How to access user_data json from OAuthenticator?

tonyspizza · September 23, 2021, 12:35am

I’m using the GenericOAuthenticator from GitHub - jupyterhub/oauthenticator: OAuth + JupyterHub Authenticator = OAuthenticator
and I’d like to be able to access the groups within the user response json data.
In my jupyterhub_config.py, I got

    c.JupyterHub.authenticator_class = 'oauthenticator.generic.GenericOAuthenticator'

and for the claim groups key, I put in

c.GenericOAuthenticator.claim_groups_key = lambda r: r.get('mygroups')

as I would want it to be Callable so I can access the underlying dict of the response.
The resulting dict would look something like this:

{
    'name': 'Foo Bar',
    'family_name': 'Bar',
    'given_name': 'Foo',
    'mygroups': [
        'group1',
        'group2',
        'group3'
    ]
}

If I try to do c.GenericOAuthenticator.claim_groups_key(), it will give me an error complaining that it needs a parameter ‘r’. But I don’t know which variable should be used for r. I’m not sure if I’m going about this the wrong way, but all I want to do is to be able to get the value of “mygroups”.
When JupyterHub spins up and reads in all the data from jupyterhub_config.py, it runs that lambda function and inserts the user_data dict for r. But how would I be able to access the user_data dict from within c.GenericOAuthenticator? I need to be able to parse it to be able to send it to somewhere else.

Thanks!

tonyspizza · September 24, 2021, 3:42pm

Basically what I’m trying to do is to have a custom KubeSpawner be able to read the groups that the claim groups key is referring to and pass that to the c.KubeSpawner.profile_list. The custom spawner is included inside of the values.yaml file within the Helm chart.

Any ideas?

manics · September 25, 2021, 1:31pm

c.GenericOAuthenticator.claim_groups_key() won’t work if called manually, it’s designed to be called by the GenericOAuthenticator code when it’s running:

github.com

jupyterhub/oauthenticator/blob/93284e024c298bdff80d6e573361c33c1ed9cd21/oauthenticator/generic.py#L197-L198

    
      
          if callable(self.claim_groups_key):
              groups = self.claim_groups_key(user_data_resp_json)

As you can see user_data_resp_json is passed to your function.

tonyspizza · September 26, 2021, 5:37am

Ok, so trying to access that directly is a non-starter. I wonder if I can use the pre_spawn_start() method to pass the auth_state to the spawner via the environment variable as described here: Authenticators — JupyterHub 1.4.2 documentation

manics · September 27, 2021, 8:06pm

If the information you need can be obtained by the authenticate method then yes, you can save it auth_state and retrieve it in the pre_spawn_start hook.

authenticate returns a user_info object with auth_state which includes user_data_resp_json:

github.com

jupyterhub/oauthenticator/blob/93284e024c298bdff80d6e573361c33c1ed9cd21/oauthenticator/generic.py#L185-L188

    
      
          user_info = {
              'name': name,
              'auth_state': self._create_auth_state(token_resp_json, user_data_resp_json),
          }

github.com

jupyterhub/oauthenticator/blob/93284e024c298bdff80d6e573361c33c1ed9cd21/oauthenticator/generic.py#L149

    
      
          def _create_auth_state(token_response, user_data_response):
              access_token = token_response['access_token']
              refresh_token = token_response.get('refresh_token', None)
              scope = token_response.get('scope', '')
              if isinstance(scope, str):
                  scope = scope.split(' ')
          
          
    return {
                  'access_token': access_token,
                  'refresh_token': refresh_token,
                  'oauth_user': user_data_response,
                  'scope': scope,
              }
          
          
@staticmethod
          def check_user_in_groups(member_groups, allowed_groups):
              return bool(set(member_groups) & set(allowed_groups))
          
          
async def authenticate(self, handler, data=None):
              code = handler.get_argument("code")

so if the information you need is already in user_data_resp_json you shouldn’t need to override authenticate.

tonyspizza · September 27, 2021, 10:41pm

So it turns out that I didn’t need to override any of the Authenticator() logic.

I did have to enable my auth state in the OAuthenticator:

c.JupyterHub.authenticator_class = 'oauthenticator.generic.GenericOAuthenticator'
c.GenericOAuthenticator.enable_auth_state = True
os.environ['JUPYTERHUB_CRYPT_KEY'] = token_hex(32)

then had to create a userdata hook for the auth state as shown here:

github.com

jupyterhub/jupyterhub/blob/27908a8e1742e690e4dc7778900160e40b7bd815/jupyterhub/spawner.py#L720-L723

    
      
          def userdata_hook(spawner, auth_state):
              spawner.userdata = auth_state["userdata"]
          
          
c.Spawner.auth_state_hook = userdata_hook

if I do a self.log.debug(auth_state) inside the userdata hook method, then I can see the user_data_resp_json.

Topic		Replies	Views
[GenericOAuthenticator] Pulling `claim_groups_key` from another token than the one returned by `USERDATA_URL` for AWS Cognito JupyterHub jupyterhub , help-wanted	2	1265	May 30, 2022
GenericOAuthenticator - Restrict access using claims JupyterHub	2	1209	November 22, 2022
GenericAuthenticator with Cognito: how to check for department match The Littlest JupyterHub	5	581	February 27, 2023
Is it compulsory to have OAUTH2_USERDATA_URL and CLIENT_SECRET to use Generic Oauthenticator with jupyterhub? Zero to JupyterHub on Kubernetes community , how-to , help-wanted	0	459	July 14, 2020
Is Jupyterhub RBAC groups the same as OAuth groups? Zero to JupyterHub on Kubernetes jupyterhub , how-to , help-wanted	3	761	November 16, 2023

How to access user_data json from OAuthenticator?

Related topics