Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable auth0 authentication for earthscope #3618

Merged
merged 8 commits into from
Jan 25, 2024
Merged
Show file tree
Hide file tree
Changes from 7 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
84 changes: 83 additions & 1 deletion config/clusters/earthscope/common.values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -33,9 +33,88 @@ basehub:
name: "EarthScope Consortium"
url: https://www.earthscope.org/
hub:
extraConfig:
001-username-claim: |
from oauthenticator.auth0 import Auth0OAuthenticator
from traitlets import List, Unicode

class CustomAuth0OAuthenticator(Auth0OAuthenticator):
# required_scopes functionality comes in from https://github.com/jupyterhub/oauthenticator/pull/719
# Can be removed from here once that PR is merged
required_scopes = List(
Unicode(),
config=True,
help="""
List of scopes that must be granted to allow login.

All the scopes listed in this config must be present in the OAuth2 grant
from the authorizing server to allow the user to login. We request all
the scopes listed in the 'scope' config, but only a subset of these may
be granted by the authorization server. This may happen if the user does not
have permissions to access a requested scope, or has chosen to not give consent
for a particular scope. If the scopes listed in this config are not granted,
the user will not be allowed to log in.

See the OAuth documentation of your OAuth provider for various options.
""",
)

async def authenticate(self, *args, **kwargs):
auth_model = await super().authenticate(*args, **kwargs)
username = auth_model["name"]
# This is required until https://github.com/jupyterhub/oauthenticator/pull/717
# gets merged, can be removed after that.
if username.startswith("oauth2|cilogon"):
cilogon_sub = username.rsplit("|", 1)[-1]
cilogon_sub_parts = cilogon_sub.split("/")
username = f"oauth2|cilogon|{cilogon_sub_parts[3]}|{cilogon_sub_parts[5]}"
auth_model["name"] = username
return auth_model

async def check_allowed(self, username, auth_model):
if await super().check_allowed(username, auth_model):
return True

if self.required_scopes:
granted_scopes = auth_model.get('auth_state', {}).get('scope', [])
missing_scopes = set(self.required_scopes) - set(granted_scopes)
if missing_scopes:
self.log.info(f"Denying access to user {username} - scopes {missing_scopes} were not granted, only {granted_scopes} were granted")
return False
else:
return True

return False

def populate_token(spawner, auth_state):
token_env = {
'AUTH0_ACCESS_TOKEN': auth_state.get("access_token", ""),
'AUTH0_ID_TOKEN': auth_state.get("id_token", ""),
'AUTH0_REFRESH_TOKEN': auth_state.get('refresh_token', '')
}
spawner.environment.update(token_env)

