OAuth + Azure AD - 403 on login?

wesleyburr · September 6, 2023, 3:41pm

Formerly, I had a config.yaml for the jupyterhub setup, and it was working fine pre-2.0.0. It used Azure AD Oauth for user authentication, which linked in through my university’s service. As below.

hub:
  config:
    AzureAdOAuthenticator:
      client_id: your-client-id
      client_secret: your-client-secret
      oauth_callback_url: https://your-jupyterhub-domain/hub/oauth_callback
      tenant_id: your-tenant-id
    JupyterHub:
      authenticator_class: azuread

After some updating of both the helm chart and my AD OAuth (because it expired), this does run through authentication, but then redirects back to a 403 access forbidden. I’ve reverted to firstuseauthenticator.FirstUseAuthenticator, which is actually an ok solution for my use-case, but I’d prefer if Azure AD was reactivated, for long-term user tracking.

Any idea what to poke into to find out why the access is being forbidden once the login completes successfully?

cooliver · September 7, 2023, 1:04pm

Hi,

can you try the following:

hub:
  config:
    AzureAdOAuthenticator:
      client_id: your-client-id
      client_secret: your-client-secret
      oauth_callback_url: https://your-jupyterhub-domain/hub/oauth_callback
      tenant_id: your-tenant-id
      enable_auth_state: true
      username_claim: unique_name
    JupyterHub:
      authenticator_class: azuread

wesleyburr · September 11, 2023, 3:12am

Thanks for the suggestion. Unfortunately, same result, at least in my minimal testing. It’s possible there’s a unique_name mismatch (or actual match … ) between the different auth methods, so that a login via Azure AD actually is trying to access resources already allocated for the same user, but under the second login? That’s all I’ve got as an idea at this point. The 403 doesn’t seem to be tied to any errors I’m finding in the logs.

manics · September 11, 2023, 1:08pm

Do you have a list of allowed_users? Version 16+ of Oauthenticator improves the security of the default configuration by not allowing all users, but this is a breaking change which can be overridden:

github.com

jupyterhub/oauthenticator/blob/3eadab3ecba70fffac1d12529957df7d4f35b54e/docs/source/reference/changelog.md#breaking-changes

# Changelog

For detailed changes from the prior release, click on the version number, and
its link will bring up a GitHub listing of changes. Use `git log` on the
command line for details.

## [Unreleased]

## 16.0

### [16.0.7] - 2023-08-21

#### Bugs fixed

- [Google] admin_users should like before v16 list final usernames [#673](https://github.com/jupyterhub/oauthenticator/pull/673) ([@consideRatio](https://github.com/consideRatio), [@jinserk](https://github.com/jinserk), [@GeorgianaElena](https://github.com/GeorgianaElena))

#### Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review.
See [our definition of contributors](https://github-activity.readthedocs.io/en/latest/#how-does-this-tool-define-contributions-in-the-reports).

This file has been truncated. show original