jwtauthenticator's People

Contributors

datamafia, glehmann, harschware, mogthesprog, morgan-jones-dunnhumby, thefrozenfire, yuvipanda

jwtauthenticator's Issues

want to embed jupyterhub to my web application

I want to embed JupyterHub in my web application. I want single sign-in for my app as well as JupyterHub. My existing users are LDAP users; how can I use the same sign-in to log into JHub using JWT?

redirect to https url

I am trying to use Apache Knox to establish a reverse proxy for JupyterHub. Therefore, I need to use jwtauthenticator so that JupyterHub can get the JWT after being authenticated by Knox SSO. However, after authentication, I get redirected to https://ip:port/hub. Is there any way to get redirected to http://ip:port/hub? Thanks!

Configuration

Hi, I'm getting this error when trying to run JupyterHub. Could it be a missing configuration step, or do you have any other idea? Thanks...

JupyterHub application:91] The 'authenticator_class' trait of <jupyterhub.app.JupyterHub object at 0x7fb42aff2198> instance must be a type, but 'jwtauthenticator.jwtauthenticator.JSONWebTokenAuthenticator' could not be imported

Cannot seem to use this with Zero to JupyterHub

Trying to use this as a custom authenticator for Zero to JupyterHub with Kubernetes.

As mentioned in jupyterhub/zero-to-jupyterhub-k8s#1506, I cannot seem to get this class to be recognised by JupyterHub:

[C 2019-12-02 05:28:18.719 JupyterHub application:90] Bad config encountered during initialization:
[C 2019-12-02 05:28:18.719 JupyterHub application:91] The 'authenticator_class' trait of <jupyterhub.app.JupyterHub object at 0x7f346f7e50f0> instance must be a type, but 'jwtauthenticator.jwtauthenticator.JSONWebTokenLocalAuthenticator' could not be imported

Any suggestions?

too many redirects

I'm having a problem with jwtauthenticator. It seems to pull the user from the JWT token, but then suffers from too many redirects.

I've configured my JupyterHub like so:

c.JupyterHub.authenticator_class = 'jwtauthenticator.jwtauthenticator.JSONWebTokenAuthenticator'
c.JSONWebTokenAuthenticator.signing_certificate = '/path/to/cert.pem'
c.JSONWebTokenAuthenticator.username_claim_field = 'sub'

I'm calling the hub like:

root@sandbox $ curl -L -k --header "Authorization: bearer JWTTOKEN" https://localhost:8443
curl: (47) Maximum (50) redirects followed

The logs show:

[I 2017-08-01 01:03:07.174 JupyterHub log:100] 302 GET /hub/login?next=%2Fhub%2Fhome (@::1) 4.61ms
[I 2017-08-01 01:03:07.177 JupyterHub log:100] 302 GET /hub/home (@::1) 0.74ms

401 Unauthorized

Getting a 401 Unauthorized error when I use jwtauthenticator.
domain.com/hub/login page shows "401 Unauthorized"

jupyterhub_config.py:
c.JupyterHub.authenticator_class = 'jwtauthenticator.jwtauthenticator.JSONWebTokenLocalAuthenticator'
c.JSONWebTokenAuthenticator.signing_certificate = '/opt/jupyterhub/auth.crt'
c.JSONWebTokenAuthenticator.username_claim_field = 'upn'
c.JSONWebTokenAuthenticator.expected_audience = ''
c.JSONWebTokenAuthenticator.header_name = 'Authorization'

How to normalize username names from Google IAP

Hi

I'm using the authenticator and the feature to create users dynamically, but when using Google IAP I'm getting the following error:

      File "/home/sa_124215213123/.local/lib/python3.8/site-packages/jupyterhub/auth.py", line 909, in add_system_user
        raise RuntimeError("Failed to create system user %s: %s" % (name, err))
    RuntimeError: Failed to create system user [email protected]: adduser: invalid option -- 'q'
    Usage: adduser [options] LOGIN
           adduser -D
           adduser -D [options]

Is there a way to normalize, strip off the domain name?

c.JupyterHub.spawner_class = 'systemdspawner.SystemdSpawner'
c.SystemdSpawner.dynamic_users = True
c.Spawner.notebook_dir = "notebooks"
c.Spawner.default_url = '/lab'

# Authentication

lib_dir = pjoin(os.path.dirname(this_dir), "lib")
sys.path.append(lib_dir)
c.JupyterHub.authenticator_class = 'jwtauthenticator.jwtauthenticator.JSONWebTokenLocalAuthenticator'
c.JSONWebTokenLocalAuthenticator.create_system_users = True
c.JSONWebTokenLocalAuthenticator.header_name = 'x-goog-iap-jwt-assertion'
#c.JSONWebTokenAuthenticator.header_is_authorization = False
c.JSONWebTokenLocalAuthenticator.expected_audience = '/projects/xxxxx/global/backendServices/xxxxx'
c.JSONWebTokenLocalAuthenticator.username_claim_field = 'email'
c.JSONWebTokenLocalAuthenticator.secret = request.urlopen('https://www.gstatic.com/iap/verify/public_key').read()

This should work:
https://github.com/mogthesprog/jwtauthenticator/blob/master/jwtauthenticator/jwtauthenticator.py#L86

So no idea.
Thanks for any advice.

Test Payload?

Can someone provide an example payload for testing configs? For example, I have the following simple/scratch config:

c.JupyterHub.authenticator_class = 'jwtauthenticator.jwtauthenticator.JSONWebTokenAuthenticator'
c.JSONWebTokenAuthenticator.secret = 'secret'
c.JSONWebTokenAuthenticator.username_claim_field = 'username'
c.JSONWebLocalTokenAuthenticator.create_system_users = False

I'm trying to generate a token with the following Python code:

import time
import jwt

jup_payload = {
    "iat": int(time.time()),
    "username": "testuser1",
}

jup_jwt_token = 'secret'
jwt_string = jwt.encode(jup_payload, jup_jwt_token, "HS256")

print(jwt_string)

We run JupyterHub, but I am struggling to understand the URL to which I would submit the token. If I simply attach the generated token to my normal server URL, like https://<hostname>:8443/hub/login?<token>, I always receive a 401 Unauthorized return. Given the general lack of logging output, I don't know where in the process I'm going wrong. Any tips here?

README Configuration

The Required Configuration section is a bit unclear. I think you might want to swap out c.LocalAuthenticator for c.JSONWebTokenLocalAuthenticator.

How to use JWK with jwtauthenticator?

I am using AWS Cognito. It gives a JWK (JSON Web Key) to verify the JWT signature. Where can I specify the JWK in the jwtauthenticator config? Should I specify a part of it?

Google IAP JWT tokens result in 403 error

I've been troubleshooting this issue for days, and I've only just realized why my authentication isn't working.

In the auth_header_content section of code, you're explicitly requiring that the header contain the phrase "bearer" at the beginning. In IAP's case, I believe that the token is actually just passed as-is, without "bearer", through the x-goog-iap-jwt-assertion header. This results in very opaque 403 errors.

https://github.com/mogthesprog/jwtauthenticator/blob/master/jwtauthenticator/jwtauthenticator.py#L26-L29

There should either be a configuration option for this behaviour.
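
The header handling and token check raised in the "Test Payload?", Google IAP username and Google IAP 403 issues above, as an added standard-library example; it is not jwtauthenticator's own code. All function names are hypothetical, the `header_is_authorization` parameter mirrors the commented-out option in the config quoted earlier, and treating an empty audience as "skip the check" is an assumption.

```python
import base64, hashlib, hmac, json, time

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(secret, signing_input):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def make_token(claims, secret):
    """Constructed HS256 test token, a stand-in for jwt.encode(claims, secret, "HS256")."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    return f"{head}.{body}." + _b64e(_sign(secret, f"{head}.{body}"))

def token_from_header(value, header_is_authorization=True):
    """'Authorization' carries 'bearer <jwt>'; a proxy assertion header carries the bare JWT."""
    if not header_is_authorization:
        return value.strip()
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise ValueError("expected 'bearer <token>'")
    return token.strip()

def verify_hs256(token, secret, audience=""):
    """Return the claims or raise ValueError. HS256 only; ES256/RS256 need a crypto library."""
    head, body, sig = token.split(".")
    header = json.loads(_b64d(head))
    if not isinstance(header, dict) or header.get("alg") != "HS256":  # pin the algorithm
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(_sign(secret, f"{head}.{body}"), _b64d(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64d(body))
    if "exp" in claims and claims["exp"] < time.time():
        raise ValueError("token expired")
    aud = claims.get("aud")
    if audience and audience not in (aud if isinstance(aud, list) else [aud]):  # '' skips (assumption)
        raise ValueError("audience mismatch")
    return claims

def username_from_claims(claims, field, strip_domain=False):
    """strip_domain maps user@example.com to 'user'; only safe when a single domain can log in."""
    name = str(claims[field])
    name = name.partition("@")[0] if strip_domain else name
    if not name or name.startswith("-"):  # a leading '-' would be parsed as an option by adduser
        raise ValueError("unusable username")
    return name
```
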

How does cookie code work

I'm having trouble setting up jwtauthenticator to authenticate my user. We simply want to allow the user to log into our web app, then be able to hit a link that takes them to Jupyterhub without having to log into there.

I've asked some questions on security.stackexchange asking what I need to do, but I don't seem to have any responses that help. For reference, here is that conversation: Understanding JWT and SSO

In a nutshell, here's what we've tried:

  1. Submitting Authorization header with JWT token... Works in PostMan, but we can't open the Jupyter link in a new tab, as we can't submit headers.

  2. GET request with JWT token as query param. This works, but I believe there are security issues.

  3. POST equivalent of GET. I believe this would be secure, as the POST variables are encrypted when using HTTPS. However, it doesn't appear jwtauthenticator allows POST.

  4. Set XSRF-TOKEN cookie with the value being the JWT token string. Both web app and Jupyterhub are subdomains of the same domain. Domain is set on the cookie, with path "/". Setting the cookie seems like the way to make this work, but it doesn't seem to be reading the cookie. DevTools shows the cookie is there when at the Jupyterhub site.

I was hoping this would be easier than it seems to be. All we are trying to do is provide our users a link to Jupyterhub that doesn't require login. Can someone tell me if I'm on the right track to implement that with the cookie option? And if so, what could be wrong. Thanks.

FileNotFoundError open(signing_certificate, 'r')

Hi.

I apologise for my beginner question. I configured my Jupyterhub installation to use the JWTAuthenticator. In my test, when I make a request to http://localhost:8000/hub/login, passing the token in the request header ("Authorization"), I get the following error:
Traceback (most recent call last):
  File "/anaconda/lib/python3.6/site-packages/tornado/web.py", line 1509, in _execute
    result = method(*self.path_args, **self.path_kwargs)
  File "/anaconda/lib/python3.6/site-packages/jwtauthenticator/jwtauthenticator.py", line 22, in get
    claims = self.verify_jwt_with_claims(auth_header_content, signing_certificate, audience)
  File "/anaconda/lib/python3.6/site-packages/jwtauthenticator/jwtauthenticator.py", line 37, in verify_jwt_with_claims
    with open(signing_certificate, 'r') as rsa_public_key_file:
FileNotFoundError: [Errno 2] No such file or directory: ''

I have set the configuration below in the jupyterhub_config.py:

c.JupyterHub.authenticator_class = 'jwtauthenticator.jwtauthenticator.JSONWebTokenAuthenticator'
c.LocalAuthenticator.signing_certificate = 'public.pem'

Thanks for any help.

This doesn't work in JupyterHub

If I do the following:

Dockerfile:

FROM jupyterhub/k8s-hub:0.9.0

# The published version on pypi is ancient
# https://github.com/mogthesprog/jwtauthenticator/issues/27
RUN export VERSION=bc08e8c389c9ce41a920376d8c2b15af66d2be15 && \
  curl https://github.com/mogthesprog/jwtauthenticator/archive/$VERSION.tar.gz --output archive.tar.gz && \
  tar -xzvf archive.tar.gz && \
  cd jwtauthenticator-$VERSION && \
  pip install -e .

jupyterhub_config.py:

c.JupyterHub.authenticator_class = 'jwtauthenticator.jwtauthenticator.JSONWebTokenAuthenticator'

I receive this error:

The 'authenticator_class' trait of <jupyterhub.app.JupyterHub object at 0x7f6760385748> instance must be a type, but 'jwtauthenticator.jwtauthenticator.JSONWebTokenAuthenticator' could not be imported

However, if I use this package: https://pypi.org/project/jupyterhub-jwtauthenticator-v2/
it does work in JupyterHub. This package is a forked and modified version of your package; I believe the fixes are related to the imports in __init__.py

User pod fails to authenticate with JHUB when using the JWT Authenticator

Hi,
We are using an external server for authentication, and once the user is authenticated, a JWT is received in the JHub which contains the authenticated user, and using this info the user pod is spawned. The user, when trying to get authenticated with JHub, fails to get authenticated, as the request is getting forwarded to the external authentication server, which should not happen; it should get solved internally in the JHub. Any hints or pointers to solve the issue?

Infinite redirects

curl http://0.0.0.0:8000/user/docker/tree? -v -L -H 'Authorization: bearer '
redirects to itself 50 times (curl limit) when authentication succeeds. I see that at the end of the get() method there is a redirect that is supposed to work when there is a 'next' request argument. Surprisingly, there is a 'next' request argument, and it points to 'user/docker/tree' again, resulting in infinite redirects (limited by the browser).

What is the purpose of this redirect? When a user is hitting a page while providing valid credentials, they should get that page directly.

I am working off the docker image jupyterhub/jupyterhub:latest

Relevant parts of jupyterhub_config.py:
c.JupyterHub.authenticator_class = 'jwtauthenticator.jwtauthenticator.JSONWebTokenAuthenticator'
c.JSONWebTokenAuthenticator.signing_certificate = '/etc/jupyterhub/certificate.pem'
c.JSONWebTokenAuthenticator.username_claim_field = 'upn' # The claim field containing the username/sAMAccountName/userPrincipalName
c.JSONWebTokenAuthenticator.expected_audience = ''
c.JSONWebLocalTokenAuthenticator.create_system_users = False
c.JSONWebTokenAuthenticator.header_name = 'Authorization' # default value