c.Spawner.auth_state_hook = populate_token

c.JupyterHub.authenticator_class = CustomAuth0OAuthenticator
config:
JupyterHub:
authenticator_class: cilogon
authenticator_class: auth0
CustomAuth0OAuthenticator:
required_scopes:
# This allows EarthScope to control who can login to the hub
- geolab
Auth0OAuthenticator:
scope:
- openid
# This gives us refresh token
- offline_access
# This allows EarthScope to control who can login to the hub
- geolab
extra_authorize_params:
# This isn't an actual URL, just a string. Must not have a trailing slash
audience: https://api.dev.earthscope.org
username_claim: sub
CILogonOAuthenticator:
allowed_idps:
http://github.com/login/oauth/authorize:
Expand All @@ -46,9 +125,12 @@ basehub:
username_derivation:
username_claim: email
Authenticator:
enable_auth_state: true
admin_users:
- timdittmann
- chad-earthscope
- google-oauth2|101500906458831444600
- oauth2|cilogon|servera|32158821
singleuser:
profileList:
- display_name: "Shared Small: 1-4 CPU, 8-32 GB"
Expand Down
7 changes: 5 additions & 2 deletions config/clusters/earthscope/enc-prod.secret.values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,9 @@ basehub:
jupyterhub:
hub:
config:
Auth0OAuthenticator:
client_id: ENC[AES256_GCM,data:DwOUn4AFZyJrPv2gw3SvArLXNrEOQgoWJPYLpJSQetE=,iv:HFevqec5FROZQkAfCnkoVZacFhVsRB2Fym82XHDzFBw=,tag:O9it7h27UX7a89sExeXs9A==,type:str]
client_secret: ENC[AES256_GCM,data:fQdBLKrl9OG1zB9wX0+j10K+1+rgSTz1/v/tVOcV8ZZcXM8FCs9EKR2nhvfrMHL3nX59NMUeI64Jb9EG16mE5g==,iv:JfSBDbzia4xNSWPmW3Cde8RqUg78l6t34yviXx54VXU=,tag:9ID3wzmWvZa1hbfsT2rTyw==,type:str]
CILogonOAuthenticator:
client_id: ENC[AES256_GCM,data:1C0ercYZjjc63vTPPcVa7B0Y1bnuawg854Yf3Kl4UnJ0gYuqem+zuv1lQfOzU8zKXy5L,iv:2IZjb7WzomJg8I9uDDXINjULJPXUBfJCldMOxH+B8tA=,tag:Dv1xaVkDCpI7/GLuGv6GzA==,type:str]
client_secret: ENC[AES256_GCM,data:2mGbTTnKcVZp57ZX2Tj2o+j2y0NfABPtTiV6sw3oWlR/t7w4fiFkSK9cyArnJwQfRjWc6M6NNB50A3zWZrKaoPLRj8Afiq8pFTjtRZnZGe5g4h2mXYg=,iv:xmJEHc2V0aG1KEh2eAPj80tZoNzFnBz42QdCSmzO2mc=,tag:+48SuYVdlJCizaYVMn9hrA==,type:str]
Expand All @@ -14,8 +17,8 @@ sops:
azure_kv: []
hc_vault: []
age: []
lastmodified: "2023-12-14T18:24:34Z"
mac: ENC[AES256_GCM,data:0Kde6XE/A7k9CwhxQFsa3I61ohr9WN7AO2haWkFETpDG+jXtU5MYkrScbwnlayLa0vM6vk2OfUxR6LrB9jPcxTx8+n2Pqx6kPTzgr8a8ORhG4xc6Lqj0a1KyDMdnGi5beqoXSxolPyd1mnSTAFAVIGwle37Gg0fIr0VFii9lsfQ=,iv:gPVYPvyTEriA9sxbmtMRo611b5dB5idYa0J+DtEYcaY=,tag:RNOItHNKtUGZ/UgfT1Ea2Q==,type:str]
lastmodified: "2024-01-24T22:53:57Z"
mac: ENC[AES256_GCM,data:MgnyRZmQryZqw+0gy3yUp3syuIYsWi3vvkOQrjW4jkk3/ZfIjWyo81cnO3Jgxr2pAADAbqX4qKITpBuWpX05lEDhv3kg3L6DAhnY0iExuDSWHGYJ04856pADGtuHIFIYmQxG46u+RfpTljVZK4cHAY4OVUraHVbKVxg/iP5pkpU=,iv:XF43toaqgiGjUh0W3HG0Iq2Y10paP24BGnPk9HomLKk=,tag:bsp93INUlVt1WJA4h7uVLw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1
7 changes: 5 additions & 2 deletions config/clusters/earthscope/enc-staging.secret.values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,9 @@ basehub:
jupyterhub:
hub:
config:
Auth0OAuthenticator:
client_id: ENC[AES256_GCM,data:zAZAcTnDoYXd6+HEHyCTAZcWDfFb4MVGaHguf+l80jc=,iv:aQidh2IJMcMcEPBCyB7I94of0ywyvNNc4R/9jrTh/Xo=,tag:EN3jpNVKALN4L5mBw21Ptg==,type:str]
client_secret: ENC[AES256_GCM,data:glfuw+S6w1n8hNOvYlEPvTVU6yfAePNt1/zzz8ttrW8eTro5o05dKLeUgULp75/tk5BbVoYkjt3VsruVWq5nWg==,iv:GtB9642/chhguJaLsvI/It1kGWH/VZ5J/ubdbu5GzvY=,tag:Ym62f23AnqPDEFTDC9RwAA==,type:str]
CILogonOAuthenticator:
client_id: ENC[AES256_GCM,data:Lv/25K0A8CZs6dK20mujkn536hpreimP/MUqGOJ4cpXLTFnJNRmGkN7mYPC2klalEKcn,iv:nj4b7Y75A9wgg+w2XBas17Cs8Az3AzDkeO9u1ZwI1Jo=,tag:gCMMoa3iQWVRQvTQkCIkAg==,type:str]
client_secret: ENC[AES256_GCM,data:EAD3iQGXs7soD4VxRXol2YuuJBmOpDBbX5Cg+VyTk7xA7Jn715vZMNBeOKtal1a6kzyds3tuw+h+DWsF3Dod2MxHS7H4FARHLopP9xuAvS6Tw3mZZ28=,iv:F8CqwLYz7WR5qge0Yj91aU/w5pj6fiEaBvndVe4zvG4=,tag:60BekNlkRhf2a3Nkvo1kWg==,type:str]
Expand All @@ -14,8 +17,8 @@ sops:
azure_kv: []
hc_vault: []
age: []
lastmodified: "2023-12-14T18:42:52Z"
mac: ENC[AES256_GCM,data:DWO/hv47PbcFx8NATfOJrLUMkOV3dTUzr53nUtpDge+NseEOSoMKeEWz1L7jWYhM+Iga05csm78BT9c3gI921dKlOXRJ6fn1e5guxqKPOAuZugbWUeEqGa8Z26sAwuSRXIZyWiWDJZJThsNk4+s0s7vZmXcrGHGjWA3eCEvTwxE=,iv:9QDeyrmE0euFgqcvZMCuubNA44YB8x2Sa1CqEGJjKjM=,tag:qj5ZnX1TS2Lt4QbXuJFB0Q==,type:str]
lastmodified: "2024-01-24T23:03:04Z"
mac: ENC[AES256_GCM,data:ZPZmbQLCeuK1C7FR8USNXtJiE8xV6esOt4tcqSRuwe73HxAyogAstYBqDz5rlsi5qf68ew6dLkhX17oiJxABTCi4PpNMMktuVGe10OrlAEgZm4cRc3H4MfdMEfS/2I7V0PcItJINqte0EGQbYqRYgkz5XCA4+0k8075uIqypoug=,iv:uzeiyu9hP6mo7YphNJU/AZOquKU055IxznWiDXrETrA=,tag:qwDi7EleXQaYHagsXS7jzA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1
5 changes: 5 additions & 0 deletions config/clusters/earthscope/prod.values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,10 @@ basehub:
name: "EarthScope"
hub:
config:
Auth0OAuthenticator:
auth0_domain: login.earthscope.org
extra_authorize_params:
# This isn't an actual URL, just a string. Must not have a trailing slash
audience: https://api.earthscope.org
CILogonOAuthenticator:
oauth_callback_url: https://earthscope.2i2c.cloud/hub/oauth_callback
5 changes: 5 additions & 0 deletions config/clusters/earthscope/staging.values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,10 @@ basehub:
name: "EarthScope staging"
hub:
config:
Auth0OAuthenticator:
auth0_domain: login-dev.earthscope.org
extra_authorize_params:
# This isn't an actual URL, just a string. Must not have a trailing slash
audience: https://api.dev.earthscope.org
CILogonOAuthenticator:
oauth_callback_url: https://staging.earthscope.2i2c.cloud/hub/oauth_callback
86 changes: 86 additions & 0 deletions docs/hub-deployment-guide/configure-auth/auth0.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,86 @@
(auth:auth0)=
# Auth0

