Add Keycloak OIDC auth config example. #470
Conversation
This seems to be a run-away section that was moved to the end of the doc.
    custom:
      className: oauthenticator.generic.GenericOAuthenticator
      config:
        client_id: "y0urc1logonc1ient1d"
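Review bot: `client_id: "y0urc1logonc1ient1d"` reads like a real credential rather than a placeholder, so a copy-paste of the example fails silently at the identity provider instead of loudly at the config; use the `<YOUR-CLIENT-ID>` form used for other placeholders in this doc, and the same for the secret field that follows it.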
We usually use variable naming like this: <YOUR-VARIABLE-HERE>
...could you do the same for the client_id and secret fields?
Sure, but do you mean host and realm? Because I copied those stub client_id/secret from other sections.
Nah, I just mean client_id: "<YOUR-CLIENT-ID>"
and the same for the secret just beneath.
Gah, actually, never mind. I just realized all of our other examples use this too... just leave it the way it is and we should revise that in a separate PR for the whole page.
doc/source/authentication.rst
To add a whitelist of usernames add to the config file under `auth`:
OpenID Connect endpoint discovery is not supported by oauthentiator,
but you can still configure JupyterHub to authenticate with it.
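Review bot: "oauthentiator" in the second line is misspelled; it should be "oauthenticator". The same sentence would also benefit from a link to the oauthenticator documentation, since without discovery the reader has to supply each OIDC endpoint of the realm by hand and needs to know which config keys take them.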
Could you provide a link out to documentation on how folks could learn more about this authentication option (and/or how to use it)?
Looks great @clkao - I am 👍 but will wait a few hours for others to take a pass, otherwise will merge later on!
Awesome, thanks! Folks reading jupyterhub/oauthenticator#107 can now find a cleaner setup here.
Woo, thanks @clkao!
Does this solution (thanks, @clkao!) presented above and documented here still have this logout issue: jupyterhub/jupyterhub#1805? Please advise.
@ablekh the GitHub auth will have the logout issue, as you are using login as "is this app authorized by me as a user?" rather than "hello GitHub, let me log in now". If you use OIDC auth with Keycloak, you won't have this issue with Keycloak itself, as it will have a logout endpoint available for your use that will destroy all "user is still logged in" state. But you would with GitHub, as the "login" is just "app okay?", so that makes logout need to become "app not okay!" rather than "log out of GitHub", which JHub as an app cannot make you do, I think (as when you give permission to the app to read basic user info, you don't give it permission to log you in and out of GitHub itself). I think it is possible to use a de-authorize endpoint by the app though, if wanting to "log out" from JH using GitHub auth.

Logout aspects are in general quite complicated as compared to login ones. What happens, for example, if you log out from Keycloak but you have JH and other apps already logged in? Will the other already-logged-in apps log out because you logged out on the central spot? No, but they won't be granted access again without login.

Hmmm, I think the example provided needs an update though.
@consideRatio Thank you very much for your clarification. I've just recently started evaluating Keycloak in terms of its integration with our JupyterHub cluster(s), plus I'm not an expert in the authentication domain, so I still have a lot to learn (and try). :-) |
@ablekh you are very welcome! I have struggled a lot with this stuff lately and this question triggered a lot of thoughts that make me feel a piece of the puzzle fell into place. The example above btw does not seem to provide a logout endpoint, so that will cause failure. I want to provide a fresher example.
Oh btw I edited my comment, you were so fast to read the initial one that I failed to edit in time.
@consideRatio Re: edit - will re-read, no worries. :-) Thank you for additional clarifications. I'm very glad that my question helped you, in some way, to aggregate and unify your thoughts on the subject. I look forward to seeing your fresher / better example and other insights. |
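A complete `auth` block for the Helm chart in the placeholder style the reviewers asked for, and with the Keycloak logout endpoint the thread says the merged example lacks. This is an added example, not the PR's own change and not the project's documented configuration. It assumes the Keycloak URL layout of releases that serve under `/auth` (`/auth/realms/<REALM>/protocol/openid-connect/...`), and an oauthenticator release whose `GenericOAuthenticator` exposes `authorize_url`, `token_url`, `userdata_url`, `oauth_callback_url`, `username_key` and `logout_redirect_url` as configurable traits; older releases read the authorize and token URLs from the `OAUTH2_AUTHORIZE_URL` and `OAUTH2_TOKEN_URL` environment variables (settable via `hub.extraEnv`) instead of `config`. All `<YOUR-...>` values are placeholders to be replaced.

```yaml
# Added example (not the PR's own change, not z2jh's documented config).
# Placeholders use the <YOUR-...> convention; replace every one.
# Assumes Keycloak serving under /auth (pre-17 URL layout) and an
# oauthenticator release whose GenericOAuthenticator exposes the
# *_url traits below. Keep the file that holds client_secret out of git.
auth:
  type: custom
  custom:
    className: oauthenticator.generic.GenericOAuthenticator
    config:
      login_service: "Keycloak"
      client_id: "<YOUR-CLIENT-ID>"
      client_secret: "<YOUR-CLIENT-SECRET>"
      # Must be listed as a "Valid Redirect URI" on the Keycloak client.
      oauth_callback_url: "https://<YOUR-HUB-HOST>/hub/oauth_callback"
      # OIDC discovery is not used by oauthenticator, so each endpoint
      # of the realm is spelled out explicitly.
      authorize_url: "https://<YOUR-KEYCLOAK-HOST>/auth/realms/<YOUR-REALM>/protocol/openid-connect/auth"
      token_url: "https://<YOUR-KEYCLOAK-HOST>/auth/realms/<YOUR-REALM>/protocol/openid-connect/token"
      userdata_url: "https://<YOUR-KEYCLOAK-HOST>/auth/realms/<YOUR-REALM>/protocol/openid-connect/userinfo"
      userdata_method: GET
      # Claim in the userinfo response that becomes the JupyterHub username.
      username_key: preferred_username
      # After the hub logout, send the browser to Keycloak's end-session
      # endpoint so the Keycloak SSO session is ended too (the missing
      # piece raised in the thread). Assumes the older redirect_uri
      # parameter; newer Keycloak expects post_logout_redirect_uri
      # together with id_token_hint.
      logout_redirect_url: "https://<YOUR-KEYCLOAK-HOST>/auth/realms/<YOUR-REALM>/protocol/openid-connect/logout?redirect_uri=https://<YOUR-HUB-HOST>/"
```

Two checks worth doing before relying on this: open the `logout_redirect_url` in a browser while signed in to Keycloak and confirm the Keycloak session is gone afterwards (logging out of the hub alone only clears the hub cookie), and confirm that the `client_secret` lives in a values file that is excluded from version control rather than next to the rest of the chart configuration.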
No description provided.