GenericOAuthenticator - Restrict access using claims


We are using GenericOAuthenticator configured to use a Keycloak Open ID client.
It works as expected, however it enables access to Jupyter Hub for the whole Keycloak Realm.

We would like to restrict access using claims, such as some claim must have some specified value.
That doesn’t seem presently possible.

Did I miss something or would that be a new feature?

Thank you for your time

I’m yet to try this, but if we look at oauthenticator/ at ccd58a6e125ae6c57d7e6df7a5b95178ac9435cb · jupyterhub/oauthenticator · GitHub

looks like we can specify:

   claim_groups_key: groups
      - groupA
      - groupB

and make sure built-in mapper groups has been added to our client

1 Like

I am passing in role claims. so when I set claim_groups_key: roles … it is still not finding the role claim that is coming with my user as {‘sub’: user, ‘roles’: role1} … what am I missing here… and I am setting allowed_groups to role1