GenericOAuthenticator - Restrict access using claims

adelisle · January 25, 2021, 10:34pm

Hello,

We are using GenericOAuthenticator configured to use a Keycloak Open ID client.
It works as expected, however it enables access to Jupyter Hub for the whole Keycloak Realm.

We would like to restrict access using claims, such as some claim must have some specified value.
That doesn’t seem presently possible.

Did I miss something or would that be a new feature?

Thank you for your time

fizdoonk · December 13, 2021, 1:00am

I’m yet to try this, but if we look at oauthenticator/generic.py at ccd58a6e125ae6c57d7e6df7a5b95178ac9435cb · jupyterhub/oauthenticator · GitHub

looks like we can specify:

GenericOAuthenticator:
   claim_groups_key: groups
   allowed_groups:
      - groupA
      - groupB

and make sure built-in mapper groups has been added to our client

slayernick · November 22, 2022, 12:24am

I am passing in role claims. so when I set claim_groups_key: roles … it is still not finding the role claim that is coming with my user as {‘sub’: user, ‘roles’: role1} … what am I missing here… and I am setting allowed_groups to role1

Topic		Replies	Views
[GenericOAuthenticator] Pulling `claim_groups_key` from another token than the one returned by `USERDATA_URL` for AWS Cognito JupyterHub jupyterhub , help-wanted	2	1265	May 30, 2022
JupyterHub + KeyCloak auth and LDAP user groups JupyterHub	7	1365	October 13, 2024
GenericAuthenticator with Cognito: how to check for department match The Littlest JupyterHub	5	581	February 27, 2023
Jupyterhub with keycloak:-claim_groups_key roles does not exist in the user token Zero to JupyterHub on Kubernetes help-wanted	1	80	September 18, 2024
How to access user_data json from OAuthenticator? JupyterHub jupyterhub , help-wanted	5	827	September 27, 2021

GenericOAuthenticator - Restrict access using claims

Related topics