Jupyterhub Keycloak Authentication

Hello,
Basically I’m trying to connect to my jupyterhub-ide using keycloak oidc using the groups method.
But I’m getting this error 500.
This is the conf I’m using:

hub:
  debug: true
  config:
    Authenticator:
      enable_auth_state: true
    GenericOAuthenticator:
      client_id: jupyterhub
      client_secret: secret
      oauth_callback_url: https://jupyter.url/hub/oauth_callback
      authorize_url: https://keycloak.url/realms/dataplatform/protocol/openid-connect/auth
      token_url: https://keycloak.url/realms/dataplatform/protocol/openid-connect/token
      userdata_url: https://keycloak.url/realms/dataplatform/protocol/openid-connect/userinfo
      login_service: keycloak
      username_claim: CODEX-JUPYTERHUB-USERS-GROUP
      tls_verify: false
      enable_auth_state: true
      claim_groups_key: groups
      allowed_groups: 
        - CODEX-JUPYTERHUB-ADMIN-GROUP
      userdata_params:
        state: state
      scope:
        - groups
        - openid
        - profile
      redirectToServer: true
    JupyterHub:
      authenticator_class: generic-oauth
  concurrentSpawnLimit: 64
  consecutiveFailureLimit: 5

And this is the error I’m getting,

Traceback (most recent call last):
      File "/opt/bitnami/miniconda/lib/python3.8/site-packages/tornado/web.py", line 1786, in _execute
        result = await result
      File "/opt/bitnami/miniconda/lib/python3.8/site-packages/oauthenticator/oauth2.py", line 208, in get
        user = await self.login_user()
      File "/opt/bitnami/miniconda/lib/python3.8/site-packages/jupyterhub/handlers/base.py", line 828, in login_user
        authenticated = await self.authenticate(data)
      File "/opt/bitnami/miniconda/lib/python3.8/site-packages/jupyterhub/auth.py", line 492, in get_authenticated_user
        authenticated = await maybe_future(self.authenticate(handler, data))
      File "/opt/bitnami/miniconda/lib/python3.8/site-packages/oauthenticator/oauth2.py", line 966, in authenticate
        username = self.user_info_to_username(user_info)
      File "/opt/bitnami/miniconda/lib/python3.8/site-packages/oauthenticator/generic.py", line 121, in user_info_to_username
        return super().user_info_to_username(user_info)
      File "/opt/bitnami/miniconda/lib/python3.8/site-packages/oauthenticator/oauth2.py", line 768, in user_info_to_username
        raise ValueError(message)
    ValueError: ("No admin found in {'sub': '539a5aca-17df-4c3e-8c7d-eca06f6e8671', 'email_verified': True, 'groups': ['CODEX-AKHQ-ADMIN-GROUP', 'CODEX-AP  

I tried different tutorials on the internet and using preferred_username. I also looked at the source code but couldn’t get any further :(
I appreciate all criticism and help, thank you!

It looks like you’re using Z2JH on Kubernetes. Which version of the Helm chart are you using?

Does this work if you don’t use groups?

I’m using the Bitnami 5.2.9 Helm chart. I also added a mapper to my Keycloak client with a user attribute, preferred_username, and it stopped giving me the error below. But I’m getting username & password wrong (so I’m debugging on the Keycloak side now).

I’m not familiar with the Bitnami Helm chart, only the official Z2JH one.

However, if it’s using the latest version of OAuthenticator the error

originates from

which means something is setting the claim name to admin. This isn’t in your config, so either the chart is doing something strange or there’s additional config somewhere.

Hello, thank you for the response.
So can I verify the user_info information, so that instead of putting any info I can just use what I got in the GET response?
I’m even thinking of going back to Auth0, since the SSO isn’t working that well…

For the Helm chart, I didn’t find any official one on the GitHub repo, which is why I used the Bitnami one, for their maintenance.

This is the official Helm chart:

I managed to fix it with a new attribute instead of preferred_username.
I’m using email for the username_claim, but I also added the allowed_all: true to accept my new client.

I believe the parameter name is allow_all, not allowed_all?
Worked for me:

hub:
  config:
    Authenticator:
      enable_auth_state: true
      allow_all: true

But the problem isn’t the parameter, I want to restrict access with keycloak groups for security context…
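
The claim checks discussed in this thread, as an added example that is not part of the original posts and not OAuthenticator's own code: a simplified model of how `username_claim`, `claim_groups_key`, `allowed_groups` and `allow_all` are evaluated against the userinfo response. The `resolve_login` helper and the sample userinfo are constructed for illustration; only the group names and the "No ... found in" message shape come from the thread.

```python
# Added example: simplified model of the claim checks, not OAuthenticator's code.

# Constructed userinfo response; group names are the ones quoted in the thread.
SAMPLE_USERINFO = {
    "sub": "00000000-0000-0000-0000-000000000000",
    "email_verified": True,
    "preferred_username": "alice",
    "email": "alice@example.org",
    "groups": ["CODEX-AKHQ-ADMIN-GROUP", "CODEX-JUPYTERHUB-ADMIN-GROUP"],
}


def resolve_login(user_info, username_claim, claim_groups_key,
                  allowed_groups, allow_all=False):
    """Return (username, matched_groups), or raise if the login is refused."""
    # username_claim must name a key of the userinfo response, not a group.
    username = user_info.get(username_claim)
    if not username:
        raise ValueError(f"No {username_claim} found in {user_info}")
    if allow_all:
        # Every authenticated user is accepted; groups no longer restrict.
        return username, []
    groups = user_info.get(claim_groups_key)
    if not isinstance(groups, list):
        raise PermissionError(
            f"claim {claim_groups_key!r} is missing or not a list")
    matched = sorted(set(groups) & set(allowed_groups))
    if not matched:
        # Keycloak's group mapper can emit full paths such as "/NAME".
        hint = [g for g in groups if g.lstrip("/") in allowed_groups]
        raise PermissionError(
            f"{username} is in none of {allowed_groups}; "
            f"path-style near matches: {hint}")
    return username, matched


if __name__ == "__main__":
    allowed = ["CODEX-JUPYTERHUB-ADMIN-GROUP"]
    print(resolve_login(SAMPLE_USERINFO, "preferred_username", "groups",
                        allowed))
    try:
        # A group name used as username_claim: no such key in the response.
        resolve_login(SAMPLE_USERINFO, "CODEX-JUPYTERHUB-USERS-GROUP",
                      "groups", allowed)
    except ValueError as exc:
        print("refused:", str(exc)[:60])
```

Running the same function over the decoded userinfo from a failing login shows which of the three settings is responsible before touching the Helm values.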