Jupyterhub try to make preflight request to Shibboleth IdP

guyq1997 · March 28, 2024, 3:10pm

Hallo everyone,

I am using Apache and Shibboleth for Proxy and Authentification.

Why Jupyterhub keeps sending prefilght request through Chrome to Shibboleth IdP? (Even after i logged in)
Is it trying to confirm the login status of current user?
Can I just disable this request? Because my Shibboleth IdP doesn´t allow this request. And my single user Server keeping restarting and crashing.

Browser Logs:

Access to fetch at 'https://saml.xxx/idp/profile/SAML2/Redirect/SSO?… (redirected from 'https://123.org/jupyterhub/) from origin ‘https://123.org’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. If an opaque response serves your needs, set the request’s mode to ‘no-cors’ to fetch the resource with CORS disabled

manics · March 28, 2024, 3:18pm

Which authenticator are you using? Can you show us your full JupyterHub configuration and your debug logs?

guyq1997 · March 28, 2024, 3:27pm

My jupyterhub_config.py is as following. I used external package for shibboleth authentification from jhub_shibboleth_auth/jhub_shibboleth_auth/shibboleth_auth.py at 6c981d0d50b1891fe8f4055d4010450211c698a0 · gesiscss/jhub_shibboleth_auth · GitHub

c.Spawner.cmd = “jupyterhub-singleuser”

c.Spawner.debug = True
c.ConfigurableHTTPProxy.debug = True
c.DockerSpawmer.use_internal_ip = True

c.JupyterHub.spawner_class = DockerSpawner
c.DockerSpawner.image = “guyq1997/jupyterlab-dhbw”
c.JupyterHub.hub_ip = “jupyterhub”
c.JupyterHub.bind_url = ‘http://jupyterhub:8000/jupyterhub’

c.DockerSpawner.network_name = os.environ[“DOCKER_NETWORK_NAME”]
c.DockerSpawner.extra_host_config = { ‘network_mode’: os.environ[“DOCKER_NETWORK_NAME”] }
c.DockerSpawner.start_timeout = 120
c.DockerSpawner.remove = False
c.JupyterHub.authenticator_class = ShibbolethAuthenticator
c.ShibbolethAuthenticator.headers = [“Givenname”]
c.Authenticator.shibboleth_logout_url = “https://example.org/Shibboleth.sso/Logout”

Everything is normal according to Jupyterhub Logs:

[ConfigProxy] debug: PROXY WEB /jupyterhub/user/yuqiang/lab/api/settings to http://172.31.0.4:8888
[ConfigProxy] debug: PROXY WEB /jupyterhub/user/yuqiang/api/contents/funnel.ipynb to http://172.31.0.4:8888
[ConfigProxy] debug: PROXY WEB /jupyterhub/user/yuqiang/api/contents/Visualisierung_CO2_Konzentration.ipynb to http://172.31.0.4:8888
[ConfigProxy] debug: PROXY WS /jupyterhub/user/yuqiang/api/collaboration/room/json:notebook:c74cf284-1bbe-4e0b-8913-f09e4071e74a to http://172.31.0.4:8888
[ConfigProxy] debug: PROXY WEB /jupyterhub/user/yuqiang/api/sessions to http://172.31.0.4:8888
[ConfigProxy] debug: PROXY WEB /jupyterhub/user/yuqiang/api/kernels to http://172.31.0.4:8888
[ConfigProxy] debug: PROXY WS /jupyterhub/user/yuqiang/api/collaboration/room/json:notebook:21db2beb-075c-4755-a268-6e8e6214b79c to http://172.31.0.4:8888
[ConfigProxy] debug: PROXY WEB /jupyterhub/user/yuqiang/api/contents/Visualisierung_CO2_Konzentration.ipynb/checkpoints to http://172.31.0.4:8888
[ConfigProxy] debug: PROXY WEB /jupyterhub/user/yuqiang/api/contents/Visualisierung_CO2_Konzentration.ipynb/checkpoints to http://172.31.0.4:8888
[ConfigProxy] debug: PROXY WEB /jupyterhub/user/yuqiang/api/sessions to http://172.31.0.4:8888
[ConfigProxy] debug: PROXY WEB /jupyterhub/user/yuqiang/api/kernelspecs to http://172.31.0.4:8888

