Variable with username for c.Spawner.auth_state_hook

Hi!

My config use JupyterHub+KeyCloak, where users are created in KeyCloak admin GUI. For now new user successfully authenticating by KeyCloak, but than I get 500 error in JupyterHub, because there are not linux user yet.

So I need to do some job (create linux user if not exist and prepare his catalog) between authenticate user and spawning JupyterLab.

I found ‘c.Spawner.auth_state_hook’.
Dumb question - what variable consists username of just authenticated user?

I assume you are using GenericOAuthenticator for KeyCloak integration. In that case you can LocalGenericOAuthenticator which will create system users upon first login.

1 Like

For now i use this config
(A wild mix of examples from net and attempts to select the right parameters)

c.JupyterHub.authenticator_class = 'generic-oauth'

c.GenericOAuthenticator.client_id = 'jupyter'

c.GenericOAuthenticator.client_secret = '12345IzIl9t2TtphiQ9cFOndAn15q9f3'

c.GenericOAuthenticator.oauth_callback_url =  'https://juhub.dl.example.com/hub/oauth_callback'
c.GenericOAuthenticator.authorize_url = 'https://keycloak.dl.example.com/realms/JupyterRealm/protocol/openid-connect/auth'
c.GenericOAuthenticator.token_url = 'https://keycloak.dl.example.com/realms/JupyterRealm/protocol/openid-connect/token'
c.GenericOAuthenticator.userdata_url = 'https://keycloak.dl.example.com/realms/JupyterRealm/protocol/openid-connect/userinfo'
c.GenericOAuthenticator.logout_redirect_url = 'https://keycloak.dl.example.com/realms/JupyterRealm/protocol/openid-connect/logout?post_logout_redirect_uri=https://juhub.dl.example.com&client_id=jupyter'

c.GenericOAuthenticator.login_service = 'keycloak'
c.GenericOAuthenticator.username_claim = 'preferred_username'
c.GenericOAuthenticator.auto_login = False
c.GenericOAuthenticator.userdata_params.state = {"state": "state"}
c.GenericOAuthenticator.scope = ['openid']

Non ideal, but working with existing linux users.

Am I using the right authenticator or not?

Yes, your config seems to be fine (Redact the secrets when you post on public forums). Instead of generic-ouath use local-generic-oauth and ensure to run JupyterHub with sudo (as creating system users needs privileges). This will create linux users upon first login when they are not present on JupyterHub server.

Wow!
It’s working! :slight_smile:

1 Like