Jupyterhub Keycloak Authentication

Basically I’m trying to connect to my jupyterhub-ide using keycloak oidc using the groups method.
But I’m getting this error 500.
This is the conf I’m using:

  debug: true
      enable_auth_state: true
      client_id: jupyterhub
      client_secret: secret
      oauth_callback_url: https://jupyter.url/hub/oauth_callback
      authorize_url: https:/keycloak.url/realms/dataplatform/protocol/openid-connect/auth
      token_url: https:/keycloak.url/realms/dataplatform/protocol/openid-connect/token
      userdata_url: https:keycloak.url/realms/dataplatform/protocol/openid-connect/userinfo
      login_service: keycloak
      username_claim: CODEX-JUPYTERHUB-USERS-GROUP
      tls_verify: false
      enable_auth_state: true
      claim_groups_key: groups
        state: state
        - groups
        - openid
        - profile
      redirectToServer: true
      authenticator_class: generic-oauth
  concurrentSpawnLimit: 64
  consecutiveFailureLimit: 5

And this is the error I’m getting,

Traceback (most recent call last):
      File "/opt/bitnami/miniconda/lib/python3.8/site-packages/tornado/web.py", line 1786, in _execute
        result = await result
      File "/opt/bitnami/miniconda/lib/python3.8/site-packages/oauthenticator/oauth2.py", line 208, in get
        user = await self.login_user()
      File "/opt/bitnami/miniconda/lib/python3.8/site-packages/jupyterhub/handlers/base.py", line 828, in login_user
        authenticated = await self.authenticate(data)
      File "/opt/bitnami/miniconda/lib/python3.8/site-packages/jupyterhub/auth.py", line 492, in get_authenticated_user
        authenticated = await maybe_future(self.authenticate(handler, data))
      File "/opt/bitnami/miniconda/lib/python3.8/site-packages/oauthenticator/oauth2.py", line 966, in authenticate
        username = self.user_info_to_username(user_info)
      File "/opt/bitnami/miniconda/lib/python3.8/site-packages/oauthenticator/generic.py", line 121, in user_info_to_username
        return super().user_info_to_username(user_info)
      File "/opt/bitnami/miniconda/lib/python3.8/site-packages/oauthenticator/oauth2.py", line 768, in user_info_to_username
        raise ValueError(message)
    ValueError: ("No admin found in {'sub': '539a5aca-17df-4c3e-8c7d-eca06f6e8671', 'email_verified': True, 'groups': ['CODEX-AKHQ-ADMIN-GROUP', 'CODEX-AP  

I tried different tutorials on internet and using the preffered_username, I also looked on the code source but coudln’t get forward :frowning:
I appreciate all the critics and help, thank you !

It looks like you’re using Z2JH on Kubernetes- which version of the Helm chart are you using?

Does this work if you don’t use groups?

I’m using the bitnami 5.2.9 helm chart, I also added a mapper to my keycloak client with a user attribute: preffered_username it stopped giving me the error below. But i’m getting username & password wrongs (so I’m debugging in a keycloak side now)

I’m not familiar with the Binami Helm chart, only the official Z2JH one.

However, if it’s using the latest version of OAuthenticator the error

originates from

which means something is setting the claim name to admin. This isn’t in your config, so either the chart is doing something strange or there’s additional config somewhere.

Hello, thank you for response.
So can I verify the user_info informations, so instead of putting any info I can just use what I got on the Get Response.
I’m even thinking to go back to auth0 since the sso isn’t working that well…

For the helm chart, I didnt find any official one on the github repo that’s why I used the bitnami for their maintenance

This is the official Helm chart:

I managed to fix it with a new attribute instead of preferred_username.
I’m using email for the username_claim, but I also added the allowed_all: true to accept my new client.

I believe the parameter name is allow_all, not allowed_all ?
Worked for me:

      enable_auth_state: true
      allow_all: true
1 Like

But the problem isn’t the parameter, I want to restrict access with keycloak groups for security context…