JupyterHub to GitHub authentication using secrets

Hi Team,

I did a setup of JupyterHub authentication with GitHub via hub.config. This was working perfectly, but due to secret protection we need to fetch the client secret from an external secret manager, here AWS Secrets Manager. So I created a k8s secret using an external secret for the same, but how can I pass it in the config so that JupyterHub gets it? Any help is highly appreciated.

    jupyterhub:
      hub:
        config:
          GitHubOAuthenticator:
            client_id: xxx
            client_secret: yyy
            oauth_callback_url: https://<my-domain>hub/oauth_callback

Did you figure this out?

I have a similar setup:

    hub:
      config:
        GenericOAuthenticator:
          login_service: Okta
          client_id: XXXXXX
          client_secret: XXXXXX
          authorize_url: https://XXXXX.okta.com/oauth2/v1/authorize
          oauth_callback_url: https://jupyterhub-example.com/hub/oauth_callback
          token_url: https://XXXXX.okta.com/oauth2/v1/token
          userdata_url: https://XXXXX.okta.com/oauth2/v1/userinfo
          scope:
            - openid
            - profile
            - offline_access
          username_key: preferred_username
        JupyterHub:
          authenticator_class: generic-oauth

And have an external secret set up, but don’t want to directly add the secrets here as this is something I have to check in for FluxCD to pick up and deploy.

Figured this out with the following:

    values:
      hub:
        config:
          GenericOAuthenticator:
            login_service: Okta
            authorize_url: https://XXXXX.okta.com/oauth2/v1/authorize
            oauth_callback_url: https://jupyterhub-example.com/hub/oauth_callback
            token_url: https://XXXXX.okta.com/oauth2/v1/token
            userdata_url: https://XXXXX.okta.com/oauth2/v1/userinfo
            scope:
              - openid
              - profile
              - offline_access
            username_key: preferred_username
          JupyterHub:
            authenticator_class: generic-oauth
        extraEnv:
          OKTA_CLIENT_ID:
            valueFrom:
              secretKeyRef:
                name: jupyterhub
                key: OKTA_CLIENT_ID
          OKTA_CLIENT_SECRET:
            valueFrom:
              secretKeyRef:
                name: jupyterhub
                key: OKTA_CLIENT_SECRET
        extraConfig:
          authConfig: |
            import os
            c.GenericOAuthenticator.client_id = os.getenv("OKTA_CLIENT_ID")
            c.GenericOAuthenticator.client_secret = os.getenv("OKTA_CLIENT_SECRET")

Note that it would be sufficient to use OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET directly, as they are respected by all oauthenticator-based Authenticator classes.

See oauthenticator/oauthenticator/oauth2.py at 1f0cbc08d92a0bf22f35226122522b13f6a1774b · jupyterhub/oauthenticator · GitHub

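A fail-fast variant of the `extraConfig` snippet from the posts above, as an added example that is not part of the original thread or of the z2jh or oauthenticator projects: `os.getenv` returns `None` when the `secretKeyRef` did not populate the variable, so this version stops at hub startup and names the missing variable instead. The helper names, the `MissingOAuthCredential` class and the whitespace stripping (for secrets stored with a trailing newline) are assumptions of this example.

```python
import os
from types import SimpleNamespace

# Variable names from the thread: the OAUTH_* pair mentioned in the reply above
# is tried first, then the OKTA_* pair set through hub.extraEnv.
CANDIDATES = {
    "client_id": ("OAUTH_CLIENT_ID", "OKTA_CLIENT_ID"),
    "client_secret": ("OAUTH_CLIENT_SECRET", "OKTA_CLIENT_SECRET"),
}


class MissingOAuthCredential(RuntimeError):
    """Hypothetical error type: a credential variable is unset or blank."""


def load_oauth_credentials(env=os.environ):
    """Return client_id/client_secret from env, or raise naming what is missing."""
    creds, missing = {}, []
    for field, names in CANDIDATES.items():
        # First candidate that is set and not blank wins; strip stray whitespace.
        value = next((env[n].strip() for n in names if env.get(n, "").strip()), None)
        if value is None:
            missing.append(" or ".join(names))
        else:
            creds[field] = value
    if missing:
        # Report variable names only, so no secret value reaches the hub logs.
        raise MissingOAuthCredential("unset or empty: " + "; ".join(missing))
    return creds


def apply_to_config(c, env=os.environ):
    """Set the authenticator traits on a JupyterHub config object `c`."""
    creds = load_oauth_credentials(env)
    c.GenericOAuthenticator.client_id = creds["client_id"]
    c.GenericOAuthenticator.client_secret = creds["client_secret"]
    return c


def demo():
    """Stand-alone run with constructed values and a stand-in config object."""
    c = SimpleNamespace(GenericOAuthenticator=SimpleNamespace())
    env = {"OKTA_CLIENT_ID": "constructed-id",
           "OKTA_CLIENT_SECRET": "constructed-secret\n"}
    return apply_to_config(c, env)


if __name__ == "__main__":
    print(demo().GenericOAuthenticator.client_id)
```

Inside `hub.extraConfig` the config object `c` already exists, so the snippet there ends with `apply_to_config(c)` rather than `demo()`.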

Great, just tried it successfully, thanks! Is this in the z2jh docs anywhere? Might be helpful to add to the generic oauth docs.

I think adding it to the help string of OAuthenticator.client_id / client_secret would make sense, then it renders to the reference docs in that project as a starting point for other higher level docs (z2jh etc.) to reference.