Setup earthscope production credentials too

config/clusters/earthscope/enc-prod.secret.values.yaml

@@ -2,6 +2,9 @@ basehub:
     jupyterhub:
         hub:
             config:
+                Auth0OAuthenticator:
+                    client_id: ENC[AES256_GCM,data:DwOUn4AFZyJrPv2gw3SvArLXNrEOQgoWJPYLpJSQetE=,iv:HFevqec5FROZQkAfCnkoVZacFhVsRB2Fym82XHDzFBw=,tag:O9it7h27UX7a89sExeXs9A==,type:str]
+                    client_secret: ENC[AES256_GCM,data:fQdBLKrl9OG1zB9wX0+j10K+1+rgSTz1/v/tVOcV8ZZcXM8FCs9EKR2nhvfrMHL3nX59NMUeI64Jb9EG16mE5g==,iv:JfSBDbzia4xNSWPmW3Cde8RqUg78l6t34yviXx54VXU=,tag:9ID3wzmWvZa1hbfsT2rTyw==,type:str]
                 CILogonOAuthenticator:
                     client_id: ENC[AES256_GCM,data:1C0ercYZjjc63vTPPcVa7B0Y1bnuawg854Yf3Kl4UnJ0gYuqem+zuv1lQfOzU8zKXy5L,iv:2IZjb7WzomJg8I9uDDXINjULJPXUBfJCldMOxH+B8tA=,tag:Dv1xaVkDCpI7/GLuGv6GzA==,type:str]
                     client_secret: ENC[AES256_GCM,data:2mGbTTnKcVZp57ZX2Tj2o+j2y0NfABPtTiV6sw3oWlR/t7w4fiFkSK9cyArnJwQfRjWc6M6NNB50A3zWZrKaoPLRj8Afiq8pFTjtRZnZGe5g4h2mXYg=,iv:xmJEHc2V0aG1KEh2eAPj80tZoNzFnBz42QdCSmzO2mc=,tag:+48SuYVdlJCizaYVMn9hrA==,type:str]
@@ -14,8 +17,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-12-14T18:24:34Z"
-    mac: ENC[AES256_GCM,data:0Kde6XE/A7k9CwhxQFsa3I61ohr9WN7AO2haWkFETpDG+jXtU5MYkrScbwnlayLa0vM6vk2OfUxR6LrB9jPcxTx8+n2Pqx6kPTzgr8a8ORhG4xc6Lqj0a1KyDMdnGi5beqoXSxolPyd1mnSTAFAVIGwle37Gg0fIr0VFii9lsfQ=,iv:gPVYPvyTEriA9sxbmtMRo611b5dB5idYa0J+DtEYcaY=,tag:RNOItHNKtUGZ/UgfT1Ea2Q==,type:str]
+    lastmodified: "2024-01-24T22:53:57Z"
+    mac: ENC[AES256_GCM,data:MgnyRZmQryZqw+0gy3yUp3syuIYsWi3vvkOQrjW4jkk3/ZfIjWyo81cnO3Jgxr2pAADAbqX4qKITpBuWpX05lEDhv3kg3L6DAhnY0iExuDSWHGYJ04856pADGtuHIFIYmQxG46u+RfpTljVZK4cHAY4OVUraHVbKVxg/iP5pkpU=,iv:XF43toaqgiGjUh0W3HG0Iq2Y10paP24BGnPk9HomLKk=,tag:bsp93INUlVt1WJA4h7uVLw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1

