Cannot manage groups via API when using AzureAuthenticator

blinak · January 27, 2025, 12:07pm

I have deployed jupyterhub using the helmchart version 4.0.0. I am using azure as Authenticator and the config looks like this:

authenticator: |
                    import os
                    from oauthenticator.azuread import AzureAdOAuthenticator
    
                    c.AzureAdOAuthenticator.oauth_callback_url = "https://jupyterhub-test-dev/hub/oauth_callback"
                    c.AzureAdOAuthenticator.username_claim = "unique_name"
                    c.AzureAdOAuthenticator.enable_auth_state = True
                    c.AzureAdOAuthenticator.manage_groups = True
                    c.AzureAdOAuthenticator.auth_state_groups_key = "user.groups"
                    c.AzureAdOAuthenticator.allowed_groups = ["jupyterhub-test-admin", "jupyterhub-test-user"]
                    c.AzureAdOAuthenticator.admin_groups = ["jupyterhub-test-admin" ]
                    c.AzureAdOAuthenticator.scope =  ["GroupMember.Read.All", "User.Read", "User.Read.All", "email", "openid" ]

                    class subAzureAuthenticator(AzureAdOAuthenticator):
                    
                      def normalize_username(self, username):
 
                        username = username.lower().split('@')[0]
                        clean_username = username.replace('.', '')
                        clean_username =clean_username.replace('_', '')
                    
                        return clean_username
                    
                      
                    c.JupyterHub.authenticator_class = subAzureAuthenticator

The group sync works as expected. After I login, I can see the the groups created in the admin panel. However, as admin, I cannot delete or edit these groups.

logs from hub:

Checking access to /hub/api/groups/jupyterhub-test-admin via scope delete:groups!group=jupyterhub-test-admin
[W 2025-01-27 12:04:45.399 JupyterHub web:1873] 400 DELETE /hub/api/groups/jupyterhub-test-admin?_xsrf=token (95.90.206.235): Group management via API is disabled
[W 2025-01-27 12:04:45.399 JupyterHub log:192] 400 DELETE /hub/api/groups/jupyterhub-test-admin?_xsrf=[secret]

Is that the expected behaviour? I thought that having admin permission includes this role : ‘admin:groups!group=jupyterhub-test-admin’ and ‘admin:users!group=jupyterhub-test-admin’

I need to be able to delete the groups because sometimes we delete the user groups in azure app registration, but this is not synced in jupyterhub user management database. Even though the groups is delete in azure, it still remains in jupyterhub.

manics · January 27, 2025, 4:13pm

Currently the API for managing groups is disabled when manage_groups = True:

github.com/jupyterhub/jupyterhub

jupyterhub/apihandlers/groups.py

cddeeb9da


      
          def check_authenticator_managed_groups(self):
              """Raise error on group-management APIs if Authenticator is managing groups"""
              if self.authenticator.manage_groups:
                  raise web.HTTPError(400, "Group management via API is disabled")

Are the groups still present when you restart JupyterHub?

blinak · January 29, 2025, 12:21pm

yes, the group that is removed from azure app registration, is still appearing in group list.

blinak · February 3, 2025, 10:31am

Is there any flag that can be set to refresh the groups to match with the ones specified in the app registration in azure?

minrk · February 6, 2025, 9:54am

Unfortunately, there is currently no way to delete groups when the Authenticator is managing them. We set this up for roles to have the ability to re-initialize roles on startup, but haven’t done that for groups.

We’ll have to think about what that config should look like, but I think the simplest fix is to actually change the “Group management via API is disabled” condition to only apply to group membership, and still permit group creation and deletion via the API.

We could also reconsider blocking group-management via the API altogether. Admins will have to realize that any changes they make via the API will be overridden when users login again, but this would allow manual reconciliation like the deletion here without any unnecessary frustration. But it’s not inherently wrong to allow group management via the API. It just may lead to surprise that admin changes may get lost since the Authenticator has priority. But if the admin changes are manually reconciling with upstream as is the case here, then everything will be as the admin expects. I’m currently leaning toward this choice.

minrk · February 13, 2025, 12:08pm

allow group management API when managed_groups is True by minrk · Pull Request #5004 · jupyterhub/jupyterhub · GitHub removes the manage_groups check, allowing admins full access to group membership. There’s a caveat that managed groups means that any changes you make manually could be clobbered by an authentication event, but that doesn’t mean you shouldn’t be allowed to ever make them (especially those that can’t be done by authentication events, such as group deletion).

likku123 · March 3, 2025, 3:48am

@blinak

Is it possible to share the Azure side of AD things by masking the sensitive information.

I am pretty much stuck here c.AzureAdOAuthenticator.auth_state_groups_key = “user.groups”

Where in logs it says user.groups does not exists.

I would like to know how you have achieved it.

Thanks in advance.

blinak · May 21, 2025, 12:25pm

This response might be late but I will add it here is case it still helps someone:

it is required you add the groups claim so that you avoid the user.groups missing in the token.

Additionally enable the group API permissions in entraID app registration:
GroupMember.Read.All and User.Read.All
And make sure that in Manage → Manifest you have the following configuration



groups claim configuration : 
    "optionalClaims": {
        "accessToken": [
            {
                "additionalProperties": [
                    "cloud_displayname",
                    "sam_account_name"
                ],
                "essential": false,
                "name": "groups",
                "source": null
            }
        ],
        "idToken": [
            {
                "additionalProperties": [
                    "cloud_displayname",
                    "sam_account_name"
                ],
                "essential": false,
                "name": "groups",
                "source": null
            }
        ],
        "saml2Token": [
            {
                "additionalProperties": [
                    "cloud_displayname",
                    "sam_account_name"
                ],
                "essential": false,
                "name": "groups",
                "source": null
            }
        ]
    }

Topic		Replies	Views
How do Groups in JH work with the AzureAdOAuthenticator? JupyterHub help-wanted	1	364	June 12, 2024
Azure groups in sync with Jupyterhub groups Zero to JupyterHub on Kubernetes help-wanted	15	293	March 4, 2025
ZTJH settings for large Microsoft Azure AD groups JupyterHub	1	30	June 9, 2025
Admin Scopes Not Given to Users With Admin Role Zero to JupyterHub on Kubernetes jupyterhub , help-wanted	4	630	October 2, 2023
How to extract azure groups_id after login with AzureAdOAuthenticator? JupyterHub jupyterhub , how-to , help-wanted	2	88	January 20, 2025

Cannot manage groups via API when using AzureAuthenticator

Related topics