OpenShift support will break with OpenShift 4.0. #252

Closed
GrahamDumpleton opened this issue Mar 22, 2019 · 5 comments

@GrahamDumpleton
Contributor

The current code in openshift.py uses:

        req = HTTPRequest("%s/oapi/v1/users/~" % OPENSHIFT_URL,
                          method="GET",
                          validate_cert=False,
                          headers=headers)

The oapi path is old and was only being retained for backward compatibility with older versions.

Looks like from OpenShift 4.0 you must use the newer namespaces REST API endpoint.

        /apis/user.openshift.io/v1/users/~

I'll see if there is a way that which one should be used can be auto-detected, or switch it to the new one but make it configurable if anyone really needs it to work with the much older OpenShift versions.

@GrahamDumpleton
Contributor Author

Actually, it is more than just this issue.

In the past the Kubernetes REST API endpoints have been available on the same hostname as the OAuth REST API endpoints. This is no longer the case.

So the code uses the OPENSHIFT_URL environment variable as the OAuth endpoint, but uses the same for the Kubernetes REST API call, which results in 404 Not Found for the REST API endpoint.

There are a couple of options to consider.

  1. Use the KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT environment variables for constructing the Kubernetes REST API URL. Allow this to be overridden with the OPENSHIFT_REST_API_URL environment variable.

  2. Have OPENSHIFT_URL actually be used to reference the Kubernetes REST API endpoint and make a query against the path /.well-known/oauth-authorization-server to get the OAuth server metadata. Use the issuer field from that to determine the actual OAuth server URL. The URL given by OPENSHIFT_URL would then be used to look up the user's information. Could allow this lookup to be avoided by setting the environment variable OPENSHIFT_AUTH_API_URL manually. For consistency, perhaps deprecate OPENSHIFT_URL (but still accept it), and going forward require OPENSHIFT_REST_API_URL so the name clearly indicates the purpose.

Option (1) could actually be used if OPENSHIFT_URL is not set, so combined with option (2).

As prior to OpenShift 4.0, OAuth and Kubernetes REST API were one and the same, option (2) above should still work there. Either way, anyone using this with OpenShift 4.0 is going to have to make a change.
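
Added example, not part of the issue thread or the project's code: one way options (1) and (2) from the comment above could be combined, using the environment variable names proposed there. The function names, the use of the in-cluster service account CA bundle for certificate verification, and the https check on the discovered issuer are assumptions made for this sketch.

```python
import json
import ssl
import urllib.request
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/oauth-authorization-server"
USER_PATH = "/apis/user.openshift.io/v1/users/~"
# Assumption: running in a pod, so the standard service account CA bundle is
# mounted and can be trusted instead of disabling certificate validation.
SA_CA = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"


def rest_api_url(env):
    """Explicit override first, then the deprecated OPENSHIFT_URL, then the
    in-cluster KUBERNETES_SERVICE_* variables (option 1 as the fallback)."""
    url = env.get("OPENSHIFT_REST_API_URL") or env.get("OPENSHIFT_URL")
    if not url:
        host = env["KUBERNETES_SERVICE_HOST"]
        port = env["KUBERNETES_SERVICE_PORT"]
        if ":" in host:  # bracket an IPv6 literal
            host = "[%s]" % host
        url = "https://%s:%s" % (host, port)
    return url.rstrip("/")


def fetch_json(url, cafile=SA_CA):
    """GET a JSON document with certificate verification left on."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return json.load(resp)


def auth_api_url(env, fetch=fetch_json):
    """OPENSHIFT_AUTH_API_URL skips the lookup; otherwise read the issuer
    field of the OAuth server metadata served by the REST API (option 2)."""
    url = env.get("OPENSHIFT_AUTH_API_URL")
    if not url:
        url = fetch(rest_api_url(env) + WELL_KNOWN)["issuer"]
    parts = urlsplit(url)
    # Users are redirected here to log in, so refuse anything but https.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("OAuth server URL must be an https URL: %r" % url)
    return url.rstrip("/")


def user_info_url(env):
    """Namespaced user endpoint that replaces the old /oapi/v1/users/~ path."""
    return rest_api_url(env) + USER_PATH
```

The `fetch` parameter exists so the metadata lookup can be stubbed out in tests.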

@vpavlin
Contributor

vpavlin commented Apr 24, 2019

I have worked around this in my fork for now, but it would be great if this could get some attention. Or at least a hint on the preferred way of fixing and I am happy to look into providing a PR.

@GrahamDumpleton
Contributor Author

@cben

cben commented May 19, 2019

xref openshift/origin#21782

FWIW, if you have questions how far back some API groups existed and what they looked like, https://github.com/cben/kubernetes-discovery-samples might help (I'll try to add openshift 4.0 there soon)

@manics
Member

manics commented Oct 13, 2020

#257 was merged

@manics manics closed this as completed Oct 13, 2020