Hi, I posted this on GitHub first but was asked to move it here:
We have installed JupyterHub into our on-prem Kubernetes cluster using the Helm chart (version 1.2.0). The values file has been modified to enable HTTPS and authenticate with Azure AD. Our AD configuration also required MFA. For some reason this triggers a server-side error in the hub when a user logs in.
The config file:
hub:
  config:
    AzureAdOAuthenticator:
      client_id: "REDACTED"
      client_secret: "REDACTED"
      oauth_callback_url: "https://jupyterhub.myhost.com/hub/oauth_callback"
      tenant_id: "REDACTED"
    JupyterHub:
      authenticator_class: azuread
proxy:
  https:
    enabled: true
    hosts:
      - https://jupyterhub.myhost.com
    type: secret
    secret:
      name: jupyterhub-tls
The “sign in with Azure AD” button appears in JupyterHub, but after logging in to AD the following error appears in the logs (and “500 : Internal Server Error” appears on the page):
[I 2022-01-06 20:25:01.505 JupyterHub oauth2:111] OAuth redirect: 'https://jupyterhub.myhost.com/hub/oauth_callback'
[I 2022-01-06 20:25:01.506 JupyterHub log:189] 302 GET /hub/oauth_login?next=%2Fhub%2F -> https://login.microsoftonline.com/$TENANT_ID/oauth2/authorize?response_type=code&redirect_uri=https%3A%2F%2Fjupyterhub.myhost.com
[E 2022-01-06 20:25:16.581 JupyterHub oauth2:389] Error fetching 400 POST https://login.microsoftonline.com/$TENAND_ID/oauth2/token: {
"claims": "{\"access_token\":{\"capolids\":{\"essential\":true,\"values\":[\"REDACTED\"]}}}",
"correlation_id": "REDACTED",
"error": "interaction_required",
"error_codes": [
50076
],
"error_description": "AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000002-0000-0000-c000-000000000000'.\r\nTrace ID: 11ecc9d4-34b
"error_uri": "https://login.microsoftonline.com/error?code=50076",
"suberror": "basic_action",
"timestamp": "2022-01-06 20:25:16Z",
"trace_id": "REDACTED"
}
[E 2022-01-06 20:25:16.581 JupyterHub web:1789] Uncaught exception GET /hub/oauth_callback?code=REDACTED
HTTPServerRequest(protocol='https', host='jupyterhub.myhost.com', method='GET', uri='/hub/oauth_callback?code=REDACTED
Traceback (most recent call last):
File "/usr/local/lib/python3.8/dist-packages/tornado/web.py", line 1704, in _execute
result = await result
File "/usr/local/lib/python3.8/dist-packages/oauthenticator/oauth2.py", line 231, in get
user = await self.login_user()
File "/usr/local/lib/python3.8/dist-packages/jupyterhub/handlers/base.py", line 754, in login_user
authenticated = await self.authenticate(data)
File "/usr/local/lib/python3.8/dist-packages/jupyterhub/auth.py", line 469, in get_authenticated_user
authenticated = await maybe_future(self.authenticate(handler, data))
File "/usr/local/lib/python3.8/dist-packages/oauthenticator/azuread.py", line 76, in authenticate
resp_json = await self.fetch(req)
File "/usr/local/lib/python3.8/dist-packages/oauthenticator/oauth2.py", line 390, in fetch
raise e
File "/usr/local/lib/python3.8/dist-packages/oauthenticator/oauth2.py", line 369, in fetch
resp = await self.http_client.fetch(req, **kwargs)
tornado.httpclient.HTTPClientError: HTTP 400: Bad Request
[E 2022-01-06 20:25:16.582 JupyterHub log:181] { "X-Forwarded-Host": "jupyterhub.myhost.com",
"X-Forwarded-Proto": "https",
"X-Forwarded-Port": "443",
"X-Forwarded-For": "::ffff:10.17.132.1",
"Sec-Fetch-User": "?1",
"Sec-Fetch-Site": "cross-site",
"Sec-Fetch-Mode": "navigate",
"Sec-Fetch-Dest": "document",
"Upgrade-Insecure-Requests": "1",
"Cookie": "oauthenticator-state=[secret]",
"Connection": "close",
"Dnt": "1",
"Referer": "https://login.microsoftonline.com/",
"Accept-Encoding": "gzip, deflate, br",
"Accept-Language": "en-US,en;q=0.5",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0",
"Host": "jupyterhub.myhost.com"
}
[E 2022-01-06 20:25:16.582 JupyterHub log:189] 500 GET /hub/oauth_callback?code=[secret]&state=[secret]&session_state=[secret] (@::ffff:10.17.132.1) 233.58ms
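What the 400 in the log above means for a client, as an added example that is not part of the original post and not oauthenticator's code: the `interaction_required` body carries a `claims` challenge, which can be parsed and sent back on a fresh authorization request instead of being surfaced as a 500. The function names, the sample body and the use of the `claims` request parameter on the retry are assumptions of this example.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample modelled on the 400 body in the log; all values are placeholders.
SAMPLE_BODY = json.dumps({
    "claims": json.dumps({"access_token": {"capolids": {
        "essential": True, "values": ["PLACEHOLDER-POLICY-ID"]}}}),
    "error": "interaction_required",
    "error_codes": [50076],
    "suberror": "basic_action",
})

def parse_token_error(body):
    """Classify a token-endpoint error body without raising on malformed input."""
    result = {"error": "unparseable", "codes": [], "needs_interaction": False, "claims": None}
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return result  # truncated or non-JSON body: report it, do not crash the handler
    if not isinstance(doc, dict):
        return result
    result["error"] = str(doc.get("error", "unknown"))
    codes = doc.get("error_codes")
    result["codes"] = [c for c in codes if isinstance(c, int)] if isinstance(codes, list) else []
    result["needs_interaction"] = result["error"] == "interaction_required"
    raw = doc.get("claims")
    # The challenge is JSON serialized into a string: validate it, then keep it verbatim.
    if isinstance(raw, str):
        try:
            if isinstance(json.loads(raw), dict):
                result["claims"] = raw
        except ValueError:
            pass
    return result

def retry_authorize_url(authorize_url, parsed):
    """Return authorize_url with the claims challenge attached, or None if no retry applies."""
    if not (parsed["needs_interaction"] and parsed["claims"]):
        return None
    parts = urlsplit(authorize_url)
    # Drop any stale claims value so the challenge from this response is the only one sent.
    query = [(k, v) for k, v in parse_qsl(parts.query) if k != "claims"]
    query.append(("claims", parsed["claims"]))
    return urlunsplit(parts._replace(query=urlencode(query)))
```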