” of the login page has changed. Instead of a “Sign in” button which redirects you to the GitHub sign in, the JupyterHub provides a login form and authorizes the GitHub OAuth app itself.

I guess for the time being I can either have a Hub with authentication or one that autoscales.

JupyterHub logs:

[I 2019-04-25 18:37:01.120 JupyterHub log:174] 302 GET /hub/api/oauth2/authorize?client_id=binder-oauth-client-test&redirect_uri=http%3A%2F%2Fxx.xx.xxx.xxx%2Foauth_callback&response_type=code&state=[secret] -> /hub/login?next=%2Fhub%2Fapi%2Foauth2%2Fauthorize%3Fclient_id%3Dbinder-oauth-client-test%26redirect_uri%3Dhttp%253A%252F%252Fxx.xx.xxx.xxx%252Foauth_callback%26response_type%3Dcode%26state%3DeyJ1dWlkIjogImQ3NDYzZTJkMDA4NTQzZjNhNWMxNTQyM2RlNmJiNWY0IiwgIm5leHRfdXJsIjogIi8ifQ (@xx.xxx.x.x) 1.09ms
[W 2019-04-25 18:37:01.261 JupyterHub base:670] Failed login for unknown user
[W 2019-04-25 18:37:01.262 JupyterHub log:174] 403 GET /hub/login?next=%2Fhub%2Fapi%2Foauth2%2Fauthorize%3Fclient_id%3Dbinder-oauth-client-test%26redirect_uri%3Dhttp%253A%252F%252Fxx.xx.xxx.xxx%252Foauth_callback%26response_type%3Dcode%26state%3DeyJ1dWlkIjogImQ3NDYzZTJkMDA4NTQzZjNhNWMxNTQyM2RlNmJiNWY0IiwgIm5leHRfdXJsIjogIi8ifQ (@xx.xxx.x.x) 1.52ms

This is the biggest copypasta mistake I’ve made since actually forgetting to update the config with the JupyterHub URL. singleuser and auth blocks are over-indented by 2 spaces. Everything works! Thank you for your patience