Hi,
I have Keycloak and JupyterHub running in a Kubernetes cluster. When I log in to JupyterHub using Keycloak, I receive error:
400 : Bad Request
OAuth state missing from cookies
Here’s my configuration:
hub:
cookieSecret: 0e832f94c0b947516be269d893d96b82de4f763d600f94420b230d28dde7133b
db:
upgrade: true
pvc:
storage: 50Gi
storageClassName: gp3
authenticatePrometheus: false
config:
GenericOAuthenticator:
client_id: jupyter
client_secret: e6YPgXsMdTLofyGBiXabAykMrSxwRkzE
oauth_callback_url: https://jhubnlb.company.com/hub/oauth_callback
authorize_url: https://platform.company.com/realms/master/protocol/openid-connect/auth
token_url: https://platform.company.com/realms/master/protocol/openid-connect/token
userdata_url: https://platform.company.com/realms/master/protocol/openid-connect/userinfo
logout_redirect_url: https://platform.company.com/realms/master/protocol/openid-connect/logout?redirect_uri=https://jhubnlb.company.com
login_service: keycloak
username_claim: preferred_username
tls_verify: false
enable_auth_state: true
claim_groups_key: roles
userdata_params:
state: state
JupyterHub:
authenticator_class: generic-oauth
extraConfig:
jupyterhub_config.py: |-
c.KubeSpawner.start_timeout = 1200
c.Authenticator.enable_auth_state = True
c.GenericOAuthenticator.enable_auth_state = True
c.JupyterHub.tornado_settings = {"cookie_options": {"SameSite": "None", "Secure": True}}
proxy:
service:
type: LoadBalancer
annotations:
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <>
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
https:
enabled: true
type: offload
When I log in to JupyterHub, I don’t see it setting a cookie:
