Forward authentication to other services

Hi there!

We are looking for a way to forward authentication tokens to our APIs.

In essence - we don’t want users to have to juggle multiple sets of credentials when accessing our JupyterHub environment. Users logged in and running a personal JupyterLab instance should ideally be able to access our APIs directly without having to request a new API token or hard-code credentials directly in the notebook.

We are using Azure B2C as our primary authentication provider, and of course the AzureAdOAuthenticator in JupyterHub.

Is this possible to achieve? For example - is it possible to obtain the OAUTH access token from the server environment or cookies? Could the JupyterHub proxy be used for this?

You can use auth_state and override Authenticator.pre_spawn_start to do this, see for example:
https://jupyterhub.readthedocs.io/en/stable/reference/authenticators.html#using-auth-state

I had success by porting the same authenticator class I was using in my JupyterHub deployment. Basically I followed the “Who am I” example but added an extra step at the beginning of the decorated method here that runs authenticator.authenticate() against the request.

Cool! How about token refresh though? It seems like the user would have to respawn the notebook server every time the token expires?

If you pass the refresh token to the notebook environment, the notebook can then exchange that for an access token each time it runs.

Thanks @minrk, refresh tokens seem like the way to go. However, how would one go about storing the refresh token securely? Having the refresh token in the environment would leave it completely exposed to the user.

If you want to hide the token from the user you could consider writing a JupyterHub service to act as an intermediary.

You could override your authenticator to store the refresh token in a shared location accessible by the new service, and have your notebook connect to that service.
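
An added example, not code from any poster in this thread: a sketch of the auth_state plus pre_spawn_start approach that forwards only the access token and keeps the refresh token out of the user-readable environment. The mixin name, the API_ACCESS_TOKEN variable name and the "access_token" / "refresh_token" keys in auth_state are assumptions, and the fake user and spawner are constructed stand-ins so the logic runs without a Hub.

```python
import asyncio

# auth_state key -> environment variable name (the variable name is an assumption).
# "refresh_token" is deliberately not listed: anything placed in the
# single-user server's environment is readable by the notebook user.
FORWARDED_KEYS = {"access_token": "API_ACCESS_TOKEN"}


class ForwardAccessTokenMixin:
    """Hypothetical mixin; combine with the real authenticator, e.g.
    class MyAuth(ForwardAccessTokenMixin, AzureAdOAuthenticator): ...
    The Hub must have enable_auth_state = True and JUPYTERHUB_CRYPT_KEY set.
    """

    async def pre_spawn_start(self, user, spawner):
        auth_state = await user.get_auth_state()
        if not auth_state:
            # Nothing persisted (auth state disabled or never stored):
            # spawn without a token instead of failing the spawn.
            return
        for key, env_name in FORWARDED_KEYS.items():
            value = auth_state.get(key)
            if value:
                spawner.environment[env_name] = value


# --- Constructed stand-ins for the Hub's user and spawner objects ---
class FakeUser:
    def __init__(self, auth_state):
        self._auth_state = auth_state

    async def get_auth_state(self):
        return self._auth_state


class FakeSpawner:
    def __init__(self):
        self.environment = {}


def spawn_env_for(auth_state):
    """Run the hook once and return the environment the notebook would see."""
    spawner = FakeSpawner()
    asyncio.run(ForwardAccessTokenMixin().pre_spawn_start(FakeUser(auth_state), spawner))
    return spawner.environment


if __name__ == "__main__":
    print(spawn_env_for({"access_token": "constructed-access",
                         "refresh_token": "constructed-refresh"}))
```

With this split, the refresh token stays in the Hub's encrypted auth_state, where an intermediary service like the one suggested above can use it.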