Hello
I’ve used the "Zero to JupyterHub with Kubernetes" guide to set up JupyterHub on our k8s cluster.
For dev I’ve used the dummy auth with a generalized password.
We are using OneLogin as the authentication and portal to all our web tools (superset, prometheus UI, grafana, AWS, etc.).
I’ve tried to configure the GenericOAuthenticator to work with OneLogin using OpenID, but I get either a 500 or a 561 error, depending on configuration.
Any ideas/suggestions/guides as to how I may implement this? I want users to log in to JupyterHub via OneLogin.
My helm’s values configuration:
```yaml
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/group.name: apps-group
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/healthcheck-path: /health
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/ssl-redirect: '443'
    alb.ingress.kubernetes.io/auth-type: oidc
    alb.ingress.kubernetes.io/auth-idp-oidc: '{"issuer":"https://<name>.onelogin.com/oidc/2","authorizationEndpoint":"https://<name>.onelogin.com/oidc/2/auth","tokenEndpoint":"https://<name>.onelogin.com/oidc/2/token","userInfoEndpoint":"https://<name>.onelogin.com/oidc/2/me","secretName":"jupyterhub-env"}'
    alb.ingress.kubernetes.io/auth-on-unauthenticated-request: authenticate
hub:
  config:
    Authenticator:
      enable_auth_state: true
    GenericOAuthenticator:
      client_id: <my-client-id>
      client_secret: <my-client-secret>
      oauth_callback_url: https://<HOST_URL>/hub/oauth_callback
      authorize_url: https://<name>.onelogin.com/oidc/2/auth
      token_url: https://<name>.onelogin.com/oidc/2/token
      userdata_url: https://<name>.onelogin.com/oidc/2/me
      scope:
        - openid
        - name
        - profile
        - email
      username_key: email
    JupyterHub:
      authenticator_class: generic-oauth
```
MYURL is well established and used for other OpenID apps, all endpoints checked.
Ingress works well with the dummy authenticator, so people can only access the Jupyter URL from OneLogin, but the dummy isn’t good for us.
Endpoints are tested