Jupyterhub try to make preflight request to Shibboleth IdP

Hallo everyone,

I am using Apache and Shibboleth for Proxy and Authentification.

Why Jupyterhub keeps sending prefilght request through Chrome to Shibboleth IdP? (Even after i logged in)
Is it trying to confirm the login status of current user?
Can I just disable this request? Because my Shibboleth IdP doesn´t allow this request. And my single user Server keeping restarting and crashing.

Browser Logs:

Access to fetch at 'https://saml.xxx/idp/profile/SAML2/Redirect/SSO?… (redirected from 'https://123.org/jupyterhub/) from origin ‘https://123.org’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. If an opaque response serves your needs, set the request’s mode to ‘no-cors’ to fetch the resource with CORS disabled

Which authenticator are you using? Can you show us your full JupyterHub configuration and your debug logs?

1 Like

My jupyterhub_config.py is as following. I used external package for shibboleth authentification from jhub_shibboleth_auth/jhub_shibboleth_auth/shibboleth_auth.py at 6c981d0d50b1891fe8f4055d4010450211c698a0 · gesiscss/jhub_shibboleth_auth · GitHub

c.Spawner.cmd = “jupyterhub-singleuser”

c.Spawner.debug = True
c.ConfigurableHTTPProxy.debug = True
c.DockerSpawmer.use_internal_ip = True

c.JupyterHub.spawner_class = DockerSpawner
c.DockerSpawner.image = “guyq1997/jupyterlab-dhbw”
c.JupyterHub.hub_ip = “jupyterhub”
c.JupyterHub.bind_url = ‘http://jupyterhub:8000/jupyterhub

c.DockerSpawner.network_name = os.environ[“DOCKER_NETWORK_NAME”]
c.DockerSpawner.extra_host_config = { ‘network_mode’: os.environ[“DOCKER_NETWORK_NAME”] }
c.DockerSpawner.start_timeout = 120
c.DockerSpawner.remove = False
c.JupyterHub.authenticator_class = ShibbolethAuthenticator
c.ShibbolethAuthenticator.headers = [“Givenname”]
c.Authenticator.shibboleth_logout_url = “https://example.org/Shibboleth.sso/Logout

Everything is normal according to Jupyterhub Logs:

[ConfigProxy] debug: PROXY WEB /jupyterhub/user/yuqiang/lab/api/settings to
[ConfigProxy] debug: PROXY WEB /jupyterhub/user/yuqiang/api/contents/funnel.ipynb to
[ConfigProxy] debug: PROXY WEB /jupyterhub/user/yuqiang/api/contents/Visualisierung_CO2_Konzentration.ipynb to
[ConfigProxy] debug: PROXY WS /jupyterhub/user/yuqiang/api/collaboration/room/json:notebook:c74cf284-1bbe-4e0b-8913-f09e4071e74a to
[ConfigProxy] debug: PROXY WEB /jupyterhub/user/yuqiang/api/sessions to
[ConfigProxy] debug: PROXY WEB /jupyterhub/user/yuqiang/api/kernels to
[ConfigProxy] debug: PROXY WS /jupyterhub/user/yuqiang/api/collaboration/room/json:notebook:21db2beb-075c-4755-a268-6e8e6214b79c to
[ConfigProxy] debug: PROXY WEB /jupyterhub/user/yuqiang/api/contents/Visualisierung_CO2_Konzentration.ipynb/checkpoints to
[ConfigProxy] debug: PROXY WEB /jupyterhub/user/yuqiang/api/contents/Visualisierung_CO2_Konzentration.ipynb/checkpoints to
[ConfigProxy] debug: PROXY WEB /jupyterhub/user/yuqiang/api/sessions to
[ConfigProxy] debug: PROXY WEB /jupyterhub/user/yuqiang/api/kernelspecs to

I think the problem is at Jupyterhub or Browser, it keeps sending preflight request and want to make sure that Shibboleth IdP allows CORS from my Server.

I think the Error is from here:

All preflight request to SHibboleth IdP is from this origin:


This Error only occurs in my windows browser. There is no problem with my Iphone Browser (Chrome and Safari)

Why should this URL send this request? Is it trying to check the identity again?

Causes which are excluded:

Authenticator: I just used Dummy authenticator, this CORS error keeps occuring. So I think this has nothing to do with Authenticator.

Also just FYI that repo isn’t maintained anymore (as mentioned in the README) GitHub - gesiscss/jhub_shibboleth_auth: Shibboleth authentication for JupyterHub - This repo is not maintained anymore. It hasn’t been updated in over 5 years.

1 Like

Some new Discovery and Guess:

If i make a PUT or GET request to Single User Server (in the same origin), the Browser sometimes will make a preflight request to Shibboleth IdP firstly, to check the CORS premission. Requests will not be sent to Jupyterlab API directly. In this case, i do not have a CORS premission from Shibboleth IdP, So it just blocked my request, And Single User Server (Jupyterlab) can not hear my request either.

I guess this is because of my configuration in Apache (Jupyterhub and Jupyterlab is protected by Shibboleth SP):

<Location /jupyterhub>

RequestHeader unset Accept-Encoding
ProxyPreserveHost on
AuthType shibboleth
ShibRequestSetting requireSession 1
Require valid-user
ShibUseHeaders On
ProxyPass        http://jupyterhub:8000/jupyterhub
ProxyPassReverse http://jupyterhub:8000/jupyterhub

So I tried, if i remove the Shibboleth Authentification function, there is no more problem.
How can i configure in this case, to send the PUT/GET request directly to my Single User Server?

I found a not-so-great way to solve it, and it only works in Firefox.

Jupyterhub runs in /jupyterhub subpage. In /jupyterhub shibboleth session is deactivated, it only needs the user data/http headers for identifying Users. This means that /jupyterhub is not protected by Shibboleth. Shibboleth Headers come from /secure subpage. /secure is for user login. As long as user is logged into /secure, the user data is stored in browser. Subpath /jupyterhub can therefore also read the user data/http headers.

The requests (to GET or PUT data into Single User Server) can therefore be sent directly to the single user server (Jupyterlab). Without sending to Shibboleth and check CORS premission first. However, this approach only works with Firefox.

Here is Apache Configuration:

<Location /secure>
AuthType shibboleth
ShibRequireSession On
Require valid-user
ShibUseHeaders On

<Location /jupyterhub>

RewriteEngine On
ProxyPreserveHost on
AuthType shibboleth
Require valid-user
ShibRequestSetting requireSession off
ShibUseHeaders On

ProxyPass        http://jupyterhub:8000/jupyterhub
ProxyPassReverse http://jupyterhub:8000/jupyterhub

With Chrome, a 401 Unauthorized error occurs in Browser Log after spawning User Server.