Authentication system

[betatim]

Connect to Google cloud auth.

The config details we need are listed here: https://zero-to-jupyterhub.readthedocs.io/en/latest/authentication.html#google

[lwasser]

Leah needs to ask CS about this info:

auth:
  type: google
  google:
    clientId: "yourlongclientidstring.apps.googleusercontent.com"
    clientSecret: "adifferentlongstring"
    callbackUrl: "http://<your_jupyterhub_host>/hub/oauth_callback" <- we define this
    hostedDomain: "colorado.edu"
    loginService: "University of Colorado Boulder"

OK @betatim i got half of this. i just need the callbackURL to get the other half. Is the callback associated with the domain? I"m guessing it is.

[lwasser]

ok @betatim slowly but surely i'm making progress. they can provide an Id and secret. But they need the following - (i've literally copied the email that i got so as not to confusing anything)

We can create a client ID and Secret, but will first need the following information from the jupyterhub_conf.py file . 
 
c.LocalGoogleOAuthenticator.oauth_callback_url

if you sent me that callback info - they can get us the rest!

[betatim]

Cool. Let's get the domain name sorted, then we will know what the value of c.LocalGoogleOAuthenticator.oauth_callback_url will be.

[betatim]

I think we can ask for the auth system for the first hub using https://hub.earthdatascience.org/earthhub/hub/oauth_callback as the callbackUrl

[kevinfoote]

@lwasser @betatim
For CU does the Jupyter hub / stack make use of SAML (via omniauth-saml something maybe?)
This is how we should do this from the CU-IAM standpoint..

Just realized this was PY rather than Ruby.. :)

[kevinfoote]

@lwasser @betatim
Recommending you all pursuing REMOTE_USER via jhub_remote_user_authenticator
see ... authenticators

I can answer any questions ..

[lwasser]

hey @kevinfoote is this related to the IT request email that i think i just got. I will need @betatim input here ! thank you for your help!

[kevinfoote]

@lwasser Yep internal [GREQ0172580] 👍

[lwasser]

@kevinfoote wonderful. thank you so much for finding us on GH! i'm going to let @betatim respond to this suggestion as he is our technical ninja!!

[kevinfoote]

@lwasser sounds good .. I don't know if he is attached to that internal ticket as well. You might want to forward that infrastructure question along as well.

[lwasser]

@kevinfoote he's not but i did just forward the email to him. THANK YOU very much!! we are pretty excited to get this setup!

[betatim]

Hi Kevin! I can't see the internal ticket.

From the comment above I thought we could have a OAuth based setup.

The hub(s) are deployed on Google's cloud and we currently use nginx-ingress to play the role of the reverse proxy. So the proxy doesn't add the REMOTE_USER header.

As I don't know anything about the IT setup at CU could you point me at a guide for what kind of authentication systems/options there are?

[betatim]

Just to make sure we are all talking about the same thing when we use the same words :)

[kevinfoote]

Makes perfect sense..
I was hoping for an Apache r-proxy :( (makes things simple)
At CUBoulder we push people to use our SAML IdP.. we are not quite there yet with OAuth delivered from the IdP unfortunately.

We do have another nginx integration that gets lots of use. They based their ingress r-proxy off of this build shibboleth-nginx

Not sure if you all can make use of this.
Again I'm happy to help here .. just let me know

[betatim]

I will investigate the docker container.

Will have to do a bit of thinking and poking around tomorrow. Is posting here a good way to reach you?

[kevinfoote]

Sure .. that works. @lwasser should be looped in here also so thats good.

[kevinfoote]

@lwasser @betatim quick checkin to see if any progress. here to help

[lwasser]

hey @kevinfoote i'll circle back with @betatim there are a few technical details here that i don't fully understand enough to be able to respond. tim and I are going to try to connect early next week to chat a bit more and then we will get back to you! thank you for the ping!!

[betatim]

For now we will use a Google OAuth application where people can auth with their colorado.edu account. When the user returns to the hub we check that their identity ends in @colorado.edu to stop people from other domains.

This is the oauthenticator: https://github.com/jupyterhub/oauthenticator/blob/master/oauthenticator/google.py

---

To do Shibboleth properly there is https://github.com/gesiscss/orc/tree/master/nginx_shibboleth which is in use at an institute in Germany together with a JupyterHub deployed using kubernetes. It is significantly more complex to setup, so I'd keep it in our back pocket for when we need it but see how far we can go with the OAuth setup.

[kevinfoote]

@betatim I'm not sure of your complexity comment above but, you are putting an nginx node ahead of your stuff anyway. The SAML stuff is not hard that is why we (OIT-IAM) are here.

As far as I can tell ... while OAuth via the colorado.edu google realm is do able ymmv as to its future availability.

I'm leaning toward the ORC deploy model..