Error 500 when trying to authenticate through AD FS

I’m trying to make JupyterHub work alongside AD FS. There is no specific documentation on how to do this, so I’m trying to use the GenericOAuthenticator:

hub:
  config:
    GenericOAuthenticator:
      client_id: [REDACTED]
      client_secret: [REDACTED]
      oauth_callback_url: https://my-jupyterhub-domain/hub/oauth_callback
      authorize_url: https://my-adfs-domain/adfs/oauth2/authorize
      token_url: https://my-adfs-domain/adfs/oauth2/token
      userdata_url: https://my-adfs-domain/userinfo
      scope:
        - openid
        - name
        - profile
        - email
      username_key: name
    JupyterHub:
      authenticator_class: generic-oauth

With the above configuration, I was able to obtain the temporary code from the external OAuth provider, but when the request with the code was made by the browser to JupyterHub (/hub/oauth_callback?code=[CODE]), I got an Error 500.

I can see in the AD FS logs that the token was generated.

Any hints?

Can you turn on debug logging and show us your logs for the full authentication attempt?

Total novice here. Is there a way to turn on debug mode using the YAML file (I’m using the k8s setup)?

Edit: never mind

@manics here is what I found in the logs:

Uncaught exception GET /hub/oauth_callback?code=[REDACTED_CODE] ([REDACTED_IP])
    HTTPServerRequest(protocol='http', host='my-jupyterhub-domain', method='GET', uri='/hub/oauth_callback?code=[REDACTED_CODE]', version='HTTP/1.1', remote_ip='[REDACTED_IP]')
    Traceback (most recent call last):
      File "/usr/local/lib/python3.8/dist-packages/tornado/web.py", line 1704, in _execute
        result = await result
      File "/usr/local/lib/python3.8/dist-packages/oauthenticator/oauth2.py", line 224, in get
        user = await self.login_user()
      File "/usr/local/lib/python3.8/dist-packages/jupyterhub/handlers/base.py", line 749, in login_user
        authenticated = await self.authenticate(data)
      File "/usr/local/lib/python3.8/dist-packages/jupyterhub/auth.py", line 462, in get_authenticated_user
        authenticated = await maybe_future(self.authenticate(handler, data))
      File "/usr/local/lib/python3.8/dist-packages/oauthenticator/generic.py", line 157, in authenticate
        user_data_resp_json = await self._get_user_data(http_client, token_resp_json)
      File "/usr/local/lib/python3.8/dist-packages/oauthenticator/generic.py", line 123, in _get_user_data
        resp = await http_client.fetch(req)
    tornado.httpclient.HTTPClientError: HTTP 405: Method Not Allowed

It sounds like JupyterHub is making an invalid request to your authentication provider. You’ve only included the final error log. Can you include the logs for the entire authentication process, starting from when the JupyterHub login page is loaded?

Thank you. It was indeed an invalid request. The userdata_url was wrongly set to https://my-adfs-domain/oauth2/userinfo. The correct URL is https://my-adfs-domain/userinfo, as shown in the original post.

But now I’m getting a 403 error. I’ve just created a new post about it.
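
Added example, not part of the thread and not code from JupyterHub or OAuthenticator: one way to catch the kind of `userdata_url` mismatch resolved above is to compare the three GenericOAuthenticator endpoint settings with the endpoints the provider publishes in its OpenID Connect discovery metadata. The function name, the sample metadata and the sample configs are constructed for illustration and reuse the placeholder URLs from the posts.

```python
from urllib.parse import urlsplit

# GenericOAuthenticator setting -> standard OIDC discovery metadata field
ENDPOINT_FIELDS = {
    "authorize_url": "authorization_endpoint",
    "token_url": "token_endpoint",
    "userdata_url": "userinfo_endpoint",
}

def _normalize(url):
    """Compare URLs on scheme, host, port and path, ignoring case and a trailing slash."""
    p = urlsplit(url)
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port, p.path.rstrip("/"))

def check_endpoints(authenticator_config, provider_metadata):
    """Return (setting, problem) pairs for endpoints that disagree with the provider."""
    problems = []
    for setting, field in ENDPOINT_FIELDS.items():
        configured = authenticator_config.get(setting)
        published = provider_metadata.get(field)
        if not configured:
            problems.append((setting, "not set"))
        elif urlsplit(configured).scheme.lower() != "https":
            problems.append((setting, "not https"))
        elif published is None:
            problems.append((setting, f"provider metadata has no {field}"))
        elif _normalize(configured) != _normalize(published):
            problems.append(
                (setting, f"configured {configured} but provider publishes {published}")
            )
    return problems

# Constructed metadata, using the endpoint values the thread reports as working.
SAMPLE_METADATA = {
    "authorization_endpoint": "https://my-adfs-domain/adfs/oauth2/authorize",
    "token_endpoint": "https://my-adfs-domain/adfs/oauth2/token",
    "userinfo_endpoint": "https://my-adfs-domain/userinfo",
}
# Constructed configs: the first carries the mistaken userdata_url from the thread.
MISCONFIGURED = {
    "authorize_url": "https://my-adfs-domain/adfs/oauth2/authorize",
    "token_url": "https://my-adfs-domain/adfs/oauth2/token",
    "userdata_url": "https://my-adfs-domain/oauth2/userinfo",
}
CORRECTED = dict(MISCONFIGURED, userdata_url="https://my-adfs-domain/userinfo")

if __name__ == "__main__":
    for setting, problem in check_endpoints(MISCONFIGURED, SAMPLE_METADATA):
        print(f"{setting}: {problem}")
```

In practice the metadata dict would be the parsed JSON of the provider's discovery document rather than the constructed sample.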