Authenticating via REST API

[wudstrand]

Bug description

I am trying to use the hubs REST API from a custom UI and wanted to avoid using an API token and instead use the custom keycloak OAuth authenticator I have setup. Currently the authenticator works when using the provided hub UI, but I cannot figure out how to authenticate with it via the REST API. After combing through the documentation, I've only been able to find information on using API keys to authenticate the REST API.

I have added some links to forum posts I thought might be the right direction, but I am still struggling to find an answer.

• Forward authentication to other services - JupyterHub - Jupyter Community Forum
• Access user defined api by jupyter-server-proxy through curl - JupyterHub - Jupyter Community Forum

Expected behavior

If the API supports this functionality add documentation describing the flow of API calls needed to authenticate through the REST API. If the API doesn't support this, add in support on the REST API to utilize the configured authenticators to authenticate.

Actual behavior

Custom authenticator authenticates users correctly when using the provide hub UI, but all requests to the API via postman receive a 4xx error. The API errors are caused because I am not sure how to authenticate via the REST API.

How to reproduce

I am running jupyterhub via kubernetes and helm following the zero-to-jupyterhub guide. I have outlined the steps below to reproduce my environment and see the bug/issue I am seeing.

values-local.yaml

hub:
  config:
    Authenticator:
      enable_auth_state: true
      auto_login: true 
    GenericOAuthenticator:
      client_id: <keycloak client_id>
      client_secret: <keycloak client_secret>
      oauth_callback_url: http://localhost:80/hub/oauth_callback
      authorize_url: https://<keycloak_uri>/auth/realms/<realm>/protocol/openid-connect/auth
      token_url: https://<keycloak_uri>/auth/realms/<realm>/protocol/openid-connect/token
      userdata_url: https://<keycloak_uri>/auth/realms/<realm>/protocol/openid-connect/userinfo
      login_service: Keycloak
      username_key: sub
      userdata_params:
        state: state
    JupyterHub:
      authenticator_class: generic-oauth 

debug:
  enabled: true

1. Create Namespace

kubectl create namespace jupyterhub

2. Run Helm Chart

helm repo add jupyterhub https://jupyterhub.github.io/helm-chart/
helm repo update
helm upgrade --install jupyterhub jupyterhub/jupyterhub --cleanup-on-fail --namespace jupyterhub --create-namespace --version=2.0.0 --values values-local.yaml

3. Visit http://localhost:80 and sign-in to see the hub UI authentication work.

4. Attempt some of the hub API calls to see 400 error.

Your personal set up
OS: mac OS

[welcome]

Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! 🤗

If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other other community members to contribute more effectively.

You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! 👋

Welcome to the Jupyter community! 🎉

[wudstrand]

Forum Post

[consideRatio]

I'll close this as resolved by my reply in jupyterhub/zero-to-jupyterhub-k8s#2926

[github-actions]

Hi there @wudstrand 👋!

I closed this issue because it was labelled as a support question.

Please help us organize discussion by posting this on the http://discourse.jupyter.org/ forum.

Our goal is to sustain a positive experience for both users and developers. We use GitHub issues for specific discussions related to changing a repository's content, and let the forum be where we can more generally help and inspire each other.

Thanks you for being an active member of our community! ❤️

[wudstrand]

I'll close this as resolved by my reply in jupyterhub/zero-to-jupyterhub-k8s#2926

@consideRatio I am trying to follow your suggested workaround and I am running into some issues. Since I am not running the jupyterhub UI I cannot access the api token page referenced in your link, and without the code from the /hub/api/oauth/authorize endpoint I cannot request an API token via the /hub/api/oauth/token endpoint. So here are my following questions.

• How are you supposed to use the /hub/api/oauth/token endpoint if you cannot generate the code from the /hub/api/oauth/authorize? Is there another way to get that code value?
• Can I configure jupyterhub to allow me to use a token from keycloak to use the API and bypass getting a token from the hub?

[wudstrand]

Related Github Issue

[github-actions]

Hi there @wudstrand 👋!

I closed this issue because it was labelled as a support question.

Please help us organize discussion by posting this on the http://discourse.jupyter.org/ forum.

Our goal is to sustain a positive experience for both users and developers. We use GitHub issues for specific discussions related to changing a repository's content, and let the forum be where we can more generally help and inspire each other.

Thanks you for being an active member of our community! ❤️

[wudstrand]

I ended up using a service to handle api calls and interaction with the jupyterhub and jupyter-server. We are leaving the auth to our company api-gateway.