How to get the id_token JWT from Google authenticator?

jhuylebroeck · February 22, 2023, 10:38pm

Hi,
we’ve been looking everywhere how to get the id_token JWT when using Google Authenticator in jupyterhub (on kubernetes).
We get the access_token and other user info, but not that one.

It seems the authenticator code is not requesting for it, and so it doesn’t end up in the auth_state.

Anybody doing SSO auth with google and setting an env variable to the JWT that could give us a hint by any chance?

Thanks for any clue you may have

jhuylebroeck · February 23, 2023, 1:43am

adding some context.

We tried to extend the GoogleOAuthenticator, and got it to call our authenticate method. Though the id_token is empty.

      from oauthenticator.google import GoogleOAuthenticator
      class UbyreGoogleOAuthenticator(GoogleOAuthenticator):
        async def authenticate(self, handler, data=None):
          print("authenticate")
          user = await super().authenticate(handler, data)
          user['id_token'] = handler.get_argument('id_token', '')
          print(user['id_token'])
          return user

It’s because the underlying code making the call to Google doesn’t request for the id_token.
That’s done in the code of the HubOAuth that creates the request with just the response_type set to code. What we would need is the response_type to be code id_token

See in the _login_url method
def _login_url(self):

Did we miss something somewhere that would allow to change this behavior without having to change the core code of JupyterHub?

manics · February 24, 2023, 12:57pm

HubOAuth is used for internal OAuth between JupyterHub components/services. User authentication is separate, and is completely handled by the Authenticator.
The source for the GoogleOAuthenticator is

github.com

jupyterhub/oauthenticator/blob/af9b395b5e6ec6a0ef3731142b16e4f1899cadfd/oauthenticator/google.py

"""
Custom Authenticator to use Google OAuth with JupyterHub.

Derived from the GitHub OAuth authenticator.
"""
import os
import urllib.parse

from jupyterhub.auth import LocalAuthenticator
from jupyterhub.crypto import EncryptionUnavailable, InvalidToken, decrypt
from tornado.auth import GoogleOAuth2Mixin
from tornado.httpclient import HTTPRequest
from tornado.httputil import url_concat
from tornado.web import HTTPError
from traitlets import Dict, List, Unicode, default, validate

from .oauth2 import OAuthenticator


def check_user_in_groups(member_groups, allowed_groups):

This file has been truncated. show original

jhuylebroeck · February 24, 2023, 8:08pm

Yes you can for sure say that I am confused between the HubOAuth role and the Authenticator role in all this. Thanks for pointing this out.

I’ve looked at this Google related code multiple times actually.
We couldn’t find a way to get the id_token by extending it.
The google authenticator code doesn’t have anything related to id_token either.
Our understanding is that the id_token is returned by Google when the openid scope is included, which it is by default in the code, and we add it also in our helm chart config for good measure.

We have a work around using just the access_token/refresh_token now, so it’s not blocking.
Would have been super nice if we had been able to get that id_token JWT instead for the integration with our own auth backend.

Topic		Replies	Views
How to get user jwt token JupyterHub	1	457	August 9, 2023
Google OAuthenticator extra security check JupyterHub	7	1363	August 19, 2019
how to get the authentication token current user JupyterHub how-to	1	2806	May 1, 2021
CustomAuthenticator JupyterHub help-wanted	4	490	August 22, 2023
Passing access_token to pod with custom Authenticator class Zero to JupyterHub on Kubernetes help-wanted	4	776	July 7, 2022

How to get the id_token JWT from Google authenticator?

Related topics