JupyterHub + KeyCloak auth and LDAP user groups

Hi, I’ve successfully set up JupyterHub to login via KeyCloak and now it uses internal users and access (ie I create user from admin panel). My KeyCloak uses LDAP (FreeIPA) as user federation, so I want to create LDAP groups for users to access my JupyterHub service. I want users with jupyterhub_user groups to be able to login and have access to their personal instances of jupyter notebooks, users with jupyterhub_admin to have admin access and the rest not being able to login at all. There are plenty of examples online to setup JupyterHub with KeyCloak authentication and authorisation but I could find anything for the case where KeyCloak would use user groups from LDAP. Any help or insight would be much appreciated. Thank you.

You’ll need to extend the GenericAuthenticator to define the JupyterHub groups. See these two topics:

Okay, that was simple enough. I just needed to add allowed_groups and admin_groups to my config. Also claim_groups_key.
However, during testing I found out if user was previously in hub database (showed in admin panel) and then deleted, even if I granted an appropriate group to access the hub, it would still return 403 unless I restarted my docker container. Could someone help me? Here is my config:

import os
import sys

c.Spawner.default_url = "/lab"

from oauthenticator.generic import GenericOAuthenticator

c.JupyterHub.authenticator_class = GenericOAuthenticator
c.GenericOAuthenticator.client_id = "jupyterhub.my.domain"
c.GenericOAuthenticator.client_secret = "12345678910"
c.GenericOAuthenticator.token_url = (
c.GenericOAuthenticator.userdata_url = (
c.GenericOAuthenticator.oauth_callback_url = (
c.GenericOAuthenticator.userdata_params = {"state": "state"}
c.GenericOAuthenticator.username_key = "preferred_username"
c.GenericOAuthenticator.login_service = "Keycloak"
c.GenericOAuthenticator.scope = ["openid", "profile", "groups"]
c.GenericOAuthenticator.claim_groups_key = "groups"
c.GenericOAuthenticator.allowed_groups = {"jupyterhub-user"}
c.GenericOAuthenticator.admin_groups = {"jupyterhub-admin"}

c.GenericOAuthenticator.admin_users = { '' }

c.GenericOAuthenticator.allow_existing_users = True

# c.JupyterHub.internal_ssl = True

c.JupyterHub.spawner_class = "dockerspawner.DockerSpawner"
c.DockerSpawner.image = os.environ["DOCKER_JUPYTER_IMAGE"]
c.DockerSpawner.network_name = os.environ["DOCKER_NETWORK_NAME"]
c.JupyterHub.hub_ip = os.environ["HUB_IP"]

notebook_dir = os.environ.get("DOCKER_NOTEBOOK_DIR") or "/home/jovyan"
c.DockerSpawner.notebook_dir = notebook_dir
c.DockerSpawner.volumes = {
    "jupyterhub-user-{username}": notebook_dir,
    "jupyterhub-shared": "/home/jovyan/shared",

c.JupyterHub.services = [
        "name": "idle-culler",
        "admin": True,
        "command": [sys.executable, "-m", "jupyterhub_idle_culler", "--timeout=3600"],

Also, if I have allow_existing_users = True, this means that even if I remove LDAP groups from a user, they still will be able to login unless I delete user from the hun admin panel. Is there a way to disable user just by revoking their LDAP groups?

It sounds like you want to simultaneously control users through the admin interface, and also have the authenticator control which users have access. I don’t think there’s an easy way to do this, there are too many ambiguities and edge cases.

I want the opposite. I want only authenticator and user groups to control who has access. Sorry if I wasn’t clear

c.GenericOAuthenticator.allow_existing_users = True implies you want to manage users yourself. Can you change it to False?

I wrote some code to support Keycloak and based the username to set the uid of user because I also mount users’ home(NFS) .

The user group syncs from keycloak.