AzureAdOAuthenticator returning given name instead of username

ebeb · November 23, 2022, 2:06pm

After successful login using Azure AD Oauthenticator we are getting the full given name instead of the unique username so the local process spawner is failing to spawn with errors. How do we make the username as firstname.lastname so that the OS username will match for getpwnam() .:

[E 2022-11-23 05:04:19.937 JupyterHub user:832] Unhandled error starting xxxxxxx, xxxxxxx (xxxx)'s server: “getpwnam(): name not found: ‘xxxxxx, xxxxxx (xxxxx)’”
Traceback (most recent call last):
File “/data/opt/anaconda3/lib/python3.9/site-packages/jupyterhub/user.py”, line 747, in spawn
url = await gen.with_timeout(timedelta(seconds=spawner.start_timeout), f)
File “/data/opt/anaconda3/lib/python3.9/site-packages/jupyterhub/spawner.py”, line 1664, in start
env = self.get_env()
File “/data/opt/anaconda3/lib/python3.9/site-packages/jupyterhub/spawner.py”, line 1611, in get_env
env = self.user_env(env)
File “/data/opt/anaconda3/lib/python3.9/site-packages/jupyterhub/spawner.py”, line 1598, in user_env
home = pwd.getpwnam(self.user.name).pw_dir
KeyError: “getpwnam(): name not found: ‘xxxxx, xxxxxx (xxxxxx)’”

These are the parms we set in /etc/jupyterhub/jupyterhub_config.py

import os
from oauthenticator.azuread import AzureAdOAuthenticator

c.JupyterHub.authenticator_class = AzureAdOAuthenticator
c.Application.log_level = ‘DEBUG’
c.AzureAdOAuthenticator.tenant_id = os.environ.get(‘AAD_TENANT_ID’)
c.AzureAdOAuthenticator.client_id = ‘redacted’
c.AzureAdOAuthenticator.client_secret = ‘redacted’
c.AzureAdOAuthenticator.oauth_callback_url = ‘https://redacted:8000/hub/oauth_callback’
c.AzureAdOAuthenticator.scope = [‘openid’, ‘profile’, ‘email’]
c.AzureAdOAuthenticator.username_claim = unique_name

manics · November 23, 2022, 2:55pm

Is the required username already available in your response? If so you change the field used as the username.

If not you can write a custom function to generate your username base on the userinfo response:

github.com

jupyterhub/oauthenticator/blob/0a2f0d8c0a99469570b7c1168cec6dfcaf45ec5f/oauthenticator/generic.py#L54-L65


      
          username_claim = Union(
              [Unicode(os.environ.get('OAUTH2_USERNAME_KEY', 'username')), Callable()],
              config=True,
              help="""
              Userdata username key from returned json for USERDATA_URL.
          
          
    Can be a string key name or a callable that accepts the returned
              json (as a dict) and returns the username.  The callable is useful
              e.g. for extracting the username from a nested object in the
              response.
              """,
          )

github.com

jupyterhub/oauthenticator/blob/0a2f0d8c0a99469570b7c1168cec6dfcaf45ec5f/oauthenticator/generic.py#L88-L89


      
          if callable(self.username_claim):
              username = self.username_claim(user_info)

ebeb · November 23, 2022, 5:08pm

Thanks for the reply! How would you figure out the fields in the Azure AD response within the ssl payload. And how do you change the field used as the username.

“Is the required username already available in your response? If so you change the field used as the username.”

manics · November 24, 2022, 8:34pm

You can set c.GenericOAuthenticator.username_claim to the name of the field you want to use.

