-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Authentication system #5
Comments
Leah needs to ask CS about this info:
OK @betatim i got half of this. i just need the callbackURL to get the other half. Is the callback associated with the domain? I"m guessing it is. |
ok @betatim slowly but surely i'm making progress. they can provide an Id and secret. But they need the following - (i've literally copied the email that i got so as not to confusing anything)
if you sent me that callback info - they can get us the rest! |
Cool. Let's get the domain name sorted, then we will know what the value of |
I think we can ask for the auth system for the first hub using https://hub.earthdatascience.org/earthhub/hub/oauth_callback as the callbackUrl |
@lwasser @betatim
|
@lwasser @betatim I can answer any questions .. |
hey @kevinfoote is this related to the IT request email that i think i just got. I will need @betatim input here ! thank you for your help! |
@lwasser Yep internal [GREQ0172580] 👍 |
@kevinfoote wonderful. thank you so much for finding us on GH! i'm going to let @betatim respond to this suggestion as he is our technical ninja!! |
@lwasser sounds good .. I don't know if he is attached to that internal ticket as well. You might want to forward that infrastructure question along as well. |
@kevinfoote he's not but i did just forward the email to him. THANK YOU very much!! we are pretty excited to get this setup! |
Hi Kevin! I can't see the internal ticket. From the comment above I thought we could have a OAuth based setup. The hub(s) are deployed on Google's cloud and we currently use nginx-ingress to play the role of the reverse proxy. So the proxy doesn't add the REMOTE_USER header. As I don't know anything about the IT setup at CU could you point me at a guide for what kind of authentication systems/options there are? |
Just to make sure we are all talking about the same thing when we use the same words :) |
Makes perfect sense.. We do have another nginx integration that gets lots of use. They based their ingress r-proxy off of this build shibboleth-nginx Not sure if you all can make use of this. |
I will investigate the docker container. Will have to do a bit of thinking and poking around tomorrow. Is posting here a good way to reach you? |
Sure .. that works. @lwasser should be looped in here also so thats good. |
hey @kevinfoote i'll circle back with @betatim there are a few technical details here that i don't fully understand enough to be able to respond. tim and I are going to try to connect early next week to chat a bit more and then we will get back to you! thank you for the ping!! |
For now we will use a Google OAuth application where people can auth with their colorado.edu account. When the user returns to the hub we check that their identity ends in This is the oauthenticator: https://github.com/jupyterhub/oauthenticator/blob/master/oauthenticator/google.py To do Shibboleth properly there is https://github.com/gesiscss/orc/tree/master/nginx_shibboleth which is in use at an institute in Germany together with a JupyterHub deployed using kubernetes. It is significantly more complex to setup, so I'd keep it in our back pocket for when we need it but see how far we can go with the OAuth setup. |
@betatim I'm not sure of your complexity comment above but, you are putting an nginx node ahead of your stuff anyway. The SAML stuff is not hard that is why we (OIT-IAM) are here. As far as I can tell ... while OAuth via the colorado.edu google realm is do able ymmv as to its future availability. I'm leaning toward the ORC deploy model.. |
Connect to Google cloud auth.
The config details we need are listed here: https://zero-to-jupyterhub.readthedocs.io/en/latest/authentication.html#google
The text was updated successfully, but these errors were encountered: