Decide how to Authenticate Users of the Turing BinderHub #290
Comments
I think the GitHub organisation member check is good enough for an initial MVP. It sounds like we stand a decent chance of getting this working for the Build a BinderHub workshop, which is not possible for the Azure Active Directory option. I vote yes for GitHub membership check. |
If we get it working in time for the workshop, can we make creation of a GitHub organisation to use for membership control part of the demo? Not all attendees will have an existing GitHub org and it would be great to let people spin up all the required pieces from scratch to demo this "back at the ranch". |
I think both GitHub organisation and Active Directory authentication and membership restrictions are valuable contributions to make easy to set up, so let's not lose the one we don't pick for the MVP. Let's spin out an issue for both once we pick. |
I can absolutely try. But I have just broken it... 😞 |
Anything I can help with? |
Not sure yet. I didn't get the webpage redirection I was expecting after I added the |
I would like to get this working with HTTPS connection as well. |
If we want to really control who we allow to access the BinderHub, we could change This is potentially overkill, but just documenting that it's an option. |
Updated
Experiments:
|
Useful commands for accessing the JupyterHub logs:
Output of JupyterHub logs for a failed authentication using
|
On the advice of the Binder team, tried switching People who accessed the binder page after the app was granted access by the alan-turing-institute organisation were me, @LouiseABowler and @KirstieJane. Whereas @r-j-arnold was denied access. So it seems that the filtering of membership is working as expected. I think further exploration is required into exactly what permissions are being granted here. The approval email from
What does organization resources mean here? The authorisation step from my end read:
Documentation for GitHub OAuth scopes here. |
Doing some digging on the GitHub users API, I feel we should be able to read a user's org memberships using |
Tried to write an access token to my GitHub user account using the following:
Result:
|
These two discussions on GitHub org scopes might be helpful: |
Test run with @nbarlowATI: What are the downsides of asking users who wish to use the BinderHub to have their membership be public? What reasons would they not want their membership to be public? (I feel like there are good ones, they're just not coming to me.) The token, once granted to the user, remains so long as neither the user revokes the access of the app nor the owner of the app revokes all user access tokens (i.e. forcing the authentication flow again). So a user would only need to have their membership be public the first time they log on to the BinderHub, and it could be reverted afterwards. |
I did this with a publicly accessible jupyterhub, the biggest problem was ensuring people could find the relevant setting to switch to public, it's not very intuitive: https://help.github.com/en/articles/publicizing-or-hiding-organization-membership |
Yes, it is awkward to find. I'm just struggling to find a reasonable middle-ground between "read:user" not working for private memberships and the private/Third party access requirements for "read:org". |
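Added example (not code from this issue or from the JupyterHub/BinderHub projects): a small audit helper for the two questions raised above, namely which scopes a granted token actually carries and what a membership check with that token can see. It relies on GitHub's `X-OAuth-Scopes` response header and the `GET /orgs/{org}/members/{username}` endpoint; the function names and sample header values are hypothetical.

```python
import urllib.error
import urllib.request

API = "https://api.github.com"
# GitHub OAuth scope hierarchy (org and user families only): parent -> implied scopes.
IMPLIES = {
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
    "user": {"read:user", "user:email", "user:follow"},
}

def parse_scopes(header):
    """Split an X-OAuth-Scopes header value ("read:org, user:email") into a set."""
    return {s.strip() for s in (header or "").split(",") if s.strip()}

def audit_scopes(header, needed="read:org"):
    """Report whether the token holds `needed` and every other scope it carries."""
    granted = parse_scopes(header)
    effective = set(granted)
    for scope in granted:
        effective |= IMPLIES.get(scope, set())
    return {"can_see_private_membership": needed in effective,
            "excess": sorted(effective - {needed})}

def membership_verdict(status):
    """Interpret the status code of GET /orgs/{org}/members/{username}."""
    return {
        204: "member",
        302: "requester not treated as org member; only public membership is checkable",
        404: "not a member as far as this requester can see",
    }.get(status, f"unexpected status {status}")

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 302 instead of following it

def probe(token, org, username):
    """Live check (needs network): returns (status, X-OAuth-Scopes header)."""
    req = urllib.request.Request(
        f"{API}/orgs/{org}/members/{username}",
        headers={"Authorization": f"token {token}", "User-Agent": "scope-audit"},
    )
    try:
        with urllib.request.build_opener(_NoRedirect).open(req) as resp:
            return resp.status, resp.headers.get("X-OAuth-Scopes")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("X-OAuth-Scopes")

if __name__ == "__main__":
    # Constructed header values, not captured from the deployment in this issue.
    for header in ("read:user", "read:org", "admin:org, user"):
        print(header, "->", audit_scopes(header))
```

Any non-empty `excess` list is a scope the hub's OAuth app holds beyond what the membership check needs.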
(I haven't read this whole issue, I'm just swinging by in the middle of a slack meeting to say that I think having public membership is a fine price to pay for accessing Hub23!) |
This is interesting jupyterhub/zero-to-jupyterhub-k8s#886 |
|
Plan is to transform the current Turing BinderHub into a JupyterHub, since that is probably more useful to a research community than a BinderHub, and it will use Azure Active Directory authentication so auth will be provided via a turing.ac.uk account, rather than relying on the GitHub org membership model which has dodgy permission scopes. |
Summary
Decide on the most appropriate method of authenticating users of the Turing BinderHub.
Currently have GitHub authentication working with the following config:
Adapted from these docs:
And with the addition of the following config, GitHub users would need to be a member of the Alan Turing Institute organisation on GitHub to gain access (not tested yet). Adapted from here: https://zero-to-jupyterhub.readthedocs.io/en/latest/authentication.html#giving-access-to-organizations-on-github
This would allow any member of the Turing GitHub organisation to access the BinderHub and launch any public repo.
However, there is also the option to authenticate using Active Directory, see the following link:
What needs to be done?
Who can help?
Updates
07/03/2019 - Successfully got organisational authentication for BinderHub working using auth: scopes: read:org. Some reading to convince ourselves this is only accessing organisation/team memberships is required. Docs here.