Is Jupyterhub RBAC groups the same as OAuth groups?

jrouly · November 16, 2023, 10:10pm

In case it’s useful, here’s a more complete copy of the code I ended up with. I wanted to keep my JH groups in sync with my AWS SSO groups, but you could use this pattern for any OAuth source.

class CustomOAuthenticator(GenericOAuthenticator):
    # Automatically send the user to the OIDC login page instead of prompting them to click a button.
    auto_login = True

    # Allow all AUTHENTICATED users to log in.
    allow_all = True

    # Authenticator class (this) is now responsible for managing groups.
    manage_groups = True

    login_service = ...
    username_claim = ...
    authorize_url = ...
    client_id = ...
    client_secret = ...
    oauth_callback_url ...
    token_url = ...
    userdata_url = ...

    async def update_auth_model(self, auth_model):
        """
        Because manage_groups is set to True, we need to include the user's groups in the returned auth model.
        Ref: https://jupyterhub.readthedocs.io/en/stable/reference/authenticators.html#authenticator-managed-group-membership
        """
        auth_model = await super().update_auth_model(auth_model)

        # Build the user's list of groups in the normal fashion. The parent class will do this automatically,
        # but only when checking for admin permissions. We want to do it for all users to return their groups!
        user_info = auth_model["auth_state"][self.user_auth_state_key]
        user_groups = self.get_user_groups(user_info)

        # Include the new "groups" key in the auth_model.
        auth_model["groups"] = user_groups

        return auth_model

    def claim_groups_key(self, user_info):
        """
        Return the JupyterHub groups a user should be associated with:
        - any AWS SSO group membership
        - global collab group
        """
        user_aws_sso_groups = aws_sso.user_groups.get(user_info['email'], [])
        return [shared_group] + list(user_aws_sso_groups)


c.JupyterHub.authenticator_class = CustomOAuthenticator

Once I started down the custom class path, a lot of cool functionality became possible One problem I did quickly encounter was limitations with the base JupyterHub docker image I was using (via Z2JH), specifically it not having boto3 installed. So, had to customize that as well.

But in the end it works beautifully!

Topic		Replies	Views
JupyterHub + KeyCloak auth and LDAP user groups JupyterHub	7	1273	October 13, 2024
OIDC RBAC - possible to map users to groups and groups to roles, where users and groups are defined by OIDC? JupyterHub jupyterhub , help-wanted	3	892	November 29, 2023
How to access user_data json from OAuthenticator? JupyterHub jupyterhub , help-wanted	5	814	September 27, 2021
Is it compulsory to have OAUTH2_USERDATA_URL and CLIENT_SECRET to use Generic Oauthenticator with jupyterhub? Zero to JupyterHub on Kubernetes community , how-to , help-wanted	0	458	July 14, 2020
[GenericOAuthenticator] Pulling `claim_groups_key` from another token than the one returned by `USERDATA_URL` for AWS Cognito JupyterHub jupyterhub , help-wanted	2	1253	May 30, 2022

Is Jupyterhub RBAC groups the same as OAuth groups?

Related topics