Need Help Setting Up Okta oauth

Hey Guys, I would be appreciative if someone here could give me an example of an Okta OAuth script for JupyterHub? I didn’t actually set up our JupyterHub server myself but I have admin access to it. Basically, the original use case for the server was for some of our Finance people to learn Python but now we have a Financial Analysts using it for far more than that so I need to harden the server security-wise and migrate users from PAM authentication to preferably Okta. I am a System & Network Admin for my organization but this will be the first time that I will be setting up Okta OAuth on an app itself (and not just on the Okta’s end).

Jupyterhub_config.py:

import os

c.JupyterHub.authenticator_class = 'dummyauthenticator.DummyAuthenticator'
c.DummyAuthenticator.password = redacted
c.Authenticator.whitelist = { redacted }
c.Authenticator.admin_users = redacted

c.JupyterHub.hub_connect_ip = redacted
c.JupyterHub.spawner_class = 'dockerspawner.DockerSpawner'
c.DockerSpawner.image = redacted
c.DockerSpawner.use_internal_ip = True
c.JupyterHub.hub_ip = '0.0.0.0'
c.JupyterHub.hub_port = 8080

notebook_dir = os.environ.get('DOCKER_NOTEBOOK_DIR') or '/home/jovyan/'
c.DockerSpawner.notebook_dir = notebook_dir

# Mount the real user's Docker volume on the host to the notebook user's
# notebook directory in the container
c.DockerSpawner.volumes = { 'jupyterhub-user-{username}': notebook_dir }
c.DockerSpawner.extra_create_kwargs.update({ 'volume_driver': 'local' })

# Remove containers once they are stopped
c.DockerSpawner.remove_containers = True

# For debugging arguments passed to spawned containers
c.DockerSpawner.debug = True

Cheers,
@consideRatio

Hi thanks for posting the question on Discourse @XChainfireX!

I have not configured a the GenericOAuthenticator to use Okta before unless done from a Z2JH deployment. I’m first of all posting a reference example for that below.

Furthermore, in the Z2JH deployent I can easily set environment variables. Setting some environment variables needs to be done to configure everything correctly until this issue is resolved. How you would like to do this is not obvious to me, it depends on how your JupyterHub is running I guess.

I do not think you could add the environment variables from within the jupyterhub_config.py itself as by that time it may be to late to pass them along to the GenericOAuthenticator, but perhaps not, I’m not sure.

Attempted config for a JH with DockerSpawner (jupyterhub_config.py)

# See: https://example.okta.com/oauth2/.well-known/openid-configuration
# NOTE: USERDATA / USERINFO - same thing
# FIXME:
make_sure_that_these_environment_variables_are_available_somehow = {
    'OAUTH2_AUTHORIZE_URL': 'https://example.okta.com/oauth2/v1/authorize'
    'OAUTH2_USERDATA_URL':  'https://example.okta.com/oauth2/v1/userinfo'
    'OAUTH2_TOKEN_URL':     'https://example.okta.com/oauth2/v1/token'
    'OAUTH_CALLBACK_URL':   'https://jupyter.example.com/hub/oauth_callback'
}

c.JupyterHub.spawner_class = 'oauthenticator.generic.GenericOAuthenticator'

# See: https://developer.okta.com/docs/api/resources/oidc#userinfo
# See: https://developer.okta.com/docs/api/resources/oidc#scope-dependent-claims-not-always-returned
c.GenericOAuthenticator.update({
    'client_id': '<your-okta-application-client-id>',
    'client_secret': '<your-okta-application-client-secret>',
    'login_service': 'Okta',
    'username_key': 'preferred_username',
    'scope' = [
        'openid',
        'profile',
        'email',
        'offline_access',
    ]
})

A Z2JH config (config.yaml)

hub:
  extraEnv:
    # See: https://example.okta.com/oauth2/.well-known/openid-configuration
    OAUTH2_AUTHORIZE_URL: https://example.okta.com/oauth2/v1/authorize
    OAUTH2_USERDATA_URL:  https://example.okta.com/oauth2/v1/userinfo
    OAUTH2_TOKEN_URL:     https://example.okta.com/oauth2/v1/token
    OAUTH_CALLBACK_URL:   https://jupyter.example.com/hub/oauth_callback

auth:
  type: custom
  custom:
    className: oauthenticator.generic.GenericOAuthenticator
    config:
      client_id:     <your-okta-application-client-id>
      client_secret: <your-okta-application-client-secret>
      login_service: Okta
      username_key:  preferred_username
  scopes:
    # See: https://developer.okta.com/docs/api/resources/oidc#userinfo
    # See: https://developer.okta.com/docs/api/resources/oidc#scope-dependent-claims-not-always-returned
    - openid
    - profile
    - email
    - offline_access
  admin:
    access: false
    users:
      - erik.sundell@example.com

Using a social identity provider (IdP) like Google behind Okta bugs =/

If you let Okta redirect you to a social identity provider like Microsoft or Facebook, then when you return to JupyterHub all the information that were supposed to return in the query parameters like state=... have been lost. Instead, you get fromLogin=true. With that information, JupyterHub cannot know you have signed in. The workaround solution is to pass along a query parameter (idp=<your-social-idp-id>) in the initial authorize request to Okta. The crux of doing this is that then you have locked into a specific identity provider and also that is not something we currently can do from the OAuthenticator.

Okta is tracking this bug internally as OKTA-213686. And the issue of not being able to pass along extra parameters to the initial authorize request is described in this issue: