JupyterHub and Keycloak on localhost?

Hello friends, I have a perfectly working installation running on a public url. For local development I try to use localhost but the authentication fails because of DNS problems. I tried a rewrite rule in coredns without luck.

I use the official configuration

Do you have advice for local development in Kubernetes or a local example for JupyterHub and Keycloak? Is there another IAM like Keycloak that works with JupyterHub locally?

What are your IAM requirements for development? If it’s just to login to JupyterHub you could use the dummy authenticator which is built in

Yeah thank you, I like to keep dev/prod as similar as possible.

When I clear the cookies I can login to JupyterHub with Keycloak!
When I logout of JupyterHub I get logged out of Keycloak.
I can login again with Keycloak but JupyterHub reports 500 : Internal Server Error and tornado.httpclient.HTTPClientError: HTTP 401: Unauthorized.

Keycloak logs type=USER_INFO_REQUEST_ERROR, error=invalid_token, auth_method=validate_access_token.

Now I have to clear the cookies again for JupyterHub to work.
The logout_redirect_url works correctly, but I don’t know why JupyterHub can’t logout, do you?

Which cookies are you clearing, JupyterHub’s or Keycloak’s?

I clear all cookies in the browser so I can visit JupyterHub again. It forwards to Keycloak and after the Keycloak login a JupyterLab is launched.

I found a log saying that my JupyterLab expects JuypterHub 3.0.0 but I use JupyterHub 3.1.1. Could this be the cause of this problem?

Can you turn on debug logging in JupyterHub, and show us the full logs for logout and login, along with the Keycloak logs?

It might be useful to see your full config too.

I tried some more things and noticed that the logout problem has nothing to do with browser cookies.
The workaround is not about clearing all cookies (Keycloak and JupyterHub) but all browsing data. My browser probably stores some additional information.

Kubernetes on localhost is difficult because all internal communication urls need to be rewritten in coredns, otherwise they will point to a containers own loopback device.

I come to the conclusion that my issue is not related to JupyterHub. Thank you for the support.

I need help. My JupyterHub config

  client_id: []
  client_secret: []
  oauth_callback_url: http://jupyter.localhost/hub/oauth_callback
  authorize_url: http://keycloak.localhost/realms/local/protocol/openid-connect/auth
  token_url: http://keycloak.localhost/realms/local/protocol/openid-connect/token
  userdata_url: http://keycloak.localhost/realms/local/protocol/openid-connect/userinfo
  logout_redirect_url: https://keycloak.localhost/realms/local/protocol/openid-connect/logout?post_logout_redirect_uri=https://localhost&client_id=[]
  login_service: 'keycloak'
  username_key: 'preferred_username'
    state: state
  scope: ['openid']

This is Keycloak

[org.keycloak.events] (executor-thread-171) type=USER_INFO_REQUEST_ERROR, realmId=[], clientId=null, userId=null, ipAddress=, error=invalid_token, auth_method=validate_access_token

That is JupyterHub

[I JupyterHub oauth2:102] OAuth redirect: 'http://jupyter.localhost/hub/oauth_callback'
[D JupyterHub base:559] Setting cookie oauthenticator-state: {'httponly': True, 'expires_days': 1}
[I JupyterHub log:186] 302 GET /hub/oauth_login?next=%2Fhub%2F -> http://keycloak.localhost/realms/local/protocol/openid-connect/auth?response_type=code&redirect_uri=http%3A%2F2Fjupyter.localhost%2Fhub%2Foauth_callback&client_id=[]&state=[secret]&scope=openid (@ 1.46ms
[D JupyterHub log:186] 200 GET /hub/health (@ 1.51ms
[D JupyterHub log:186] 200 GET /hub/health (@ 1.53ms
[D JupyterHub reflector:362] pods watcher timeout
[D JupyterHub reflector:281] Connecting pods watcher
[D JupyterHub reflector:362] events watcher timeout
[D JupyterHub reflector:281] Connecting events watcher
[E JupyterHub oauth2:386] Error fetching user data 401 GET http://keycloak.localhost/realms/local/protocol/openid-connect/userinfo:
[E JupyterHub web:1798] Uncaught exception GET /hub/oauth_callback?state=[]&session_state=[]&code=[] (
    HTTPServerRequest(protocol='http', host='jupyter.localhost', method='GET', uri='/hub/oauth_callbackstate=[]&session_state=[]&code=[]', version='HTTP/1.1', remot
    Traceback (most recent call last):
      File "/opt/bitnami/miniconda/lib/python3.8/site-packages/tornado/web.py", line 1713, in _execute
        result = await result
      File "/opt/bitnami/miniconda/lib/python3.8/site-packages/oauthenticator/oauth2.py", line 222, in get
        user = await self.login_user()
      File "/opt/bitnami/miniconda/lib/python3.8/site-packages/jupyterhub/handlers/base.py", line 801, in login_user
        authenticated = await self.authenticate(data)
      File "/opt/bitnami/miniconda/lib/python3.8/site-packages/jupyterhub/auth.py", line 491, in get_authenticated_user
        authenticated = await maybe_future(self.authenticate(handler, data))
      File "/opt/bitnami/miniconda/lib/python3.8/site-packages/oauthenticator/generic.py", line 165, in authenticate
        user_data_resp_json = await self._get_user_data(token_resp_json)
      File "/opt/bitnami/miniconda/lib/python3.8/site-packages/oauthenticator/oauth2.py", line 387, in fetch
        raise e
      File "/opt/bitnami/miniconda/lib/python3.8/site-packages/oauthenticator/oauth2.py", line 366, in fetch
        resp = await self.http_client.fetch(req, **kwargs)
    tornado.httpclient.HTTPClientError: HTTP 401: Unauthorized

[D 33.112 JupyterHub base:1342] No template for 500

This only occurs after the second Login and is not related to cookies.

Can you tell which parts of the login flow involve cluster interal communication and which external? I probably forgot a forwarding rule?

If you have a working localhost solution, please share.

I’ve got an example in

running everything on a single node K8s cluster using the external IP of the host.