diff --git a/config/clusters/earthscope/enc-prod.secret.values.yaml b/config/clusters/earthscope/enc-prod.secret.values.yaml
index 323551895..2894018c8 100644
--- a/config/clusters/earthscope/enc-prod.secret.values.yaml
+++ b/config/clusters/earthscope/enc-prod.secret.values.yaml
@@ -2,6 +2,9 @@ basehub:
 jupyterhub:
 hub:
 config:
+ Auth0OAuthenticator:
+ client_id: ENC[AES256_GCM,data:DwOUn4AFZyJrPv2gw3SvArLXNrEOQgoWJPYLpJSQetE=,iv:HFevqec5FROZQkAfCnkoVZacFhVsRB2Fym82XHDzFBw=,tag:O9it7h27UX7a89sExeXs9A==,type:str]
+ client_secret: ENC[AES256_GCM,data:fQdBLKrl9OG1zB9wX0+j10K+1+rgSTz1/v/tVOcV8ZZcXM8FCs9EKR2nhvfrMHL3nX59NMUeI64Jb9EG16mE5g==,iv:JfSBDbzia4xNSWPmW3Cde8RqUg78l6t34yviXx54VXU=,tag:9ID3wzmWvZa1hbfsT2rTyw==,type:str]
 CILogonOAuthenticator:
 client_id: ENC[AES256_GCM,data:1C0ercYZjjc63vTPPcVa7B0Y1bnuawg854Yf3Kl4UnJ0gYuqem+zuv1lQfOzU8zKXy5L,iv:2IZjb7WzomJg8I9uDDXINjULJPXUBfJCldMOxH+B8tA=,tag:Dv1xaVkDCpI7/GLuGv6GzA==,type:str]
 client_secret: ENC[AES256_GCM,data:2mGbTTnKcVZp57ZX2Tj2o+j2y0NfABPtTiV6sw3oWlR/t7w4fiFkSK9cyArnJwQfRjWc6M6NNB50A3zWZrKaoPLRj8Afiq8pFTjtRZnZGe5g4h2mXYg=,iv:xmJEHc2V0aG1KEh2eAPj80tZoNzFnBz42QdCSmzO2mc=,tag:+48SuYVdlJCizaYVMn9hrA==,type:str]
@@ -14,8 +17,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2023-12-14T18:24:34Z"
- mac: ENC[AES256_GCM,data:0Kde6XE/A7k9CwhxQFsa3I61ohr9WN7AO2haWkFETpDG+jXtU5MYkrScbwnlayLa0vM6vk2OfUxR6LrB9jPcxTx8+n2Pqx6kPTzgr8a8ORhG4xc6Lqj0a1KyDMdnGi5beqoXSxolPyd1mnSTAFAVIGwle37Gg0fIr0VFii9lsfQ=,iv:gPVYPvyTEriA9sxbmtMRo611b5dB5idYa0J+DtEYcaY=,tag:RNOItHNKtUGZ/UgfT1Ea2Q==,type:str]
+ lastmodified: "2024-01-24T22:53:57Z"
+ mac: ENC[AES256_GCM,data:MgnyRZmQryZqw+0gy3yUp3syuIYsWi3vvkOQrjW4jkk3/ZfIjWyo81cnO3Jgxr2pAADAbqX4qKITpBuWpX05lEDhv3kg3L6DAhnY0iExuDSWHGYJ04856pADGtuHIFIYmQxG46u+RfpTljVZK4cHAY4OVUraHVbKVxg/iP5pkpU=,iv:XF43toaqgiGjUh0W3HG0Iq2Y10paP24BGnPk9HomLKk=,tag:bsp93INUlVt1WJA4h7uVLw==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1
diff --git a/config/clusters/earthscope/enc-staging.secret.values.yaml b/config/clusters/earthscope/enc-staging.secret.values.yaml
index eaf6677ac..7dc792e32 100644
--- a/config/clusters/earthscope/enc-staging.secret.values.yaml
+++ b/config/clusters/earthscope/enc-staging.secret.values.yaml
@@ -3,7 +3,6 @@ basehub:
 hub:
 config:
 Auth0OAuthenticator:
- auth0_domain: ENC[AES256_GCM,data:QIf7pJ+PuhRcLGmiJBrxbe101fgJHGfO,iv:uxvwv+jsi4hdJoq8G/C6hup7+HmqxTvgbLvrr6GcB68=,tag:CsvbXofKbCdtZGKDND5ZeQ==,type:str]
 client_id: ENC[AES256_GCM,data:zAZAcTnDoYXd6+HEHyCTAZcWDfFb4MVGaHguf+l80jc=,iv:aQidh2IJMcMcEPBCyB7I94of0ywyvNNc4R/9jrTh/Xo=,tag:EN3jpNVKALN4L5mBw21Ptg==,type:str]
 client_secret: ENC[AES256_GCM,data:glfuw+S6w1n8hNOvYlEPvTVU6yfAePNt1/zzz8ttrW8eTro5o05dKLeUgULp75/tk5BbVoYkjt3VsruVWq5nWg==,iv:GtB9642/chhguJaLsvI/It1kGWH/VZ5J/ubdbu5GzvY=,tag:Ym62f23AnqPDEFTDC9RwAA==,type:str]
 CILogonOAuthenticator:
@@ -18,8 +17,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2024-01-18T22:56:16Z"
- mac: ENC[AES256_GCM,data:RTdv7Ry6i7GNQJsKiNSIj8lFbFAPPk4cypVnPsrR8wT8CFN4kDxINw6u5XTbMeWtijoRSuZGSaFvjQZn/9jcHhyXipA3FNXpzvJRKMluGYDiBermpchwsFZiD2QC/OdPJwBDgMnYXRJ8aau4O4ccR1y4hGaeZSyoiACUnVlJRh4=,iv:/XngY8fbnCJ9Uu68V0u7vyitzGpNa0jaguvdrvZQlCA=,tag:hWoFsNuoQgwMiOtDgF49wg==,type:str]
+ lastmodified: "2024-01-24T23:03:04Z"
+ mac: ENC[AES256_GCM,data:ZPZmbQLCeuK1C7FR8USNXtJiE8xV6esOt4tcqSRuwe73HxAyogAstYBqDz5rlsi5qf68ew6dLkhX17oiJxABTCi4PpNMMktuVGe10OrlAEgZm4cRc3H4MfdMEfS/2I7V0PcItJINqte0EGQbYqRYgkz5XCA4+0k8075uIqypoug=,iv:uzeiyu9hP6mo7YphNJU/AZOquKU055IxznWiDXrETrA=,tag:qwDi7EleXQaYHagsXS7jzA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1
diff --git a/config/clusters/earthscope/prod.values.yaml b/config/clusters/earthscope/prod.values.yaml
index a850dd41e..82b586bcc 100644
--- a/config/clusters/earthscope/prod.values.yaml
+++ b/config/clusters/earthscope/prod.values.yaml
@@ -12,5 +12,10 @@ basehub:
 name: "EarthScope"
 hub:
 config:
+ Auth0OAuthenticator:
+ auth0_domain: login-dev.earthscope.org
+ extra_authorize_params:
+ # This isn't an actual URL, just a string. Must not have a trailing slash
+ audience: https://api.earthscope.org
 CILogonOAuthenticator:
 oauth_callback_url: https://earthscope.2i2c.cloud/hub/oauth_callback
diff --git a/config/clusters/earthscope/staging.values.yaml b/config/clusters/earthscope/staging.values.yaml
index bb621d843..51874fce2 100644
--- a/config/clusters/earthscope/staging.values.yaml
+++ b/config/clusters/earthscope/staging.values.yaml
@@ -12,5 +12,10 @@ basehub:
 name: "EarthScope staging"
 hub:
 config:
+ Auth0OAuthenticator:
+ auth0_domain: login.earthscope.org
+ extra_authorize_params:
+ # This isn't an actual URL, just a string. Must not have a trailing slash
+ audience: https://api.earthscope.org
 CILogonOAuthenticator:
 oauth_callback_url: https://staging.earthscope.2i2c.cloud/hub/oauth_callback
diff --git a/docs/hub-deployment-guide/configure-auth/auth0.md b/docs/hub-deployment-guide/configure-auth/auth0.md
index a1e937149..9ab0b97f3 100644
--- a/docs/hub-deployment-guide/configure-auth/auth0.md
+++ b/docs/hub-deployment-guide/configure-auth/auth0.md
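Review bot: The two added `auth0_domain` values look swapped between environments: the `prod.values.yaml` hunk sets `auth0_domain: login-dev.earthscope.org`, while the `staging.values.yaml` hunk sets `auth0_domain: login.earthscope.org`. If `login-dev` is a development tenant (inferred from the hostname only), production sign-ins would be decided by the less tightly controlled identity provider, and the staging hub would hold a client secret for the production one. Confirm that the `client_id`/`client_secret` pairs added to `enc-prod.secret.values.yaml` and kept in `enc-staging.secret.values.yaml` were issued by the tenant named here, and if the pairing is deliberate record it next to the key, e.g. `# prod uses the login-dev tenant on purpose: <reason>`. The rest of the `basehub` mapping is outside both hunks, so any `scope` or `username_claim` settings cannot be checked from here.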
@@ -64,20 +64,23 @@ jupyterhub: hub: config: Auth0OAuthenticator: - auth0_domain: client_id: client_secret: +``` + +And in the *unencrypted*, per-hub config (of form `.values.yaml`), we specify the non-secret +config values. + +```yaml +jupyterhub: + hub: + config: + Auth0OAuthenticator: + auth0_domain: scope: openid username_claim: sub ``` Once deployed, this should allow users authorized by Auth0 to login to the hub! Their usernames will look like `:`, which looks a little strange but allows differentiation between -people who use multiple accounts but the same email. For example, - -## Selecting `username_claim` - -TODO: `sub` is not always a valid username, as CILogon produces `sub` like `oauth2|cilogon|http://cilogon.org/servera/users/32158821`. -Need to figure out how to make this happen. - -## Passing on auth0 tokens to user servers via environment variables \ No newline at end of file +people who use multiple accounts but the same email. \ No newline at end of file