GenericAuthenticator with Cognito: how to check for department match


I just set up TLJH and I like it :)
We are using AWS Cognito to federate our PingID based SSO solution. There is a custom claim custom:department that contains the user’s department as a string.

I can't wrap my head around it - it does not work like this because I think the code expects a list/array.

c.GenericOAuthenticator.claim_groups_key = "custom:department"
c.GenericOAuthenticator.allowed_groups = ["A B CC D"]

How can I configure the “callable” that converts the single string in the custom:department claim into the needed structure so that I can work with allowed_groups and add the permitted departments in that list?

Thanks :)

That looks right to me, it should look up the custom:department and only members of the group A B CC D are allowed to log in.

What behaviour are you expecting?

Yes I expected the same but I get a 403 forbidden when configuring the settings like that - but I am in that department.
So I wanted to play around with the 'callable' but have no clue.

Try something like

def claim_groups_key_func(user_data_resp_json):
    # Do something with user_data_resp_json to build the list of group names
    groups = []  # placeholder: fill this from user_data_resp_json
    return groups

c.GenericOAuthenticator.claim_groups_key = claim_groups_key_func

This is where it’s called:

Turns out if you are doing it right, it works. Indeed the code was expecting a list and the department in my token is stored as a string.


def claim_groups_key_func(user_data_resp_json):
    return [user_data_resp_json['custom:department']]

c.GenericOAuthenticator.claim_groups_key = claim_groups_key_func
c.GenericOAuthenticator.allowed_groups = ["AA BB C", "BB CC D"]

Added "docs(awscognito): add custom claims example" by nodomain (Pull Request #854, jupyterhub/the-littlest-jupyterhub on GitHub) to improve the docs.
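
Added example, not part of the thread and not oauthenticator's own code: a variant of the callable above that returns no groups (so login is denied) when the custom:department claim is missing, empty or of an unexpected type, instead of raising KeyError. The names department_groups and is_allowed, the set-based membership check and the sample responses are assumptions made for illustration.

```python
def department_groups(user_data_resp_json, claim="custom:department"):
    """Turn the department claim into the list that allowed_groups is compared to.

    Department names contain spaces ("AA BB C"), so a string value is wrapped
    in a list, never split. Anything unusable yields [] and matches nothing.
    """
    value = user_data_resp_json.get(claim)
    if isinstance(value, str):
        value = [value]
    if not isinstance(value, list):
        return []  # claim missing or unexpected type: no groups
    # Keep only non-empty strings, trimmed of surrounding whitespace.
    return [v.strip() for v in value if isinstance(v, str) and v.strip()]


def is_allowed(user_groups, allowed_groups):
    """Stand-in membership test (assumed): allowed if any group is shared."""
    return bool(set(user_groups) & set(allowed_groups))


ALLOWED = ["AA BB C", "BB CC D"]

# Constructed sample userinfo responses, not real Cognito output.
SAMPLES = {
    "member": {"username": "alice", "custom:department": "AA BB C"},
    "other_department": {"username": "bob", "custom:department": "ZZ"},
    "prefix_only": {"username": "carol", "custom:department": "AA"},
    "claim_missing": {"username": "dave"},
    "claim_null": {"username": "erin", "custom:department": None},
}


def decide(samples=SAMPLES, allowed=ALLOWED):
    """Return {sample name: allowed?} for each constructed response."""
    return {name: is_allowed(department_groups(resp), allowed)
            for name, resp in samples.items()}


# Under this stand-in check, a bare string iterates as single characters,
# so passing the claim through unwrapped shares nothing with ALLOWED.
RAW_STRING_ALLOWED = is_allowed("AA BB C", ALLOWED)

# In jupyterhub_config.py (c is provided by JupyterHub):
#   c.GenericOAuthenticator.claim_groups_key = department_groups
#   c.GenericOAuthenticator.allowed_groups = ALLOWED

if __name__ == "__main__":
    for name, ok in decide().items():
        print(f"{name:18} {'allow' if ok else 'deny'}")
```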