JHub v3: Generate token fails to access read:hub scope (hub/api/info endpoint)

dmpe · October 12, 2022, 9:25am

Hello,

Attempting to update to JHub v3 (from v1), I am struggling to adjust the new RBAC configuration.

My goal is to enable admin users to generate JHub tokens which then can then use to query admin endpoints such as /api/info.

Specifically, my JHub uses GitHub - jupyterhub/zero-to-jupyterhub-k8s: Helm Chart & Documentation for deploying JupyterHub on Kubernetes helm chart and my users, admin users including, use selfhosted KeyCloak with OAuth authentication.

My current Keycloak configuration is simple:

hub:
  config:
    GenericOAuthenticator:
      authorize_url: https://keycloak/auth/realms/Jupyter/protocol/openid-connect/auth
      token_url: https://keycloak/auth/realms/Jupyter/protocol/openid-connect/token
      userdata_url: https://keycloak/auth/realms/Jupyter/protocol/openid-connect/userinfo
      enable_auth_state: true
      client_id: {{ .Values.jupyterhub.auth.generic.clientId }}
      client_secret: {{ .Values.jupyterhub.auth.generic.clientSecret }}
      oauth_callback_url: 'https://jupyter/hub/oauth_callback'
      login_service: Keycloak
      scope:
        - openid
        - profile
        - roles
      username_key: preferred_username
      userdata_params:
        state: state
      admin_users:
        - user1
    JupyterHub:
      authenticator_class: generic-oauth

What works in v1, is that user1 can login with keycloak, and being admin user, he can request JHub Token in the UI and uses that token to query hub/api/info endpoint.

My question is simple: How to do that in JHub v3?

i have already tried my different configurations and fail so far.

One of the last things I have tried is to remove user1 from admin_users above and then attempt to define a new role “morerights” which is assigned to specific users.

  loadRoles:
    morerights:
      scopes: ['admin-ui','admin:users','admin:servers','tokens','admin:groups','list:services','read:services','read:hub','proxy','shutdown','access:services','access:servers','read:roles','read:metrics']
      users: ['user1']

This however fails. Meaning, yes login via Keyclaok does work into JHub and I can request a new token in the UI, but when token is then used for curl commands, I always get

{"status": 403, "message": "Action is not authorized with current scopes; requires any of [read:hub]"}

Does anyone have some tips?
I have also tried to define a new service

  services:
    service-admin:
      api_token: "test123456789"

and then adding service to morerights role

services: [service-admin]

dmpe · October 12, 2022, 9:34am

Issue is/was incorrect curl command → big difference between -H und -u parameters for authentication…

Topic		Replies	Views
Jupyterhub with keycloak:-claim_groups_key roles does not exist in the user token Zero to JupyterHub on Kubernetes help-wanted	1	68	September 18, 2024
JupyterHub + KeyCloak auth and LDAP user groups JupyterHub	7	1276	October 13, 2024
RBAC on jupyterhub 3.0.0 with z2jhub helm 2.0.0 Zero to JupyterHub on Kubernetes jupyterhub , how-to , help-wanted	7	813	February 6, 2023
Binderhub oauth(keycloak) setup BinderHub	6	616	November 27, 2023
HTTP 403: Ip Forbidden error when authenticating against Keycloak server Zero to JupyterHub on Kubernetes help-wanted	1	1562	February 2, 2021

JHub v3: Generate token fails to access read:hub scope (hub/api/info endpoint)

Related topics