Hi guys
We are setting up JupyterLab for our team, and have run into a snag when attempting to set up an Azure AD authenticator.
In short, when clicking the login-button, the tenant ID is not set in the URL:


Notice the two brackets, which should surround the tenant ID.
From the logs we see the same issue:
```
[I 2019-05-13 07:01:48.199 JupyterHub log:158] 302 GET / -> /hub (@10.12.2.1) 1.08ms
[I 2019-05-13 07:01:48.328 JupyterHub log:158] 302 GET /hub -> /hub/ (@10.12.2.1) 1.70ms
[I 2019-05-13 07:01:48.595 JupyterHub log:158] 302 GET /hub/ -> /hub/login (@10.12.2.1) 1.21ms
[I 2019-05-13 07:02:03.442 JupyterHub log:158] 200 GET /hub/login (@10.12.2.1) 2.58ms
[I 2019-05-13 07:02:12.390 JupyterHub oauth2:82] OAuth redirect: 'http://MYHUB.DOMAIN/hub/oauth_callback'
[I 2019-05-13 07:02:12.391 JupyterHub log:158] 302 GET /hub/oauth_login?next= -> https://login.microsoftonline.com//oauth2/authorize?response_type=code&redirect_uri=http%3A%2F%2FMYHUB.DOMAIN%2Fhub%2Foauth_callback&client_id=CORRECT_CLIENT_ID&state=[secret] (@10.12.2.1) 1.77ms
```
The funny thing is that the client ID is set in the URL, but for whatever reason, the tenant ID is missing. When pasting the tenant ID between the brackets in the URL, the login succeeds, and we are taken to the expected screen for selecting user environment.
We have attempted several approaches, including setting the value in my config.yaml-file:
```yaml
auth:
  type: custom
  custom:
    className: "oauthenticator.azuread.AzureAdOAuthenticator"
    config:
      client_id: "${client_id}"
      client_secret: "${client_secret}"
      oauth_callback_url: "${callback_url}"
      tenant_id: "${tenant_id}"
```
We have also attempted to pass the values to the hub.extraConfig.auth and hub.extraConfig.jupyterLab:
```yaml
hub:
  extraConfig:
    auth: |
      from oauthenticator.azuread import AzureAdOAuthenticator
      c.JupyterHub.authenticator_class = AzureAdOAuthenticator
      c.AzureAdOAuthenticator.oauth_callback_url = "https://${host}/hub/oauth_callback"
      c.AzureAdOAuthenticator.client_id = "${client_id}"
      c.AzureAdOAuthenticator.client_secret = "${client_secret}"
      c.AzureAdOAuthenticator.tenant_id = "${tenant_id}"
    jupyterlab: |
      c.Spawner.cmd = ['jupyter-labhub']
```
Other things we have tried include creating a container image based on jupyter/k8s-hub:0.8.2 for the hub pod to run, which removes globus_sdk[jwt] and instead installs PyJWT, with no luck.
Does anyone have any clue to what might be happening here?
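One way to catch this misconfiguration from the hub logs, as an added example that is not part of the original thread: it parses the 302 lines shown above and flags an Azure AD authorize redirect whose tenant path segment is empty, as well as a `redirect_uri` that is not https or does not end in `/hub/oauth_callback`. The sample lines are constructed from the log excerpt above, and `TENANT-PLACEHOLDER` is a placeholder value.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines modelled on the log excerpt above (placeholder values).
SAMPLE_LOG = [
    "[I 2019-05-13 07:02:12.391 JupyterHub log:158] 302 GET /hub/oauth_login?next= -> "
    "https://login.microsoftonline.com//oauth2/authorize?response_type=code"
    "&redirect_uri=http%3A%2F%2FMYHUB.DOMAIN%2Fhub%2Foauth_callback"
    "&client_id=CORRECT_CLIENT_ID&state=[secret] (@10.12.2.1) 1.77ms",
    "[I 2019-05-13 07:05:00.000 JupyterHub log:158] 302 GET /hub/oauth_login?next= -> "
    "https://login.microsoftonline.com/TENANT-PLACEHOLDER/oauth2/authorize?response_type=code"
    "&redirect_uri=https%3A%2F%2FMYHUB.DOMAIN%2Fhub%2Foauth_callback"
    "&client_id=CORRECT_CLIENT_ID&state=[secret] (@10.12.2.1) 1.50ms",
]

# Matches the access-log form "302 GET <path> -> <absolute URL>".
REDIRECT = re.compile(r"\b302 GET \S+ -> (https?://\S+)")


def check_redirect(url):
    """Return the problems found in one Azure AD authorize redirect URL."""
    parts = urlsplit(url)
    if parts.hostname != "login.microsoftonline.com":
        return []  # not an Azure AD redirect, nothing to check
    problems = []
    # "//oauth2/authorize" splits to ['', '', 'oauth2', 'authorize']: tenant is index 1.
    segments = parts.path.split("/")
    if len(segments) < 2 or not segments[1]:
        problems.append("empty tenant segment")
    query = parse_qs(parts.query)
    if not query.get("client_id"):
        problems.append("missing client_id")
    callback = urlsplit(query.get("redirect_uri", [""])[0])
    if callback.scheme != "https":
        problems.append("redirect_uri is not https")
    if not callback.path.endswith("/hub/oauth_callback"):
        problems.append("redirect_uri path is not /hub/oauth_callback")
    return problems


def scan(lines):
    """Return (line_number, problems) for every flawed authorize redirect."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REDIRECT.search(line)
        problems = check_redirect(match.group(1)) if match else []
        if problems:
            findings.append((number, problems))
    return findings
```
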
The tenant ID needs to be set as an environment variable in the hub config:
```yaml
extraEnv:
  AAD_TENANT_ID: 'xxxxxxxxx-xxxxxx-xxxxx-xxx'
```
I tried setting the AAD_TENANT_ID as you say, however this did not make any difference. I also tried printing the c.JupyterHub.AzureAdOAuthenticator.__dict__ - which returned an empty dict.
Finally solved this, however the solution was not obvious.
Using some hints from #348 and @nhjiejan above, I added the following lines to my config:
```yaml
hub:
  extraEnv:
    AAD_TENANT_ID: "${tenant_id}"
  image:
    name: docker/image/path/k8s-hub
    tag: latest
auth:
  type: custom
  custom:
    className: "oauthenticator.azuread.AzureAdOAuthenticator"
    config:
      client_id: "${client_id}"
      client_secret: "${client_secret}"
      oauth_callback_url: "${callback_url}"
      tenant_id: "${tenant_id}"
```
In order to make this work, I had to provide a custom docker-image which installed PyJWT:
```dockerfile
FROM jupyterhub/k8s-hub:0.8.2
USER root
RUN pip3 install --no-cache-dir -U \
    PyJWT
USER ${NB_USER}
```
Somewhere in my googling, not sure where, I read advice to uninstall globus_sdk[jwt]. This did not work and is not recommended.
I've been trying to get this nailed for several days and have finally cracked it but wanted to clarify what needs configuring and where to get this to actually work.
Firstly, if you modify your hub config to use a 9.x build of k8s-hub image, it has PyJWT pre-installed.
```yaml
hub:
  image:
    name: jupyterhub/k8s-hub
    tag: 0.9-17c3f1d
```
In your hub deployment config, you will need to set the environment variable for the AAD_TENANT_ID
```yaml
spec:
  env:
  - name: AAD_TENANT_ID
    value: <TENANT ID>
```
Setting it in the hub config under 'extraEnv' as suggested, does not seem to have any effect.
Finally, in the hub config configure as suggested in previous posts:
```yaml
auth:
  type: custom
  custom:
    className: "oauthenticator.azuread.AzureAdOAuthenticator"
    config:
      client_id: "<CLIENT ID>"
      client_secret: "<CLIENT SECRET>"
      oauth_callback_url: "https://<YOURDOMAIN>/hub/oauth_callback"
      tenant_id: "<TENANT ID>"
```
I hope the above saves you folks a few days experimenting!
I'm using this exact set up and when the Azure Oauth redirects I get a "500 Internal Server Error", did you have to add anything else to get this working?
Hi Kasper,
From the JupyterHub config, no, nothing more added anywhere.
Have you double-checked the Application you created in Azure AD has the correct callback URL configured?
It should all work as long as you have all the pieces in place.
I tried to make sure it is obvious that all values in between < > are replaced with your values and the < > omitted, as that’s what caught me out, with quotes in the wrong places or places they didn’t need to be!
From: Kasper Ramström notifications@github.com
Reply to: jupyterhub/zero-to-jupyterhub-k8s reply@reply.github.com
Date: Monday, 14 October 2019 at 13:41
To: jupyterhub/zero-to-jupyterhub-k8s zero-to-jupyterhub-k8s@noreply.github.com
Cc: Chris Bowles chris@illapa.cloud, Comment comment@noreply.github.com
Subject: Re: [jupyterhub/zero-to-jupyterhub-k8s] azuread oauthenticator tenant_id never set (#1281)