Jupyterhub Keycloak Authentication

Al4D1N · January 25, 2024, 2:36pm

Hello,
Basically I’m trying to connect to my jupyterhub-ide using keycloak oidc using the groups method.
But I’m getting this error 500.
This is the conf I’m using:

hub:
  debug: true
  config:
    Authenticator:
      enable_auth_state: true
    GenericOAuthenticator:
      client_id: jupyterhub
      client_secret: secret
      oauth_callback_url: https://jupyter.url/hub/oauth_callback
      authorize_url: https:/keycloak.url/realms/dataplatform/protocol/openid-connect/auth
      token_url: https:/keycloak.url/realms/dataplatform/protocol/openid-connect/token
      userdata_url: https:keycloak.url/realms/dataplatform/protocol/openid-connect/userinfo
      login_service: keycloak
      username_claim: CODEX-JUPYTERHUB-USERS-GROUP
      tls_verify: false
      enable_auth_state: true
      claim_groups_key: groups
      allowed_groups: 
        - CODEX-JUPYTERHUB-ADMIN-GROUP
      userdata_params:
        state: state
      scope:
        - groups
        - openid
        - profile
      redirectToServer: true
    JupyterHub:
      authenticator_class: generic-oauth
  concurrentSpawnLimit: 64
  consecutiveFailureLimit: 5

And this is the error I’m getting,

Traceback (most recent call last):
      File "/opt/bitnami/miniconda/lib/python3.8/site-packages/tornado/web.py", line 1786, in _execute
        result = await result
      File "/opt/bitnami/miniconda/lib/python3.8/site-packages/oauthenticator/oauth2.py", line 208, in get
        user = await self.login_user()
      File "/opt/bitnami/miniconda/lib/python3.8/site-packages/jupyterhub/handlers/base.py", line 828, in login_user
        authenticated = await self.authenticate(data)
      File "/opt/bitnami/miniconda/lib/python3.8/site-packages/jupyterhub/auth.py", line 492, in get_authenticated_user
        authenticated = await maybe_future(self.authenticate(handler, data))
      File "/opt/bitnami/miniconda/lib/python3.8/site-packages/oauthenticator/oauth2.py", line 966, in authenticate
        username = self.user_info_to_username(user_info)
      File "/opt/bitnami/miniconda/lib/python3.8/site-packages/oauthenticator/generic.py", line 121, in user_info_to_username
        return super().user_info_to_username(user_info)
      File "/opt/bitnami/miniconda/lib/python3.8/site-packages/oauthenticator/oauth2.py", line 768, in user_info_to_username
        raise ValueError(message)
    ValueError: ("No admin found in {'sub': '539a5aca-17df-4c3e-8c7d-eca06f6e8671', 'email_verified': True, 'groups': ['CODEX-AKHQ-ADMIN-GROUP', 'CODEX-AP

I tried different tutorials on internet and using the preffered_username, I also looked on the code source but coudln’t get forward
I appreciate all the critics and help, thank you !

manics · January 25, 2024, 3:08pm

It looks like you’re using Z2JH on Kubernetes- which version of the Helm chart are you using?

Does this work if you don’t use groups?

Al4D1N · January 25, 2024, 3:53pm

I’m using the bitnami 5.2.9 helm chart, I also added a mapper to my keycloak client with a user attribute: preffered_username it stopped giving me the error below. But i’m getting username & password wrongs (so I’m debugging in a keycloak side now)

manics · January 27, 2024, 12:22pm

I’m not familiar with the Binami Helm chart, only the official Z2JH one.

However, if it’s using the latest version of OAuthenticator the error

Al4D1N:

      File "/opt/bitnami/miniconda/lib/python3.8/site-packages/oauthenticator/oauth2.py", line 768, in user_info_to_username
        raise ValueError(message)
    ValueError: ("No admin found in {'sub': '539a5aca-17df-4c3e-8c7d-eca06f6e8671', 'email_verified': True, 'groups': ['CODEX-AKHQ-ADMIN-GROUP', 'CODEX-AP

originates from

github.com

jupyterhub/oauthenticator/blob/3db8afa6a54666dfddc758fe8f2e5fa58d4093ea/oauthenticator/oauth2.py#L771-L777


      
          username = user_info.get(self.username_claim, None)
          if not username:
              message = (f"No {self.username_claim} found in {user_info}",)
              self.log.error(message)
              raise ValueError(message)
          
          return username

which means something is setting the claim name to admin. This isn’t in your config, so either the chart is doing something strange or there’s additional config somewhere.

Al4D1N · January 29, 2024, 7:49am

Hello, thank you for response.
So can I verify the user_info informations, so instead of putting any info I can just use what I got on the Get Response.
I’m even thinking to go back to auth0 since the sso isn’t working that well…

For the helm chart, I didnt find any official one on the github repo that’s why I used the bitnami for their maintenance

manics · January 29, 2024, 12:23pm

This is the official Helm chart:

Al4D1N · January 30, 2024, 8:16am

I managed to fix it with a new attribute instead of preferred_username.
I’m using email for the username_claim, but I also added the allowed_all: true to accept my new client.

MrCr00k · March 23, 2024, 10:30am

I believe the parameter name is allow_all, not allowed_all ?
Worked for me:

hub:
  config:
    Authenticator:
      enable_auth_state: true
      allow_all: true

Al4D1N · March 26, 2024, 10:00am

But the problem isn’t the parameter, I want to restrict access with keycloak groups for security context…

aradhya_dimri · September 18, 2024, 9:49am

@Al4D1N Did you find any soln for this problem? I have the same use case.

Topic		Replies	Views
KeyCloak integration is giving 500 internal error, how to solve JupyterHub jupyterlab , jupyterhub , how-to	3	69	October 13, 2024
Keycloak identity management: 500 : Internal Server Error Zero to JupyterHub on Kubernetes	8	10846	December 24, 2021
JupyterHub + KeyCloak auth and LDAP user groups JupyterHub	7	1273	October 13, 2024
Kecloak authentication with jupyterhub failed - 500 internal server error Zero to JupyterHub on Kubernetes jupyterhub , help-wanted	1	173	June 20, 2024
JupyterHub Keycloak integration error JupyterHub community , jupyterlab , jupyterhub , help-wanted	1	34	October 15, 2024

Jupyterhub Keycloak Authentication

Related topics