Unable to start binder development environment with auth enabled

Binder
1

I am setting up a binder developement environement to work on BinderHub frontend redirects to non existing Jupyter server when a file path is given in the UI and JupyterHub is configured with allowNamedServers · Issue #2028 · jupyterhub/binderhub · GitHub, and following Contributing to BinderHub — BinderHub documentation for setting up the development env.

That page from the contributor guideline mentions

# Append --auth here if you want to develop against a non-public BinderHub
# that relies on JupyterHub's configured Authenticator to decide if the users
# are allowed access or not.
./testing/local-binder-k8s-hub/install-jupyterhub-chart

However setting the --auth switch breaks the binderhub and jupyterhub integration in a unexpected way:

this is what the jupyterhub log are showing:

I 260129 15:07:18 launcher:198] Creating user binder-examples-requirements-4ih08klp for image binder-2dexamples-2drequirements-55ab5c:bfb4f2602a3906795f6b23d6c43e22bf3326ef77
[I 260129 15:07:18 launcher:258] Starting server for user binder-examples-requirements-4ih08klp with image binder-2dexamples-2drequirements-55ab5c:bfb4f2602a3906795f6b23d6c43e22bf3326ef77
[D 260129 15:07:18 launcher:312] Requesting progress for binder-examples-requirements-4ih08klp: users/binder-examples-requirements-4ih08klp/server/progress
[E 260129 15:07:54 builder:749] Retrying launch of https://github.com/binder-examples/requirements after error (duration=37s, attempt=2): HTTPError()
[I 260129 15:08:02 launcher:198] Creating user binder-examples-requirements-c6b7yfl4 for image binder-2dexamples-2drequirements-55ab5c:bfb4f2602a3906795f6b23d6c43e22bf3326ef77
[I 260129 15:08:02 launcher:258] Starting server for user binder-examples-requirements-c6b7yfl4 with image binder-2dexamples-2drequirements-55ab5c:bfb4f2602a3906795f6b23d6c43e22bf3326ef77
[D 260129 15:08:02 launcher:312] Requesting progress for binder-examples-requirements-c6b7yfl4: users/binder-examples-requirements-c6b7yfl4/server/progress
[D 260129 15:08:05 rest:235] response body: {"kind":"PodList","apiVersion":"v1","metadata":{"resourceVersion":"3019610"},"items":[]

retrying launch seem to imply that the Pod was not created successfully, however from the Kubernetes point of view, the Pod ** is there** :slight_smile:

oc  get pod -l app.kubernetes.io/component=singleuser-server 
NAME                                            READY   STATUS    RESTARTS   AGE
jupyter-binder-examples-requirements-wj7dt03k   1/1     Running   0          7s

I don’t understand how this relates to authentication being activated with that --auth switch.
Could it be the development env with authentication activated is broken or I am missing something ?

Without the --auth flag the local dev env works perfect.

2

--auth is used to setup the environment in our tests:

but we only run the auth tests since most tests assume authentication is disabled

So it’s possible there’s a bug in the --auth flag.

How are you running BinderHub? Are you using the default config file, or binderhub/testing/local-binder-k8s-hub/binderhub_config_auth_additions.py at 8fa81d6ed9909f4a4ab71d2d8d93f13ab703e673 · jupyterhub/binderhub · GitHub ?

3

good catch ! I was not using that file. So now I am starting binderhub in the dev environment via:

python3 -m binderhub -f testing/local-binder-k8s-hub/binderhub_config_auth_additions.py

however I am still unable to log in graphically, I get a 403 throwned out immedialy when the redirect to jupyterhub happens from binder on the initial connection.

this is the binderhub log:

[D 260219 17:13:20 auth:835] No user identified
[D 260219 17:13:20 auth:1398] Redirecting to login url: http://192.168.49.2:30902/hub/api/oauth2/authorize?client_id=service-binder&redirect_uri=http%3A%2F%2F127.0.0.1%3A8585%2Foauth_callback&response_type=code
[W 260219 17:13:20 auth:1157] Detected unused OAuth state cookies
[I 260219 17:13:20 log:135] 302 GET / -> http://192.168.49.2:30902/hub/api/oauth2/authorize?client_id=service-binder&redirect_uri=http%3A%2F%2F127.0.0.1%3A8585%2Foauth_callback&response_type=code&state=[secret] (@127.0.0.1) 1.29ms

and the jupyter hub log

[I 2026-02-19 16:14:39.801 JupyterHub log:192] 302 GET /hub/api/oauth2/authorize?client_id=service-binder&redirect_uri=http%3A%2F%2F127.0.0.1%3A8585%2Foauth_callback&response_type=code&state=[secret] -> /hub/login?next=%2Fhub%2Fapi%2Foauth2%2Fauthorize%3Fclient_id%3Dservice-binder%26redirect_uri%3Dhttp%253A%252F%252F127.0.0.1%253A8585%252Foauth_callback%26response_type%3Dcode%26state%3DIDH0bbHmC3oP8MyUACRAYQ (@::ffff:10.244.0.1) 0.67ms
[W 2026-02-19 16:14:39.807 JupyterHub base:979] Failed login for unknown user
[D 2026-02-19 16:14:39.808 JupyterHub base:1542] Using default error template for 403
[W 2026-02-19 16:14:39.809 JupyterHub log:192] 403 GET /hub/login?next=%2Fhub%2Fapi%2Foauth2%2Fauthorize%3Fclient_id%3Dservice-binder%26redirect_uri%3Dhttp%253A%252F%252F127.0.0.1%253A8585%252Foauth_callback%26response_type%3Dcode%26state%3DIDH0bbHmC3oP8MyUACRAYQ (@::ffff:10.244.0.1) 1.80ms

I was expecing a login form when I could login via the dummy username/password

could it be that this problem is not surfaced in the CI tests because the CI tests would only access binder via API and not via web browser + redirect ?