Hello,
I am using an external OIDC provider to authentify my users.
That provider communicates in its Authorization Http Header some values I would like to reuse during the authorization phase of Jupyterhub.
Currently my Jupyterhub use its internal http-proxy.
Jupyterhub is also configured with the GenericOAuthenticator to authorize the users.
I tried to override the “check_allowed” method to authorize users with my specific rules based on the content of the Authorization http header sent by my external OIDC provider.
However, the original Authorization http header doesn’t seem to be forwarded by the internal jupyterhub http-proxy.
Is there a specific configuration to implement to access the Authorization header sent by an external OIDC provider ?
Neither JupyterHub nor the proxy ought to interfere with the Authorization header sent by browsers (they rely on it for many requests). However, JupyterHub uses its own tokens in Authorization headers, and you cannot use externally-issued tokens to access JupyterHub or single-user server APIs.
You can use these or other headers to login to jupyterhub in the first place, though.
However, OAuth doesn’t (and can’t, as far as I can tell) set Authorization headers for requests from browsers, as communication only comes via the URL and GET parameters.
Can you share some more detail on which requests (between provider, browser, and jupyterhub) are expecting information that’s not being received?