OneLogin OpenID as login management

Hello
I’ve used the "Zero to JupyterHub with Kubernetes" guide to set up JupyterHub on our k8s cluster.
For dev I’ve used the dummy auth with a generalized password.

We are using OneLogin as the authentication and portal to all our web tools (superset, prometheus UI, grafana, AWS, etc.).
I’ve tried to configure the GenericOAuthenticator to work with OneLogin using OpenID, but I get either a 500 or a 561 error, depending on configuration.

Any ideas/suggestions/guides as to how I may implement this? I want users to login to jupyterhub via onelogin.

My Helm values configuration:

ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/group.name: apps-group
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/healthcheck-path: /health
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/ssl-redirect: '443'
    alb.ingress.kubernetes.io/auth-type: oidc
    alb.ingress.kubernetes.io/auth-idp-oidc: '{"issuer":"https://<name>.onelogin.com/oidc/2","authorizationEndpoint":"https://<name>.onelogin.com/oidc/2/auth","tokenEndpoint":"https://<name>.onelogin.com/oidc/2/token","userInfoEndpoint":"https://<name>.onelogin.com/oidc/2/me","secretName":"jupyterhub-env"}'
    alb.ingress.kubernetes.io/auth-on-unauthenticated-request: authenticate
hub:
  config:
    Authenticator:
      enable_auth_state: true
    GenericOAuthenticator:
      client_id: <my-client-id>
      client_secret: <my-client-secret>
      oauth_callback_url: https://<HOST_URL>/hub/oauth_callback
      authorize_url: https://<name>.onelogin.com/oidc/2/auth
      token_url: https://<name>.onelogin.com/oidc/2/token
      userdata_url: https://<name>.onelogin.com/oidc/2/me
      scope:
        - openid
        - name
        - profile
        - email
      username_key: email
    JupyterHub:
      authenticator_class: generic-oauth

MYURL is well established and used for other OpenID apps, all endpoints checked.

Ingress works well with the dummy authenticator, so people can only access the jupyter url from onelogin, but the dummy isn’t good for us.
Endpoints are tested.

Unfortunately debugging external authentication providers can be very tricky. Have you tried turning on debug logging? That will show you all internal and external requests to onelogin, and might help you, or someone else on this forum if you share the logs, identify the problem.

Another thing you could try is to set up your own OIDC provider such as Keycloak. If that works you’ll know that any problems are specific to onelogin.


Thanks for the reply, I will try both things and be back if I have more details/questions.

Just in case anyone gets here by Google like me, you need to add the basic_auth option which changes the way the token is provided to onelogin on the token_url.

hub:
  config:
    Authenticator:
      enable_auth_state: true
    GenericOAuthenticator:
      client_id: <my-client-id>
      client_secret: <my-client-secret>
      oauth_callback_url: https://<HOST_URL>/hub/oauth_callback
      authorize_url: https://<name>.onelogin.com/oidc/2/auth
      token_url: https://<name>.onelogin.com/oidc/2/token
      userdata_url: https://<name>.onelogin.com/oidc/2/me
      basic_auth: true
      username_key: email
      claim_groups_key: groups
      scope:
        - openid
        - profile
        - groups
    JupyterHub:
      authenticator_class: generic-oauth
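To make the `basic_auth` point above concrete, here is an added example (not code from this thread, nor from the OAuthenticator project) that builds the authorization-code token request in the two styles that option switches between: client credentials in the form body, or client credentials in an `Authorization: Basic` header. It checks both against a constructed stand-in for a token endpoint that only accepts the Basic style, which is the shape of failure the thread describes. The URLs, client id and secret are placeholders, requests are plain dicts rather than real HTTP, and the stand-in endpoint is an assumption about provider behaviour, not OneLogin's actual implementation.

```python
"""
Added example: the same OAuth2 token request with and without HTTP Basic
client authentication, and a constructed provider stand-in that rejects the
form-body style. Nothing is sent over the network.
"""
import base64
from urllib.parse import urlencode, parse_qs

# Constructed placeholder values; real ones come from the OneLogin app config.
TOKEN_URL = "https://<name>.onelogin.com/oidc/2/token"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://<HOST_URL>/hub/oauth_callback"


def build_token_request(code, basic_auth):
    """Return {'url', 'headers', 'body'} for exchanging an authorization code.

    basic_auth=False: client_id and client_secret are sent in the form body
                      (the client_secret_post style of RFC 6749).
    basic_auth=True:  they are sent in an Authorization: Basic header
                      (client_secret_basic) and left out of the body.
    """
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if basic_auth:
        cred = f"{CLIENT_ID}:{CLIENT_SECRET}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(cred).decode()
    else:
        form["client_id"] = CLIENT_ID
        form["client_secret"] = CLIENT_SECRET
    return {"url": TOKEN_URL, "headers": headers, "body": urlencode(form)}


def basic_only_token_endpoint(request):
    """Constructed stand-in for a token endpoint that requires Basic auth.

    Returns (status, json_body). RFC 6749 specifies 401 invalid_client for a
    rejected client; real providers vary in what they return.
    """
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        decoded = base64.b64decode(auth[len("Basic "):]).decode()
        client_id, client_secret = decoded.split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return 401, {"error": "invalid_client"}
    if (client_id, client_secret) != (CLIENT_ID, CLIENT_SECRET):
        return 401, {"error": "invalid_client"}
    form = parse_qs(request["body"])
    if form.get("grant_type") != ["authorization_code"] or "code" not in form:
        return 400, {"error": "invalid_request"}
    return 200, {"access_token": "constructed-token", "token_type": "Bearer"}


def exchange(code, basic_auth):
    """Build the request in the given mode and return the endpoint's status."""
    status, _ = basic_only_token_endpoint(build_token_request(code, basic_auth))
    return status


if __name__ == "__main__":
    for mode in (False, True):
        print(f"basic_auth={mode}: HTTP {exchange('abc123', mode)}")
```

Running it shows the form-body request rejected and the Basic-header request accepted by the stand-in. When debugging a real provider, the thing to compare in the hub's debug logs is exactly this: whether the token request carried the client credentials where the provider expects them.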