Hi!
My config uses JupyterHub+KeyCloak, where users are created in the KeyCloak admin GUI. For now, a new user successfully authenticates via KeyCloak, but then I get a 500 error in JupyterHub, because there is no Linux user yet.
So I need to do some work (create the Linux user if it does not exist and prepare their catalog) between authenticating the user and spawning JupyterLab.
I found ‘c.Spawner.auth_state_hook’.
Dumb question: which variable contains the username of the just-authenticated user?
I assume you are using GenericOAuthenticator for KeyCloak integration. In that case you can use LocalGenericOAuthenticator, which will create system users upon first login.
For now I use this config
(a wild mix of examples from the net and attempts to select the right parameters):
c.JupyterHub.authenticator_class = 'generic-oauth'
c.GenericOAuthenticator.client_id = 'jupyter'
c.GenericOAuthenticator.client_secret = '12345IzIl9t2TtphiQ9cFOndAn15q9f3'
c.GenericOAuthenticator.oauth_callback_url = 'https://juhub.dl.example.com/hub/oauth_callback'
c.GenericOAuthenticator.authorize_url = 'https://keycloak.dl.example.com/realms/JupyterRealm/protocol/openid-connect/auth'
c.GenericOAuthenticator.token_url = 'https://keycloak.dl.example.com/realms/JupyterRealm/protocol/openid-connect/token'
c.GenericOAuthenticator.userdata_url = 'https://keycloak.dl.example.com/realms/JupyterRealm/protocol/openid-connect/userinfo'
c.GenericOAuthenticator.logout_redirect_url = 'https://keycloak.dl.example.com/realms/JupyterRealm/protocol/openid-connect/logout?post_logout_redirect_uri=https://juhub.dl.example.com&client_id=jupyter'
c.GenericOAuthenticator.login_service = 'keycloak'
c.GenericOAuthenticator.username_claim = 'preferred_username'
c.GenericOAuthenticator.auto_login = False
c.GenericOAuthenticator.userdata_params.state = {"state": "state"}
c.GenericOAuthenticator.scope = ['openid']
Not ideal, but it works with existing Linux users.
Am I using the right authenticator or not?
Yes, your config seems to be fine (redact the secrets when you post on public forums). Instead of generic-oauth use local-generic-oauth and ensure you run JupyterHub with sudo (as creating system users needs privileges). This will create Linux users upon first login when they are not present on the JupyterHub server.
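
On the hook question from the first post: a spawn hook receives the Spawner, and the authenticated username is `spawner.user.name`. The sketch below is an added example, not code from the thread or from JupyterHub itself; it validates the IdP-supplied name before creating an account with root privileges. The function names, the username pattern and the UID threshold are assumptions to adapt to the host's policy.

```python
import pwd
import re
import subprocess

# Assumption: conservative login-name policy. Because the name comes from the
# IdP claim (preferred_username) and ends up on a root-run command line, only
# lowercase letters, digits, "_" and "-" are allowed, never a leading "-".
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
# Assumption: accounts below this UID are system accounts (see UID_MIN in
# /etc/login.defs on the JupyterHub host).
MIN_HUMAN_UID = 1000


def plan_for_user(name, lookup=pwd.getpwnam):
    """Return None if a usable account exists, else the useradd argv to run."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError(f"refusing unsafe username from IdP: {name!r}")
    try:
        entry = lookup(name)
    except KeyError:
        # No such account yet: create it with a home directory. "--" ends
        # option parsing so the name can never be read as a flag.
        return ["useradd", "--create-home", "--", name]
    if entry.pw_uid < MIN_HUMAN_UID:
        # An IdP user named like root or daemon must not spawn as that account.
        raise PermissionError(
            f"{name!r} maps to a system account (uid {entry.pw_uid})"
        )
    return None


def ensure_system_user(spawner):
    """Hook body: JupyterHub calls it with the Spawner before the server starts."""
    argv = plan_for_user(spawner.user.name)
    if argv is not None:
        # List argv with no shell, so the name is passed as a single argument.
        subprocess.run(argv, check=True)


# In jupyterhub_config.py (where `c` is provided by JupyterHub):
#   c.Spawner.pre_spawn_hook = ensure_system_user
```

With local-generic-oauth, the built-in alternative is `c.LocalAuthenticator.create_system_users = True`, which defaults to False. Either way the Hub process needs the privileges to add users, so the validation above matters most when the Hub runs as root.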