Using a nifty new DNS entry, instead of an IP address #542
Comments
|
@arokem - Does your secret yaml look something like: jupyterhub:
proxy:
secretToken: <SECRET>
auth:
type: github
github:
clientId: "<SECRET>"
clientSecret: <SECRET>
callbackUrl: "http://learning2learn.pangeo.io/hub/oauth_callback" |
|
This is what I have right now, but I've also tried with callbackURL set as
you have it:
```yaml
jupyterhub:
proxy:
secretToken: "XXX"
# comment this out if not using github authentication
auth:
type: github
github:
clientId: "XXX"
clientSecret: "XXX"
callbackUrl: "http://123.456.789.10/hub/oauth_callback"
org_whitelist:
- "learning-2-learn"
scopes:
- "read:user"
admin:
access: true
users:
- arokem
- jhamman
```
…On Wed, Jan 30, 2019 at 9:48 AM Joe Hamman ***@***.***> wrote:
@arokem <https://github.com/arokem> - Does your secret yaml look
something like:
jupyterhub:
proxy:
secretToken: <SECRET>
auth:
type: github
github:
clientId: "<SECRET>"
clientSecret: <SECRET>
callbackUrl: "http://learning2learn.pangeo.io/hub/oauth_callback"
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#542 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAHPNgmdCn8l2WHYGPZfow_OxBvhQkb7ks5vIdrpgaJpZM4aaqnY>
.
|
|
I think you need to change the callbackUrl to what I have above and make sure you've set the Github Oauth callback to points to the hub. |
|
Just to make sure that I understand correctly: this means changing both of
the places in GitHub where the IP address is currently entered?
When I do that I get a "403: Forbidden"
…On Wed, Jan 30, 2019 at 9:56 AM Joe Hamman ***@***.***> wrote:
I think you need to change the callbackUrl to what I have above and make
sure you've set the Github Oauth callback to points to the hub.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#542 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAHPNltEYxxUvHBtXbrEBofPIFd2OtAeks5vIdzMgaJpZM4aaqnY>
.
|
|
|
|
Yes, that's right. Not sure why you are getting the forbidden response. |
|
Interestingly, if I replace the URL with the IP address, the thing just
happily starts up my server and logs me in.
Should I also change the loadBalancerIP in the jupyter_config? If I try to
put `learning2learn.pangeo.io` in there I still get the 403 message, but
now I can't get in there even if I enter the IP address.
…On Wed, Jan 30, 2019 at 10:04 AM Joe Hamman ***@***.***> wrote:
Yes, that's right. Not sure why you are getting the forbidden response.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#542 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAHPNtfA4XZ3-O0I1oitI0WLz-MawJpGks5vId61gaJpZM4aaqnY>
.
|
|
In case it's useful, here's the |
|
Thanks for sharing!
Interesting - why do you have `read:org` set for the scope?
When I change the scope from `read:user` to `read:org` Github asks me for
further authorization, but I still run into the 403 error at the end of it
all.
…On Wed, Jan 30, 2019 at 10:15 AM Rich Signell ***@***.***> wrote:
In case it's useful, here's our config for pangeo.esipfed.org, where we
whitelist access by github organization:
auth:
admin:
access: true
users:
- jreadey
- rsignell-usgs
type: github
github:
clientId: "SECRET"
clientSecret: "SECRET"
callbackUrl: "http://pangeo.esipfed.org/hub/oauth_callback"
org_whitelist:
- "HDFGroup"
- "pangeo-data"
- "ESIPFed"
- "USGS-CMG"
- "cdi-workshops"
scopes:
- "read:org"
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#542 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAHPNtaWlf7pKHGPHOtl4fgb2WEvTwWYks5vIeErgaJpZM4aaqnY>
.
|
|
Hmm, can't remember. There is some discussion here: |
|
The following seems to work: I created a new GitHub app that is now owned by the organization for which I am doing authentication (https://github.com/learning-2-learn) and then set the |
|
One more thing: it seems that members of the org have to change their membership from private (the default) to public. And they have to do that themselves -- you can't do it for them. |
|
@arokem, to avoid putting this requirement on users, in the github settings for the org, you can change the "third party access" setting to "no restrictions", like this: |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
My neuro-themed Pangeo is up and running! This instance is going to be accessible to a relatively small group of researchers that I collaborate with directly. They are all going to be members of a GitHub org, so I would like to use GitHub OAuth for authentication. This seems to work.
Now @jhamman gave me the nifty DNS entry
learning2learn.pangeo.ioto use, but I can't quite make GitHub authentication work. There are 4 places where the IP address appears: twice in the GitHub app page, once in the jupyter_config.yaml file (underproxy: service: leadBalancerIP) and once in the secret_config.yaml file (underauth: github: callbackUrl).Which of these do I need to change? Do I need to change anything on the GCP side, related to the IP address?
Thiis might also be a bit tricky to debug because my GitHub user name is under both the GitHub org that I am using for authentication, as well as explicitly entered into an
adminblock of the authentication block of the secret_config.yaml.The text was updated successfully, but these errors were encountered: