Using GoogleOAuthenticator and allowed_groups on TLJH instance

JupyterHub The Littlest JupyterHub
1

I’ve been through the TLJH docs and can’t find how to configure the GoogleOAuthenticator to allow only certain Google groups. The auth section of /opt/tljh/config/config.yaml on my VM instance is as follows:

auth:
  type: oauthenticator.google.GoogleOAuthenticator
  GoogleOAuthenticator:
    login_service: Foo
    hosted_domain: foo.com
    client_id: *********************
    client_secret: **********
    oauth_callback_url: https://HUB.foo.com/hub/oauth_callback
    allowed_google_groups:
      foo.com:
        - GROUP_NAME
    google_service_account_keys:
      foo.com: '/usr/local/oauth_client_id.json'
    gsuite_administrator:
      foo.com: "__jupyterhub__"

There are two issues. One is that I had to manually edit /opt/tljh/config/config.yaml to add the foo.com references instead of using tljh-config since I couldn’t figure out how to use tljh-config to add keys with periods like foo.com. The other is that, once so configured (if the above is indeed correct), I get the following when I try to login to the instance:

Traceback (most recent call last):
  File "/opt/tljh/hub/lib/python3.10/site-packages/tornado/web.py", line 1786, in _execute
    result = await result
  File "/opt/tljh/hub/lib/python3.10/site-packages/oauthenticator/oauth2.py", line 231, in get
    user = await self.login_user()
  File "/opt/tljh/hub/lib/python3.10/site-packages/jupyterhub/handlers/base.py", line 760, in login_user
    authenticated = await self.authenticate(data)
  File "/opt/tljh/hub/lib/python3.10/site-packages/jupyterhub/auth.py", line 469, in get_authenticated_user
    authenticated = await maybe_future(self.authenticate(handler, data))
  File "/opt/tljh/hub/lib/python3.10/site-packages/oauthenticator/google.py", line 224, in authenticate
    user_info = await self._add_google_groups_info(user_info, google_groups)
  File "/opt/tljh/hub/lib/python3.10/site-packages/oauthenticator/google.py", line 293, in _add_google_groups_info
    credentials = self._service_client_credentials(
  File "/opt/tljh/hub/lib/python3.10/site-packages/oauthenticator/google.py", line 232, in _service_client_credentials
Could not import google.oauth2's service_account you may need to run pip install oauthenticator[googlegroups] or not declare google groups

oauthenticator[googlegroups] is indeed installed. On investigation I found the underlying error is ModuleNotFoundError: No module named 'google' when _service_client_credentials runs from google.oauth2 import service_account.

How do you setup groups-based Google auth?

2

I solved this by creating the directory /opt/tljh/config/jupyterhub_config.d and adding a .py file that included the following:

c.GoogleOAuthenticator.allowed_google_groups = {'foo.com': ['allowed_group_name', another_allowed_group_name]}

See the JupyterHub Google Oauthenticator docs for details.

Re the import error, this was resolved by adding the package to the hub .venv:

cd /opt/tljh/hub
source bin/activate
pip install oauthenticator[googlegroups]

I had tried this once, but only after running some other pip installs outside the environment which messed some things up.