config/clusters/earthscope/enc-staging.secret.values.yaml

@@ -3,7 +3,6 @@ basehub:
         hub:
             config:
                 Auth0OAuthenticator:
-                    auth0_domain: ENC[AES256_GCM,data:QIf7pJ+PuhRcLGmiJBrxbe101fgJHGfO,iv:uxvwv+jsi4hdJoq8G/C6hup7+HmqxTvgbLvrr6GcB68=,tag:CsvbXofKbCdtZGKDND5ZeQ==,type:str]
                     client_id: ENC[AES256_GCM,data:zAZAcTnDoYXd6+HEHyCTAZcWDfFb4MVGaHguf+l80jc=,iv:aQidh2IJMcMcEPBCyB7I94of0ywyvNNc4R/9jrTh/Xo=,tag:EN3jpNVKALN4L5mBw21Ptg==,type:str]
                     client_secret: ENC[AES256_GCM,data:glfuw+S6w1n8hNOvYlEPvTVU6yfAePNt1/zzz8ttrW8eTro5o05dKLeUgULp75/tk5BbVoYkjt3VsruVWq5nWg==,iv:GtB9642/chhguJaLsvI/It1kGWH/VZ5J/ubdbu5GzvY=,tag:Ym62f23AnqPDEFTDC9RwAA==,type:str]
                 CILogonOAuthenticator:
@@ -18,8 +17,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2024-01-18T22:56:16Z"
-    mac: ENC[AES256_GCM,data:RTdv7Ry6i7GNQJsKiNSIj8lFbFAPPk4cypVnPsrR8wT8CFN4kDxINw6u5XTbMeWtijoRSuZGSaFvjQZn/9jcHhyXipA3FNXpzvJRKMluGYDiBermpchwsFZiD2QC/OdPJwBDgMnYXRJ8aau4O4ccR1y4hGaeZSyoiACUnVlJRh4=,iv:/XngY8fbnCJ9Uu68V0u7vyitzGpNa0jaguvdrvZQlCA=,tag:hWoFsNuoQgwMiOtDgF49wg==,type:str]
+    lastmodified: "2024-01-24T23:03:04Z"
+    mac: ENC[AES256_GCM,data:ZPZmbQLCeuK1C7FR8USNXtJiE8xV6esOt4tcqSRuwe73HxAyogAstYBqDz5rlsi5qf68ew6dLkhX17oiJxABTCi4PpNMMktuVGe10OrlAEgZm4cRc3H4MfdMEfS/2I7V0PcItJINqte0EGQbYqRYgkz5XCA4+0k8075uIqypoug=,iv:uzeiyu9hP6mo7YphNJU/AZOquKU055IxznWiDXrETrA=,tag:qwDi7EleXQaYHagsXS7jzA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1

config/clusters/earthscope/prod.values.yaml

@@ -12,5 +12,10 @@ basehub:
             name: "EarthScope"
     hub:
       config:
+        Auth0OAuthenticator:
+          auth0_domain: login-dev.earthscope.org
+          extra_authorize_params:
+            # This isn't an actual URL, just a string. Must not have a trailing slash
+            audience: https://api.earthscope.org
         CILogonOAuthenticator:
           oauth_callback_url: https://earthscope.2i2c.cloud/hub/oauth_callback

config/clusters/earthscope/staging.values.yaml

@@ -12,5 +12,10 @@ basehub:
             name: "EarthScope staging"
     hub:
       config:
+        Auth0OAuthenticator:
+          auth0_domain: login.earthscope.org
+          extra_authorize_params:
+            # This isn't an actual URL, just a string. Must not have a trailing slash
+            audience: https://api.earthscope.org
         CILogonOAuthenticator:
           oauth_callback_url: https://staging.earthscope.2i2c.cloud/hub/oauth_callback

docs/hub-deployment-guide/configure-auth/auth0.md

@@ -64,20 +64,23 @@ jupyterhub:
   hub:
     config:
       Auth0OAuthenticator:
-        auth0_domain: <auth0-domain>
         client_id: <client-id>
         client_secret: <client-secret>
+```
+
+And in the *unencrypted*, per-hub config (of form `<hub-name>.values.yaml`), we specify the non-secret
+config values.
+
+```yaml
+jupyterhub:
+  hub:
+    config:
+      Auth0OAuthenticator:
+        auth0_domain: <auth0-domain>
         scope: openid
         username_claim: sub
 ```
 
 Once deployed, this should allow users authorized by Auth0 to login to the hub! Their usernames will
 look like `<auth-provider>:<id>`, which looks a little strange but allows differentiation between
-people who use multiple accounts but the same email. For example,
-
-## Selecting `username_claim`
-
-TODO: `sub` is not always a valid username, as CILogon produces `sub` like `oauth2|cilogon|http://cilogon.org/servera/users/32158821`.
-Need to figure out how to make this happen.
-
-## Passing on auth0 tokens to user servers via environment variables
+people who use multiple accounts but the same email.