[Auth0](https://auth0.com/) is a commercial authentication provider that some communities
would like to use, for the various extra features it offers. Since it's outside the primary
two authentication mechanisms we offer, this costs extra - please confirm with partnerships
team that the community is being billed for it.

## Set up the hub with CILogon

First, we set up the hub and use [CILogon](auth:cilogon) for authentication, so the community
can get started and poke around. This decouples getting started from the auth0 process,
to make everything smoother (for both 2i2c engineers and the community).

## Requesting credentials from the community

We have to ask the community to create and provision Auth0 credentials for us. They will need
to create a [Regular Auth0 Web App](https://auth0.com/docs/get-started/auth0-overview/create-applications/regular-web-apps)
for each hub - so at the least, for the staging hub and the production hub.

Under [Application URIs](https://auth0.com/docs/get-started/applications/application-settings#application-uris),
they should use the following URL under"Allowed Callback URLs":
yuvipanda marked this conversation as resolved.
Show resolved Hide resolved

`https://<domain-of-the-hub>/hub/oauth_callback`

Once created, they should collect the following information:

1. `client_secret` and `client_id` for the created application.
2. The "Auth0 domain" for the created application.

These are *secure credentials*, and must be sent to us using [the encrypted support mechanism](https://docs.2i2c.org/support/#send-us-encrypted-content)

They can configure this with whatever [connections](https://auth0.com/docs/connections) they
prefer - 2i2c is not responsible for and hence can not really help with configuring this.

```{note}

It may be advantageous to 2i2c engineers to have shared access to this auth0 web application,
so we can debug issues that may arise. But we don't want to create too much friction here,
by having to manually create accounts for each 2i2c engineer for each auth0 application we
administer. Solutions (potentially a shared account) are being explored.
```

## Configuring the JupyterHub to use Auth0

We will use the upstream [Auth0OAuthenticator](https://github.com/jupyterhub/oauthenticator/blob/main/oauthenticator/auth0.py)
to allow folks to login to JupyterHub.

In the `common.yaml` file for the cluster hosting the hubs, we set the authenticator to be `auth0`.

```yaml
jupyterhub:
hub:
config:
JupyterHub:
authenticator_class: auth0
```

In the encrypted, per-hub config (of form `enc-<hub-name>.secret.values.yaml`), we specify the secret values
we received from the community.

```yaml
jupyterhub:
hub:
config:
Auth0OAuthenticator:
client_id: <client-id>
client_secret: <client-secret>
```

And in the *unencrypted*, per-hub config (of form `<hub-name>.values.yaml`), we specify the non-secret
config values.

```yaml
jupyterhub:
hub:
config:
Auth0OAuthenticator:
auth0_domain: <auth0-domain>
scope: openid
username_claim: sub
```

Once deployed, this should allow users authorized by Auth0 to login to the hub! Their usernames will
look like `<auth-provider>:<id>`, which looks a little strange but allows differentiation between
people who use multiple accounts but the same email.
1 change: 1 addition & 0 deletions docs/hub-deployment-guide/configure-auth/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,4 +12,5 @@ Switching authentication providers (e.g. from GitHub to Google) for a pre-existi
:caption: Authentication Providers
github-orgs
cilogon
auth0
```
Loading