All users are disallowed with empty allowed_users

I have a JupyterHub following the Zero to JupyterHub with Kubernetes, using Keycloak for authentication.

Everything worked fine, until recently, when users were not authorized any more (they got "403 : Forbidden Sorry, you are not currently authorized to use this hub. Please contact the hub administrator."). I can circumvent this by manually authorizing them through hub.config.Authenticator.allowed_users in the helm config, but as far as I understand, leaving allowed_users empty should also work and simply authorize all authenticated users (which it did until recently).

Has anybody an idea what might be the issue? I'm using Helm chart version 3.0.3 with JupyterHub version 4.0.2, but everything worked well with the same versions before. Thank you for your help!

This was a breaking change to improve security in OAuthenticator - not everyone realised that, for example, using GitHub with no further restrictions would allow any GitHub user to log in by default.
https://oauthenticator.readthedocs.io/en/stable/reference/changelog.html#breaking-changes
Setting OAuthenticator.allow_all to True should restore the old behaviour


Thank you very much! That was indeed it.

Hi @jschwab,
I have been facing this same issue for days now. Could you please share snippet of your values file where you fixed this issue?
Below is my config.

hub:
  config:
    Authenticator:
      enable_auth_state: true
      allowed_users:
      - '*'
    GenericOAuthenticator:
      client_id: hub
      client_secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      oauth_callback_url: https://hub.mydomain.net/hub/oauth_callback
      authorize_url: https://keycloak.mydomain.net/auth/realms/myrealm/protocol/openid-connect/auth
      token_url: https://keycloak.mydomain.net/auth/realms/myrealm/protocol/openid-connect/token
      userdata_url: https://keycloak.mydomain.net/auth/realms/myrealm/protocol/openid-connect/userinfo
      login_service: keycloak
      username_claim: preferred_username
      userdata_params:
        state: state
      claim_groups_key: roles
      allowed_groups:
        - user
      admin_groups:
        - admin
    JupyterHub:
      authenticator_class: generic-oauth
      admin_access: true

I finally got this working. See the config below for integrating JupyterHub with Keycloak for authentication.

hub:
  config:
    Authenticator:
      enable_auth_state: true
      allow_all: true   ## Add this to allow all users
    GenericOAuthenticator:
      client_id: hub
      client_secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      oauth_callback_url: https://hub.mydomain.net/hub/oauth_callback
      authorize_url: https://keycloak.mydomain.net/auth/realms/myrealm/protocol/openid-connect/auth
      token_url: https://keycloak.mydomain.net/auth/realms/myrealm/protocol/openid-connect/token
      userdata_url: https://keycloak.mydomain.net/auth/realms/myrealm/protocol/openid-connect/userinfo
      login_service: keycloak
      username_claim: preferred_username
    JupyterHub:
      authenticator_class: generic-oauth
      admin_access: true
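To make the breaking change from the reply above concrete, here is an added example (not OAuthenticator's or the chart's own code) that models the allow policy OAuthenticator 16 introduced: with no `allow_all`, `allowed_users` or `allowed_groups` opted in, nobody is allowed. It reads the same `hub.config` keys shown in the two values files in this thread, and assumes, as a labelled modelling choice, that `admin_users` / `admin_groups` membership also grants login and that `allowed_users` is an exact-name set, so `'*'` is just a username, not a wildcard. The `hub.config` fragments and users are constructed for the demonstration.

```python
# Added example (not OAuthenticator's own code): a simplified model of the
# allow policy that OAuthenticator 16 introduced, used to show why an empty
# allowed_users now denies everyone and which settings re-open the hub.
from dataclasses import dataclass


@dataclass
class AllowPolicy:
    allow_all: bool = False
    allowed_users: frozenset = frozenset()
    allowed_groups: frozenset = frozenset()
    admin_users: frozenset = frozenset()
    admin_groups: frozenset = frozenset()


def policy_from_hub_config(hub_config):
    """Extract the allow-related keys from a hub.config dict of the kind shown
    in the Zero-to-JupyterHub values files above (other keys are ignored)."""
    auth = hub_config.get("Authenticator") or {}
    oauth = hub_config.get("GenericOAuthenticator") or {}
    merged = {**auth, **oauth}  # the OAuthenticator subclass inherits base-class keys

    def names(key):
        return frozenset(merged.get(key) or [])

    return AllowPolicy(
        allow_all=bool(merged.get("allow_all", False)),
        allowed_users=names("allowed_users"),
        allowed_groups=names("allowed_groups"),
        admin_users=names("admin_users"),
        admin_groups=names("admin_groups"),
    )


def check_allowed(policy, username, groups=()):
    """Decide whether `username` (with identity-provider groups `groups`) may
    log in. With nothing configured the answer is False, which is the
    post-16 default the original poster ran into."""
    groups = frozenset(groups)
    if policy.allow_all:
        return True
    if username in policy.allowed_users:  # exact names only; '*' is not a wildcard
        return True
    if username in policy.admin_users or groups & policy.admin_groups:
        return True  # modelling assumption: admins are allowed in
    if policy.allowed_groups and groups & policy.allowed_groups:
        return True
    return False


# Constructed hub.config fragments mirroring the thread's before/after values.
BEFORE = {  # what the original poster had: nothing opted in
    "Authenticator": {"enable_auth_state": True, "allowed_users": []},
    "GenericOAuthenticator": {"claim_groups_key": "roles"},
}
GROUPS_ONLY = {  # opt in by Keycloak role instead of allow_all
    "Authenticator": {"enable_auth_state": True},
    "GenericOAuthenticator": {
        "claim_groups_key": "roles",
        "allowed_groups": ["user"],
        "admin_groups": ["admin"],
    },
}
AFTER = {  # the accepted fix: allow every authenticated user
    "Authenticator": {"enable_auth_state": True, "allow_all": True},
    "GenericOAuthenticator": {"claim_groups_key": "roles"},
}


def decisions(hub_config, users):
    """Map each (username, groups) pair to the login decision under hub_config."""
    policy = policy_from_hub_config(hub_config)
    return {name: check_allowed(policy, name, groups) for name, groups in users}


if __name__ == "__main__":
    sample_users = [("alice", ["user"]), ("bob", []), ("carol", ["admin"])]
    for label, cfg in [("before", BEFORE), ("groups_only", GROUPS_ONLY), ("after", AFTER)]:
        print(label, decisions(cfg, sample_users))
```

Running it shows the three outcomes side by side: the "before" values deny every user, `allow_all: true` admits anyone Keycloak authenticates, and `allowed_groups` / `admin_groups` admits only users whose `roles` claim carries a listed group, which is the narrower choice when not every Keycloak account should reach the hub.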