Authorization form must be sent from authorization page

I’ve set up Jupyterhub behind an apache reverse proxy, using letsencrypt and following instructions in the official docs -> Using a reverse proxy.

It works fine until I try to access a service set up as described in nbgrader doc for jupyterhub multiple courses.

I get the “Authorization form must be sent from authorization page”

Looking at the logs I see that the problem probably comes from a difference between the outter referer scheme (https) and the inner one (http).

OAuth POST from https://jupyter.myhost.be/hub/api/oauth2/authorize?client_id=service-progsoir&redirect_uri=%2Fservices%2Fprogsoir%2Foauth_callback&response_type=code&state=eyJ1...ZGVyIn0 != http://jupyter.myhost.be/hub/api/oauth2/authorize?client_id=service-progsoir&redirect_uri=%2Fservices%2Fprogsoir%2Foauth_callback&response_type=code&state=eyJ1...ZGVyIn0

I’ve tried what is mentionned there, but without success (https is rewrited to http, but querystring is not rewrited)

Any help is welcome :smile:

EDIT : continuing my investigations, I found that new option in JupyterHub 1.1.0 which solved my issue : service.oauth_no_confirm. As OAuth authentication is bypassed, the problem doesn’t arise anymore

1 Like

I finally found another way to achieve this without having to bypass oauth confirmation.

Based on the apache configuration mentionned here, I just had to add a RequestHeader edit directive :

<Location "/">
    # preserve Host header to avoid cross-origin problems
    ProxyPreserveHost on
    
    # Modify referer to http in case of oauth2 
    RequestHeader edit referer "https://(.*/hub/api/oauth2/.*)" http://$1
    
    # proxy to JupyterHub
    ProxyPass         http://127.0.0.1:8000/
    ProxyPassReverse  http://127.0.0.1:8000/
</Location>
1 Like