At our JupyterHub deployment (https://notebooks.egi.eu) we want users to be able to interact with the JupyterHub API using JWT OAuth2 tokens from our IAM system. The way we are managing this is by:
- extending our oauthenticator to exchange the jwt tokens to jupyterhub tokens. We create them on the fly with a dedicated handler to avoid changing the overall oauthenticator functionality (see egi-notebooks-hub/egi_notebooks_hub/egiauthenticator.py at main · EGI-Federation/egi-notebooks-hub · GitHub )
- creating a very simple API wrapper service that calls the exchange mentioned above for getting a valid JupyterHub token and with that one call the actual JupyterHub API (egi-notebooks-hub/egi_notebooks_hub/services/api_wrapper.py at main · EGI-Federation/egi-notebooks-hub · GitHub)
I would like to get some feedback from the community about this approach, are we doing the right thing? Maybe we have missed some functionality in the hub that could simplify our current implementation, and related to that - is this something interesting to support upstream to some extent?
Thanks!
Enol