Jupyterhub Remote user local authentication

I am using Jupyterhub Remote user local authenticator. I have configured Azure AD authentication in AWS ELB after successful authentication I am getting three headers as returned by AWS (x-amzn-oidc-accesstoken, x-amzn-oidc-data, x-amazn-oidc-identity). But none of them have desired value directly in headers as we have users created in Jupyterhub using (e.g emp code). I wrote custom authenticator extending RemoteUserLocalAuthenticator which uses access token and make calls to Graph microsoft API to fetch Emp code. But its not working as expected. Any suggestions would be highly appreciated ?

below is my jupyter config.py file:

from jhub_remote_user_authenticator.remote_user_auth import RemoteUserLocalAuthenticator
import syslog
import sys
import os, pwd
import logging
import requests,json

class CustomAuthenticator(RemoteUserLocalAuthenticator):
async def authenticate(self, handler, data=None):
# Extract the custom authentication header
identity_header = handler.request.headers.get(‘x-amzn-oidc-accesstoken’)

    # Process the identity header to obtain the username
    if identity_header:
        # Extract the username from the identity header
        response=requests.get('https://graph.microsoft.com/v1.0/me?$select=Department,onPremisesSamAccountName,displayName,givenName,surname,mail', headers={'Authorization': identity_header})
        if response.status_code==200:
            response=response.json()
            GID=response.get("onPremisesSamAccountName")
            #redirect_url = '/user/'+GID+'/lab'  # Replace with your desired URL
           # handler.redirect(redirect_url)
            return {'name':GID}

    # If the header is missing or doesn't contain the necessary information, return None
    return None

c.JupyterHub.authenticator_class = CustomAuthenticator

c.JupyterHub.hub_ip = ‘0.0.0.0’
c.JupyterHub.admin_access = True
c.JupyterHub.ssl_key = ‘/etc/jupyter/server.key’
c.JupyterHub.ssl_cert = ‘/etc/jupyter/server.crt’
c.JupyterHub.port = 443
c.LocalAuthenticator.create_system_users = True

#c.RemoteUserLocalAuthenticator.header_name = ‘x-amzn-oidc-identity’
#c.JupyterHub.authenticator_class = ‘jhub_remote_user_authenticator.remote_user_auth.RemoteUserLocalAuthenticator’

c.Spawner.default_url = ‘/lab’
c.Spawner.mem_limit = None
c.Spawner.http_timeout = 60
c.Spawner.start_timeout = 60
c.Spawner.debug = True
c.JupyterHub.file_path_template = “{path}”

What isn’t working? Have you tried adding some logging statements to your custom authenticator?

It says 401 unauthorized. I added custom logger but it’s not printing anything in syslog. I am using juoyterhub version 1.4.2

I am using following config in jupyter config file for logging. Is it correct ?

c.Application.log_level = ‘DEBUG’
c.Application.log_format = ‘[%(asctime)s] [%(levelname)s] %(message)s’
c.Application.log_datefmt = ‘%Y-%m-%d %H:%M:%S’
c.Application.log_file = ‘/var/log/jupyterhub.log’
logger = logging.getLogger(‘mylogger’)
logger.debug(“custom logger”)

Any help or suggestion how I can extend RemoteUserlocalAuthenticator and override its REMOT_USER header ?

The logs should be in the same place as the rest of your JupyterHub logs.

My suggestion was toi add some additional logging statements so you can verify what data is being sent and received, e.g. by adding statements like

self.log.info(....)

In your custom authenticator.

Is jhub_remote_user_authenticator/jhub_remote_user_authenticator/remote_user_auth.py at fb5a7ec8c1b567917b4dabab1d9167e499ea2c8a · cwaldbieser/jhub_remote_user_authenticator · GitHub what you’re using? It looks small enough that you could override/copy the whole of it for debugging purposes.

Thank you for your response. Yes I am using the same authenticator as you mentioned. The issue is sorted now I added custom logic in the base file and re-installed post that. This solves the problem.