I think the problem is at Jupyterhub or Browser, it keeps sending preflight request and want to make sure that Shibboleth IdP allows CORS from my Server.

guyq1997 · March 28, 2024, 3:57pm

I think the Error is from here:

All preflight request to SHibboleth IdP is from this origin:

‘https://s.org/jupyterhub/user/yuqiang/api/kernels?1711651794595’

This Error only occurs in my windows browser. There is no problem with my Iphone Browser (Chrome and Safari)

Why should this URL send this request? Is it trying to check the identity again?

Causes which are excluded:

Authenticator: I just used Dummy authenticator, this CORS error keeps occuring. So I think this has nothing to do with Authenticator.

MridulS · March 29, 2024, 3:34am

Also just FYI that repo isn’t maintained anymore (as mentioned in the README) GitHub - gesiscss/jhub_shibboleth_auth: Shibboleth authentication for JupyterHub - This repo is not maintained anymore. It hasn’t been updated in over 5 years.

guyq1997 · April 1, 2024, 4:28pm

Some new Discovery and Guess:

If i make a PUT or GET request to Single User Server (in the same origin), the Browser sometimes will make a preflight request to Shibboleth IdP firstly, to check the CORS premission. Requests will not be sent to Jupyterlab API directly. In this case, i do not have a CORS premission from Shibboleth IdP, So it just blocked my request, And Single User Server (Jupyterlab) can not hear my request either.

I guess this is because of my configuration in Apache (Jupyterhub and Jupyterlab is protected by Shibboleth SP):

RequestHeader unset Accept-Encoding
ProxyPreserveHost on
AuthType shibboleth
ShibRequestSetting requireSession 1
Require valid-user
ShibUseHeaders On
ProxyPass        http://jupyterhub:8000/jupyterhub
ProxyPassReverse http://jupyterhub:8000/jupyterhub

So I tried, if i remove the Shibboleth Authentification function, there is no more problem.
How can i configure in this case, to send the PUT/GET request directly to my Single User Server?

guyq1997 · April 2, 2024, 8:56am

I found a not-so-great way to solve it, and it only works in Firefox.

Jupyterhub runs in /jupyterhub subpage. In /jupyterhub shibboleth session is deactivated, it only needs the user data/http headers for identifying Users. This means that /jupyterhub is not protected by Shibboleth. Shibboleth Headers come from /secure subpage. /secure is for user login. As long as user is logged into /secure, the user data is stored in browser. Subpath /jupyterhub can therefore also read the user data/http headers.

The requests (to GET or PUT data into Single User Server) can therefore be sent directly to the single user server (Jupyterlab). Without sending to Shibboleth and check CORS premission first. However, this approach only works with Firefox.

Here is Apache Configuration:

<Location /secure>
AuthType shibboleth
ShibRequireSession On
Require valid-user
ShibUseHeaders On

<Location /jupyterhub>
RewriteEngine On
ProxyPreserveHost on
AuthType shibboleth
Require valid-user
ShibRequestSetting requireSession off
ShibUseHeaders On

ProxyPass        http://jupyterhub:8000/jupyterhub
ProxyPassReverse http://jupyterhub:8000/jupyterhub

With Chrome, a 401 Unauthorized error occurs in Browser Log after spawning User Server.

Topic		Replies	Views
JupyterHub Apache Proxy Reverse not working JupyterHub help-wanted	2	900	May 3, 2021
JupyterHub / JupyterServerProxy 403 to OPTIONS request (CORS preflight) JupyterHub how-to , help-wanted	2	163	March 18, 2024
Jupyterhub with apache proxy / shibboleth / jhub_remote_user_authenticator JupyterHub	0	429	June 16, 2020
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at ***. (Reason: CORS request did not succeed) JupyterHub jupyterlab , jupyterhub , how-to , help-wanted	0	1841	January 11, 2021
Http Authorization header and external OIDC provider JupyterHub	2	392	September 4, 2023

Jupyterhub try to make preflight request to Shibboleth IdP

Related Topics