JHub v3: Generate token fails to access read:hub scope (hub/api/info endpoint)

Hello,

Attempting to update to JHub v3 (from v1), I am struggling to adjust the new RBAC configuration.

My goal is to enable admin users to generate JHub tokens which they can then use to query admin endpoints such as /api/info.

Specifically, my JHub uses the jupyterhub/zero-to-jupyterhub-k8s helm chart and my users, admin users included, use self-hosted Keycloak with OAuth authentication.

My current Keycloak configuration is simple:

hub:
  config:
    GenericOAuthenticator:
      authorize_url: https://keycloak/auth/realms/Jupyter/protocol/openid-connect/auth
      token_url: https://keycloak/auth/realms/Jupyter/protocol/openid-connect/token
      userdata_url: https://keycloak/auth/realms/Jupyter/protocol/openid-connect/userinfo
      enable_auth_state: true
      client_id: {{ .Values.jupyterhub.auth.generic.clientId }}
      client_secret: {{ .Values.jupyterhub.auth.generic.clientSecret }}
      oauth_callback_url: 'https://jupyter/hub/oauth_callback'
      login_service: Keycloak
      scope:
        - openid
        - profile
        - roles
      username_key: preferred_username
      userdata_params:
        state: state
      admin_users:
        - user1
    JupyterHub:
      authenticator_class: generic-oauth

What works in v1 is that user1 can log in with Keycloak and, being an admin user, can request a JHub token in the UI and use that token to query the hub/api/info endpoint.

My question is simple: How to do that in JHub v3?

I have already tried many different configurations and failed so far.

One of the last things I have tried is to remove user1 from admin_users above and then attempt to define a new role “morerights” which is assigned to specific users:

  loadRoles:
    morerights:
      scopes:
        - admin-ui
        - admin:users
        - admin:servers
        - tokens
        - admin:groups
        - list:services
        - read:services
        - read:hub
        - proxy
        - shutdown
        - access:services
        - access:servers
        - read:roles
        - read:metrics
      users:
        - user1

This however fails. Meaning, yes, login via Keycloak does work into JHub and I can request a new token in the UI, but when the token is then used for curl commands, I always get

{"status": 403, "message": "Action is not authorized with current scopes; requires any of [read:hub]"}

Does anyone have some tips?
I have also tried to define a new service

  services:
    service-admin:
      api_token: "test123456789"

and then adding the service to the morerights role

      services: [service-admin]

The issue is/was an incorrect curl command → big difference between the -H and -u parameters for authentication…
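To make the -H versus -u difference concrete, here is an added example (not code from the post or from the JupyterHub project) that builds both Authorization headers the way curl does and runs them through a simplified model of the Hub's token parsing and read:hub scope check; it assumes the Hub accepts the `token` and `Bearer` schemes and treats an HTTP Basic credential as no token at all.

```python
# Added example (not from the post or the JupyterHub project): why a token sent with
# curl -u (HTTP Basic) fails the read:hub check while curl -H 'Authorization: token ...'
# succeeds. The Hub's header parsing and scope check are modelled here (assumption).
import base64
import json
import urllib.request
from typing import Dict, Optional, Set

# Required scope for the endpoint, taken from the 403 message in the post.
REQUIRED_SCOPES = {"/hub/api/info": {"read:hub"}}


def token_header(token: str) -> Dict[str, str]:
    """Header that curl -H 'Authorization: token <tok>' sends: what the Hub expects."""
    return {"Authorization": f"token {token}"}


def basic_header(user: str, token: str) -> Dict[str, str]:
    """Header that curl -u user:token sends: HTTP Basic, which is not a Hub API token."""
    cred = base64.b64encode(f"{user}:{token}".encode()).decode()
    return {"Authorization": f"Basic {cred}"}


def extract_token(headers: Dict[str, str]) -> Optional[str]:
    """Model of the Hub's parsing (assumed): only the token/bearer schemes carry a token."""
    value = headers.get("Authorization", "")
    if " " not in value:
        return None
    scheme, tok = value.split(" ", 1)
    return tok if scheme.lower() in ("token", "bearer") else None


def authorize(headers, token_scopes: Dict[str, Set[str]], path: str) -> Optional[dict]:
    """Return the Hub-style 403 body if no required scope is granted, else None."""
    required = REQUIRED_SCOPES[path]
    granted = token_scopes.get(extract_token(headers) or "", set())
    if required & granted:
        return None
    return {"status": 403, "message": "Action is not authorized with current scopes; "
                                      f"requires any of [{', '.join(sorted(required))}]"}


def get_hub_info(hub_url: str, token: str) -> dict:
    """Live call (needs a reachable Hub): GET /hub/api/info with the correct header."""
    url = f"{hub_url.rstrip('/')}/hub/api/info"
    req = urllib.request.Request(url, headers=token_header(token))
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

The token-to-scopes mapping passed to `authorize` stands in for whatever the morerights role grants; the same token is rejected with the post's exact 403 body when it is wrapped in Basic auth.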