How to use certificate authentication with AAD (for oauth) instead of client secret

sanjaydebnath · November 27, 2022, 12:55am

We are deploying JupyterHub on AKS & today we have to provide the client secret of our AAD App to enable authentication with Azure AD. And when the secret expires, its an upgrade ideally. But what we want to do is to use the certificate authentication instead of secret. The certificate stays in our KeyVault & it autorotates every 3 months. We pull the same certificate inside our AKS cluster as a secret (which auto renews every time it rotates in KV with help of Azure Key Vault Provider for Secrets Store CSI Driver). So we want to get rid of this dependency on app secret & the cost to manage it over time. Is it possible today? If not is there a feature request for the same that I can look at?

hub:
  config:
    AzureAdOAuthenticator:
      client_id: <<aad-app-id>>
      client_secret: "<<aad-app-secret>>"
      oauth_callback_url: https://<<your-domain-name>>/hub/oauth_callback
      tenant_id: <<tenant-id>>
      scope:
        - openid
        - email
    JupyterHub:
      authenticator_class: azuread

manics · November 27, 2022, 5:11pm

It’s not supported.

The code for AzureAdOAuthenticator is in

github.com

jupyterhub/oauthenticator/blob/e6a3d89d382cab607ccf15547e790e73108f169b/oauthenticator/azuread.py

"""
Custom Authenticator to use Azure AD with JupyterHub
"""
import os

import jwt
from jupyterhub.auth import LocalAuthenticator
from traitlets import Unicode, default

from .oauth2 import OAuthenticator


class AzureAdOAuthenticator(OAuthenticator):
    login_service = Unicode(
        os.environ.get('LOGIN_SERVICE', 'Azure AD'),
        config=True,
        help="""Azure AD domain name string, e.g. My College""",
    )

    tenant_id = Unicode(config=True, help="The Azure Active Directory Tenant ID")

This file has been truncated. show original

which inherits from

github.com

jupyterhub/oauthenticator/blob/e6a3d89d382cab607ccf15547e790e73108f169b/oauthenticator/oauth2.py#L241-L783


      
          class OAuthenticator(Authenticator):
              """Base class for OAuthenticators
          
          
    Subclasses must override:
          
          
    login_service (string identifying the service provider)
              authenticate (method takes one arg - the request handler handling the oauth callback)
              """
          
          
    login_handler = OAuthLoginHandler
              callback_handler = OAuthCallbackHandler
              logout_handler = OAuthLogoutHandler
          
          
    user_auth_state_key = Unicode(
                  "oauth_user",
                  config=True,
                  help="""The name of the user key expected to be present in `auth_state`.""",
              )
          
          
    authorize_url = Unicode(

This file has been truncated. show original

I think your best option is to subclass either AzureAdOAuthenticator or OAuthenticator in a new spawner to implement the certificate handling and integration with Kubernetes secrets, and share it with everyone here.

Topic		Replies	Views
The little jupyter hub OAuthenticator by AzureAD The Littlest JupyterHub how-to	2	1267	December 14, 2023
How am I supposed to use `existingSecret` Zero to JupyterHub on Kubernetes jupyterhub , how-to , help-wanted	12	3872	May 30, 2024
Kubernetes python module not found in custom jupyterhub container for custom authentication Zero to JupyterHub on Kubernetes help-wanted	4	2418	November 5, 2020
OAuth + Azure AD - 403 on login? JupyterHub	4	590	September 15, 2024
Azure AD Conditional Access Not Applying Zero to JupyterHub on Kubernetes	2	869	March 11, 2022

How to use certificate authentication with AAD (for oauth) instead of client secret

Related topics