Name: oauthenticator
Owner: Data Science 8
Description: OAuth + JupyterHub Authenticator = OAuthenticator
Forked from: jupyterhub/oauthenticator
Created: 2017-03-14 00:24:28.0
Updated: 2017-03-14 00:24:30.0
Pushed: 2017-05-02 13:31:24.0
Size: 144
Language: Python
GitHub Committers
User | Most Recent Commit | # Commits |
---|
Other Committers
User | Most Recent Commit | # Commits |
---|
OAuth + JupyterHub Authenticator = OAuthenticator
For an example docker image using OAuthenticator, see the example directory.
There is another example for using GitHub OAuth to spawn each user's server in a separate docker container.
Install with pip:
pip3 install oauthenticator
Or clone the repo and do a dev install:
git clone https://github.com/jupyterhub/oauthenticator.git
cd oauthenticator
pip3 install -e .
First, you'll need to create a GitHub OAuth application. Make sure the callback URL is:
http[s]://[your-host]/hub/oauth_callback
Where [your-host]
is where your server will be running. Such as
example.com:8000
.
Then, add the following to your jupyterhub_config.py
file:
c.JupyterHub.authenticator_class = 'oauthenticator.GitHubOAuthenticator'
(you can also use LocalGitHubOAuthenticator
to handle both local and GitHub
auth).
You will additionally need to specify the OAuth callback URL, the client ID, and
the client secret (you should have gotten these when you created your OAuth app
on GitHub). For example, if these values are in the environment variables
$OAUTH_CALLBACK_URL
, $GITHUB_CLIENT_ID
and $GITHUB_CLIENT_SECRET
, you
should add the following to your jupyterhub_config.py
:
c.GitHubOAuthenticator.oauth_callback_url = os.environ['OAUTH_CALLBACK_URL']
c.GitHubOAuthenticator.client_id = os.environ['GITHUB_CLIENT_ID']
c.GitHubOAuthenticator.client_secret = os.environ['GITHUB_CLIENT_SECRET']
You can use your own Github Enterprise instance by setting the GITHUB_HOST
environment
flag.
First, you'll need to create a GitLab OAuth application. Make sure the callback URL is:
http[s]://[your-host]/hub/oauth_callback
Where [your-host]
is where your server will be running. Such as
example.com:8000
.
Then, add the following to your jupyterhub_config.py
file:
c.JupyterHub.authenticator_class = 'oauthenticator.gitlab.GitLabOAuthenticator'
(you can also use LocalGitLabOAuthenticator
to handle both local and GitLab
auth).
You will additionally need to specify the OAuth callback URL, the client ID, and
the client secret (you should have gotten these when you created your OAuth app
on GitLab). For example, if these values are in the environment variables
$OAUTH_CALLBACK_URL
, $GITLAB_CLIENT_ID
and $GITLAB_CLIENT_SECRET
, you
should add the following to your jupyterhub_config.py
:
c.GitLabOAuthenticator.oauth_callback_url = os.environ['OAUTH_CALLBACK_URL']
c.GitLabOAuthenticator.client_id = os.environ['GITLAB_CLIENT_ID']
c.GitLabOAuthenticator.client_secret = os.environ['GITLAB_CLIENT_SECRET']
You can use your own GitLab CE/EE instance by setting the GITLAB_HOST
environment
flag.
Visit https://console.developers.google.com to set up an OAuth client ID and secret. See Google's documentation on how to create OAUth 2.0 client credentials. The Authorized JavaScript origins
should be set to to your hub's public address while Authorized redirect URIs
should be set to the same but followed by /hub/oauth_callback
.
Set the generated client ID and secret in your jupyterhub_config
:
c.GoogleOAuthenticator.client_id = os.environ['OAUTH_CLIENT_ID']
c.GoogleOAuthenticator.client_secret = os.environ['OAUTH_CLIENT_SECRET']
c.GoogleOAuthenticator.oauth_callback_url = os.environ['OAUTH_CALLBACK_URL']
For a Google Apps domain you can set:
c.GoogleOAuthenticator.hosted_domain = 'mycollege.edu'
c.GoogleOAuthenticator.login_service = 'My College'
In case you have an OpenShift deployment with OAuth properly configured (see the
following sections for a quick reference), you should set the client ID and
secret by the environment variables OAUTH_CLIENT_ID
, OAUTH_CLIENT_SECRET
and
OAUTH_CALLBACK_URL
. The OpenShift API URL can be specified by setting the
variable OPENSHIFT_URL
.
The OAUTH_CALLBACK_URL
should match http[s]://[your-app-route]/hub/oauth_callback
As a cluster admin, you can create a global OAuth client in your OpenShift cluster creating a new OAuthClient object using the API:
create -f - <<EOF
ersion: v1
: OAuthClient
data:
me: <OAUTH_CLIENT_ID>
rectURIs:
UAUTH_CALLBACK_URL>
et: <OAUTH_SECRET>
As a project member, you can use the Service Accounts as OAuth Clients scenario. This gives you the possibility of defining clients associated with service accounts. You just need to create the service account with the proper annotations:
create -f - <<EOF
ersion: v1
: ServiceAccount
data:
me: <name>
notations:
serviceaccounts.openshift.io/oauth-redirecturi.1: '<OUAUTH_CALLBACK_URL>'
In this scenario your OAUTH_CLIENT_ID
will be system:serviceaccount:<serviceaccount_namespace>:<serviceaccount_name>
,
the OAUTH_CLIENT_SECRET is the API token of the service account (oc sa get-token <serviceaccount_name>
)
and the OAUTH_CALLBACK_URL is the value of the annotation serviceaccounts.openshift.io/oauth-redirecturi.1
.
More details can be found in the upstream documentation.
Okpy is an auto-grading tool that
is widely used in UC Berkeley EECS and Data Science courses. This authenticator
enhances its support for Jupyter Notebook by enabling students to authenticate with
the Hub first and saving relevant user states
to the env
(the feature is redacted until a secure state saving mechanism is developed).
If you want to authenticate your Hub using OkpyAuthenticator, you need to specify
the authenticator class in your jupyterhub_config.py
file:
pyterHub.authenticator_class = 'oauthenticator.okpy.OkpyOAuthenticator'
You also need to configure the following parameters:
pyOAuthenticator.client_id = #client_id recognized by Okpy
pyOAuthenticator.client_secret = #the associated client secret
pyOAuthenticator.oauth_callback_url = #callback url to the Hub