Add keycloak odic auth config example. #470

Merged
merged 4 commits into from
Feb 1, 2018
34 changes: 28 additions & 6 deletions doc/source/authentication.rst
@@ -83,16 +83,38 @@ tape archive, public cloud, or your own laptop. Start a Globus app
callbackUrl: "https://<your_jupyterhub_host>/hub/oauth_callback"
identityProvider: "youruniversity.edu"

OpenID Connect
^^^^^^^^^^^^^^

To add a whitelist of usernames add to the config file under `auth`:
`OpenID Connect <https://openid.net/connect>`_ is an identity layer on top of the
OAuth 2.0 protocol, implemented by
`various servers and services <https://openid.net/developers/certified/#OPServices>`_.
While OpenID Connect endpoint discovery is not supported by oauthentiator,
you can still configure JupyterHub to authenticate with OpenID Connect providers
by specifying all endpoints in GenericOAuthenticator.

Here's an example for authenticating against `keycloak <http://www.keycloak.org/docs/3.4/securing_apps/index.html#endpoints>`_,
after you `configure an OIDC Client <http://www.keycloak.org/docs/3.4/server_admin/index.html#oidc-clients>`_
and obtain the confidential client credentials.

.. code-block:: yaml

auth:
whitelist:
users:
- user1
- user2
hub:
extraEnv:
OAUTH2_AUTHORIZE_URL: https://${host}/auth/realms/${realm}/protocol/openid-connect/auth
OAUTH2_TOKEN_URL: https://${host}/auth/realms/${realm}/protocol/openid-connect/token
auth:
type: custom
custom:
className: oauthenticator.generic.GenericOAuthenticator
config:
client_id: "y0urc1logonc1ient1d"
Member
we usually use variable-naming like this <YOUR-VARIABLE-HERE>...could you do the same for the client_id and secret fields?

Contributor Author
Sure, but do you mean host and realm? Because I copied those stub client_id/secret from other sections.

Member
nah I just mean client_id: "<YOUR-CLIENT-ID>" and the same for the secret just beneath

Member
gah, actually, never mind. I just realized all of our other examples use this too... just leave it the way it is and we should revise that in a separate PR for the whole page

client_secret: "an0ther1ongs3cretstr1ng"
token_url: https://${host}/auth/realms/${realm}/protocol/openid-connect/token
userdata_url: https://${host}/auth/realms/${realm}/protocol/openid-connect/userinfo
userdata_method: GET
userdata_params: {'state': 'state'}
username_key: preferred_username

Full Example of Google OAuth2
-----------------------------
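
Review bot: `oauthentiator` in the sentence "While OpenID Connect endpoint discovery is not supported by oauthentiator" is a typo for `oauthenticator`, and since that is the package name readers will search for, it should be fixed in this hunk. Two smaller points in the same hunk: the Keycloak token endpoint is listed twice, once as `OAUTH2_TOKEN_URL` under `hub.extraEnv` and again as `token_url` under `auth.custom.config`, so a short sentence on which one GenericOAuthenticator actually reads (or dropping the duplicate) would keep the example minimal; and the hunk deletes the `auth.whitelist.users` example together with its introductory sentence "To add a whitelist of usernames add to the config file under `auth`:" without a replacement, so please confirm that username whitelisting is still documented elsewhere on the page or keep that block.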