How to use certificate authentication with AAD (for oauth) instead of client secret

We are deploying JupyterHub on AKS & today we have to provide the client secret of our AAD App to enable authentication with Azure AD. And when the secret expires, its an upgrade ideally. But what we want to do is to use the certificate authentication instead of secret. The certificate stays in our KeyVault & it autorotates every 3 months. We pull the same certificate inside our AKS cluster as a secret (which auto renews every time it rotates in KV with help of Azure Key Vault Provider for Secrets Store CSI Driver). So we want to get rid of this dependency on app secret & the cost to manage it over time. Is it possible today? If not is there a feature request for the same that I can look at?

      client_id: <<aad-app-id>>
      client_secret: "<<aad-app-secret>>"
      oauth_callback_url: https://<<your-domain-name>>/hub/oauth_callback
      tenant_id: <<tenant-id>>
        - openid
        - email
      authenticator_class: azuread

It’s not supported.

The code for AzureAdOAuthenticator is in

which inherits from

I think your best option is to subclass either AzureAdOAuthenticator or OAuthenticator in a new spawner to implement the certificate handling and integration with Kubernetes secrets, and share it with everyone here.

1 Like