A bit of Googling brought up Microsoft identity platform UserInfo endpoint - Microsoft Entra | Microsoft Learn but I don’t know whether that applies to all AureAD servers, so you may have to add some debug logs or talk to your AzureAD administrator to work out what’s in the response.

ebeb · November 25, 2022, 8:07am

As given in example oauthenticator/sample_jupyter_config.py at 0a2f0d8c0a99469570b7c1168cec6dfcaf45ec5f · jupyterhub/oauthenticator · GitHub after changing in the config to:
c.AzureAdOAuthenticator.username_claim = ‘unique_name’

Now I get the email address returned so getting closer. Just need to figure out how to get the upn firstname.lastname or may need to change config to ignore the @xyz.com suffix in the email address. Which parameter in the config can be used to remove the @xyz.com suffix using some regular expression or other means?

manics · November 27, 2022, 6:24pm

username_claim can be a callable, which means it can be a function that manipulates the response. Something like this may work:

def get_username_from_userinfo(userinfo):
    return userinfo["email"].split("@")[0]

c.AzureAdOAuthenticator.username_claim = get_username_from_userinfo

ebeb · November 28, 2022, 4:32am

Hello @manics I tried above code but jupyterhub wont start and gave error below. Another other ideas?

  File "/data1r10/opt/anaconda3/lib/python3.9/site-packages/traitlets/traitlets.py", line 2190, in validate
    self.error(obj, value)
  File "/data1r10/opt/anaconda3/lib/python3.9/site-packages/traitlets/traitlets.py", line 692, in error
    raise TraitError(e)
traitlets.traitlets.TraitError: The 'username_claim' trait of an AzureAdOAuthenticator instance expected a unicode string, not the function 'get_username_from_userinfo'.

manics · November 28, 2022, 8:42pm

Apologies, that was only recently added to AzureAdOAuthenticator as part of a large refactoring so it’s not released yet:

github.com/jupyterhub/oauthenticator

Refactor oauthenticators

jupyterhub:main ← GeorgianaElena:refactor

opened 05:02PM - 07 Jul 22 UTC

GeorgianaElena

+810 -892

- Creates a base `authenticate` method that consists of: ```python async …def authenticate(self, handler, data=None): tokens_info = await self.get_tokens_info(handler) user_info = await self.token_to_user(tokens_info) auth_state = await self.create_auth_state(tokens_info, user_info) return auth_state ``` The scope is to also introduce `refresh_user` in this workflow - Implements genric `get_tokens_info` and `token_to_user` methods in `oauth2.py` and lets the oauthenticators only implement `create_auth_state` (this ca be further refactored into smaller pieces) - Moves some attributes from `generic` to `oauth2` The puropose of this refactoring is to make implementing https://github.com/jupyterhub/oauthenticator/issues/398 easier. - [X] oauthenticator.oauth2 - [X] oauthenticator.auth0 - [X] oauthenticator.azuread - [X] oauthenticator.bitbucket - [X] oauthenticator.cilogon - [X] oauthenticator.generic - [X] oauthenticator.github - [X] oauthenticator.gitlab - [x] oauthenticator.globus - [x] oauthenticator.google - [x] oauthenticator.okpy - [x] oauthenticator.openshift - [x] oauthenticator.mediawiki

Previously only some authenticators supported a callable username_claim, but hopefully it won’t be too long until it’s released.

ebeb · November 29, 2022, 8:11am

ok no problem, will try to see if can include the logic manually or wait until official release. I haven’t looked at the code much so if you can point me to the function to add some code for the simplest way to modify the email to remove the @xyz.com suffix that will be a great help.

Topic		Replies	Views
Customizing username by which pod is spawned after authentication Zero to JupyterHub on Kubernetes how-to	2	771	February 14, 2022
JupyterHub fails to spawn server using DummyAuthenticator JupyterHub jupyterhub , help-wanted	3	1990	March 27, 2021
AzureADAzureAdOAuthenticator JupyterHub	4	420	October 25, 2023
My JupyterHub with Azure AD Authentication Returned 403 Response Despite Successful AD Login JupyterHub how-to , help-wanted	1	444	January 3, 2024
DockerSpawner / SystemUserSpawner - manually set the user's home directory? JupyterHub jupyterhub , help-wanted	6	1053	September 25, 2023

AzureAdOAuthenticator returning given name instead of username

Related topics