OIDC RBAC - possible to map users to groups and groups to roles, where users and groups are defined by OIDC?

jrouly · November 16, 2023, 2:16pm

Hello!

Is it possible to leverage both OIDC (via GenericOAuthenticator) and RBAC at the same time?

And, specifically, is it possible to use RBAC to map groups to roles, and then OIDC (GenericOAuthenticator) to map users to groups?

Here’s what I would expect to accomplish the job:

# Define roles and assign them to groups.
c.JupyterHub.load_roles.append(...)

# Allow OIDC to define user groups.
def compute_groups(claims):
    pass
c.GenericOAuthenticator.claim_groups_key = compute_groups
c.GenericOAuthenticator.manage_groups = True

However as far as I can tell, claim_groups_key is only ever read by get_user_groups, which is only ever read in two scenarios:

in check_allowed, if allowed_groups is set to a static list of groups that are allowed in, and
in update_auth_model, if a specific set of admin_groups are defined

and both of those scenarios seem to violate the basic principles of RBAC. I’d want my group’s role to be consulted for permissions, not the simple fact of role membership.

And, since I’m not setting allowed_groups or admin_groups, I’m not ever seeing my compute_groups function getting called.

What’s the magic incantation to allow OIDC to define user groups, map groups to roles, and use roles to define permissions?

Edit:

I’ve also tried specifying load_groups and disabling manage_groups. That definitely loads a static group membership map into the database, but then the OIDC GenericOAuthenticator still doesn’t seem to pick up user groups or even invoke claim_groups_key.

# Define roles and assign them to groups.
c.JupyterHub.load_roles.append(...)

# Define static group mapping.
c.JupyterHub.load_groups.append(...)

# Allow OIDC to define user groups.
def compute_groups(claims):
    pass
c.GenericOAuthenticator.claim_groups_key = compute_groups

jrouly · November 16, 2023, 4:00pm

I’m beginning to think this simply isn’t possible with the current GenericOAuthenticator implementation.

Per these jupyterhub docs, when manage_groups is enabled the authenticator needs to include a groups key in the dictionary returned by authenticate() and refresh_user().

I had to provide a custom GenericOAuthenticator subclass that implemented this behavior.

    async def update_auth_model(self, auth_model):
        auth_model = await super().update_auth_model(auth_model)
        user_info = auth_model["auth_state"][self.user_auth_state_key]
        user_groups = self.get_user_groups(user_info)
        auth_model["groups"] = user_groups
        return auth_model

This works, assuming get_user_groups (via claim_groups_key) behaves as expected!

manics · November 16, 2023, 7:38pm

As you’ve found out OAuthenticator only uses the external group membership to make a binary decision on whether to authorise a user, since this is all that was supported by JupyterHub prior to RBAC. At first glance what you’ve done above looks like the right approach to using OIDC groups in JupyterHub!

benjimin · November 29, 2023, 7:45am

I was also trying to customise JupyterHub based on group membership defined by OIDC. Raised issue here:

github.com/jupyterhub/oauthenticator

GenericOAuthenticator should populate groups if `claim_groups_key` is set

opened 11:29AM - 28 Nov 23 UTC

benjimin

enhancement

### Proposal If an administrator chooses to configure `c.GenericOAuthenticato…r.claim_groups_key`, then the list of groups (from the OAuth token claim) should be made readily available in `auth_state`. Setting `c.Authenticator.manage_groups = True` should also cause `spawner.user.groups` to be populated with the same list. ### Use-case This is so administrators can configure an OAuth provider to manage authentication _and_ group membership, for example to customise the Jupyterhub server profile list based on (externally managed) group memberships. This idea is explicitly [mentioned](https://z2jh.jupyter.org/en/latest/jupyterhub/customizing/user-environment.html#user-dependent-profile-options) in the Z2JH customisation guide (using OAuth group membership to decide whether to offer GPUs). ### Is this a bug? Or a feature request? At present `claim_groups_key` seems to have no effect unless `admin_groups` or `allowed_groups` are set. (The `claim_groups_key` [docs](https://oauthenticator.readthedocs.io/en/latest/reference/api/gen/oauthenticator.generic.html#oauthenticator.generic.LocalGenericOAuthenticator.claim_groups_key) give little indication if its purpose were intended to be so narrow.) The [docs](https://oauthenticator.readthedocs.io/en/latest/reference/api/gen/oauthenticator.generic.html#oauthenticator.generic.GenericOAuthenticator.manage_groups) for `manage_groups` lead one to expect that the authenticator should assign a list of group names to the user. 🐜 ### Alternative options I think it is pragmatic to only make changes to `GenericOAuthenticator` at this stage. An alternative would be to make the changes somewhere deeper in the class hierarchy (potentially adjusting the interfaces), because administrators are likely to want other varieties of authenticator to also have similar functionality (of populating groups from externally-managed sources), and it would be advantageous if the expected behaviour and configuration was made consistent. (For example, `GitHubOAuthenticator` and `GlobusOAuthenticator` currently each implement their own peculiar class methods for configuring group management.) A workaround I've seen deployed (similar example [here](https://discourse.jupyter.org/t/spawner-default-url-is-not-working-anymore/20042/13)) is to do a pip install of `cognitojwt` into the container image at runtime, to use to decode and verify an OAuth token (e.g., to extract the `"cognito:groups"` [claim](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-id-token.html) expressing AWS Cognito user-pool group-memberships). But this breaks containerisation (risking abrupt failure of the hub if a shared dependency releases a breaking change upstream on PyPI) and requires injecting a substantial amount of code in Z2JH config (where it is difficult to version control and distribute patches); it is far better if the authenticator class itself handles decoding and verifying the tokens as appropriate (facilitating a simpler API, the `user.groups` property, for customisations to work with). ### Suggested solution @jrouly has [suggested](https://discourse.jupyter.org/t/oidc-rbac-possible-to-map-users-to-groups-and-groups-to-roles-where-users-and-groups-are-defined-by-oidc/22426/2) that [`update_auth_model`](https://github.com/jupyterhub/oauthenticator/blob/f3cc7393fdb38a2d56d374efaebe6b4d19b041cb/oauthenticator/generic.py#L147-L164) needs to _unconditionally_ assign to `auth_model["groups"]`. This should ensure the `groups` field is returned by `Authenticator.authenticate` ([per spec](https://github.com/jupyterhub/jupyterhub/blob/main/jupyterhub/auth.py#L631)), and so it can be [transferred](https://github.com/jupyterhub/jupyterhub/blob/7000cea8ec25717bda26ca953fbecb7f22c37649/jupyterhub/handlers/base.py#L821-L825) to the user object during login handling.

Topic		Replies	Views
Is Jupyterhub RBAC groups the same as OAuth groups? Zero to JupyterHub on Kubernetes jupyterhub , how-to , help-wanted	3	761	November 16, 2023
GenericOAuthenticator - Restrict access using claims JupyterHub	2	1209	November 22, 2022
JupyterHub + KeyCloak auth and LDAP user groups JupyterHub	7	1364	October 13, 2024
How to assign roles/scopes in the post_auth_hook JupyterHub	3	171	May 16, 2024
I hope to be able to dynamically configure load_roles in jupyterhub through api Zero to JupyterHub on Kubernetes how-to , help-wanted	2	350	September 21, 2023

OIDC RBAC - possible to map users to groups and groups to roles, where users and groups are defined by OIDC?

Related topics