We have managed to set up our jupyterhub environment (z2jh) to use Keycloak as an authentication server, and users are given an enter-password screen when they try to access the jupyterhub website. The configuration used for this is below.

The question we have is how do we auto sign in users to the jupyterhub server from another website? We are not using keycloak to authenticate on the other website. So the login process we assume would be along the following lines:

  • User logs into primary website (no keycloak)
  • The user goes to a webpage where we show a link to the jupyterhub notebook
  • We generate a JWT token using a post request to keycloak server.
  • We somehow use the token to sign the user into the jupyterhub server.

We have managed to successfully create a web token using postman to make a post request using the client_id, secret, username and password.

Our question is how do we use this token to log the user in?

We can see the callback during the manual login process, but we are unsure how we generate the 'state'. We assume something has been set in the my-jhub cookie, but any feedback or links to guide us would be much appreciated.

https://my-jhub.xxx.net/hub/api/oauth2/authorize?client_id=jupyterhub-user-user_a&redirect_uri=%2Fuser%2Fuser_a%2Foauth_callback&response_type=code&state=eyJ1dwLkIjogImU2ZWY3ZDYyZWMzZTQ3ZmY5Nzg4ODJkOTkxMTcxYjdmIiwgIm5leHRfdXJsIjogIi91c2oyL3BhZHJhaWMvdHJlZT9yZWRpcmVjdHM9MSJ9

    auth:
      type: custom
      className: oauthenticator.generic.GenericOAuthenticator
      config:
        login_service: 'keycloak'
        client_id: 'kubernetes-cluster-dev'
        client_secret: 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy'
        token_url: https://keycloak.xxx.net/auth/realms/test_realm/protocol/openid-connect/token
        userdata_url: https://keycloak.xxx.net/auth/realms/test_realm/protocol/openid-connect/userinfo
        userdata_method: GET
        userdata_params: {'state': 'state'}
        username_key: preferred_username
    hub:
      extraEnv:
        OAUTH2_AUTHORIZE_URL: https://keycloak.xxx.net/auth/realms/test_realm/protocol/openid-connect/auth
        OAUTH2_TOKEN_URL: https://keycloak.xxx.net/auth/realms/test_realm/protocol/openid-connect/token
        OAUTH_CALLBACK_URL: http://my-jhub.xxx.net/hub/oauth_callback
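The `state` parameter in the callback URL above follows the usual OAuth2 CSRF defence: the server mints it per login attempt and pins it to the browser that started the flow, so a value produced elsewhere is rejected. The sketch below is an added example of that general pattern, not code from the post, JupyterHub or oauthenticator; the cookie name, the `uuid`/`next_url` fields and the function names are assumptions for illustration.

```python
import base64
import hmac
import json
import secrets

COOKIE_NAME = "oauth-state"  # hypothetical cookie name

def new_state(next_url):
    """Start of a login: mint a random state and the cookie that pins it to this browser."""
    payload = {"uuid": secrets.token_hex(16), "next_url": next_url}
    state = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    return state, {COOKIE_NAME: state}

def decode_state(state):
    """Decode the base64url JSON blob carried in the state parameter."""
    padded = state + "=" * (-len(state) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def check_callback(query, cookies):
    """Return the post-login path if the callback is valid, otherwise None."""
    sent = query.get("state")
    pinned = cookies.get(COOKIE_NAME)
    # The state must have been issued to this browser; a value minted
    # by another site or another session never matches the cookie.
    if not sent or not pinned:
        return None
    if not hmac.compare_digest(sent.encode(), pinned.encode()):
        return None
    try:
        payload = decode_state(sent)
    except ValueError:
        return None
    next_url = payload.get("next_url") if isinstance(payload, dict) else None
    # Accept only local paths so the state cannot be used as an open redirect.
    if not isinstance(next_url, str) or not next_url.startswith("/"):
        return None
    if next_url.startswith("//") or "\\" in next_url:
        return None
    return next_url
```

A state generated outside the browser's own login attempt fails the cookie comparison, which is why the value cannot simply be produced on the other website and appended to a link.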

1 Answer

In order to do what you describe, you'll want to configure Keycloak as an Identity Broker here. It sounds like you've configured JupyterHub to be a client to Keycloak. What I mean by this is that JupyterHub uses and trusts tokens issued by Keycloak.

If you use the Identity Brokering feature of Keycloak, and configure your "another website" as an Identity Provider in Keycloak, then you'll be able to log in to your "another website" and then use that identity via Keycloak in JupyterHub. What happens in this scenario is that Keycloak acts as an intermediary between your "another website" and your JupyterHub client. If Keycloak detects that your user has logged in via "another website", it will issue its own token based on this, and then your JupyterHub will be able to use this Keycloak token since it's already configured to use Keycloak for identity.

Have a look here for how this works: https://www.keycloak.org/docs/6.0/server_admin/index.html#_identity_broker

Mark
  • I have spent some time thinking about your response and some clarifications would be greatly appreciated. I assumed identity brokers should be used when you wish to integrate with third-party providers like GitHub etc. But I think what you are advising is for us to build a custom identity provider that will integrate to our "another website" so when someone logs into our "another website" it generates a keycloak session and an associated token which our JupyterHub website will see and log the user in automatically. – user495732 Why Me Jul 25 '19 at 08:24
  • Can you advise how this is different from the simple examples on the web where you integrate keycloak into a website and then configure JupyterHub to use the same keycloak client? In these examples you use keycloak on website A to log in, and when you go to website B the "login using keycloak" button appears and when clicked you are immediately logged in without username or password. – user495732 Why Me Jul 25 '19 at 08:34
  • In essence, I am really asking given I can create a keycloak session using Postman why or what is missing from issuing the same POST request from the "another website" creating the keycloak session and then simply displaying the link to the JupyterHub website and the user just has to click the login button with no requirement for the username or password? – user495732 Why Me Jul 25 '19 at 08:35