From 6a83adad44ac096f8723ec753035fd3a8ed39296 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Krassowski?= <5832902+krassowski@users.noreply.github.com>
Date: Thu, 4 Apr 2024 18:01:18 +0100
Subject: [PATCH] Get JupyterHub `groups` from Keycloak, support `oauthenticator` 16.3+ (#2361)
Co-authored-by: Amit Kumar
---
 .../kubernetes/services/jupyterhub/main.tf | 31 ++++++++++++-------
 1 file changed, 19 insertions(+), 12 deletions(-)
diff --git a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/main.tf b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/main.tf
index f99ef62eed..7ac85a607f 100644
--- a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/main.tf
+++ b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/main.tf
@@ -150,18 +150,25 @@ resource "helm_release" "jupyterhub" {
 enable_auth_state = true
 }
 GenericOAuthenticator = {
- client_id = module.jupyterhub-openid-client.config.client_id
- client_secret = module.jupyterhub-openid-client.config.client_secret
- oauth_callback_url = "https://${var.external-url}/hub/oauth_callback"
- authorize_url = module.jupyterhub-openid-client.config.authentication_url
- token_url = module.jupyterhub-openid-client.config.token_url
- userdata_url = module.jupyterhub-openid-client.config.userinfo_url
- login_service = "Keycloak"
- username_key = "preferred_username"
- claim_groups_key = "roles"
- allowed_groups = ["jupyterhub_admin", "jupyterhub_developer"]
- admin_groups = ["jupyterhub_admin"]
- tls_verify = false
+ client_id = module.jupyterhub-openid-client.config.client_id
+ client_secret = module.jupyterhub-openid-client.config.client_secret
+ oauth_callback_url = "https://${var.external-url}/hub/oauth_callback"
+ authorize_url = module.jupyterhub-openid-client.config.authentication_url
+ token_url = module.jupyterhub-openid-client.config.token_url
+ userdata_url = module.jupyterhub-openid-client.config.userinfo_url
+ login_service = "Keycloak"
+ username_claim = "preferred_username"
+ claim_groups_key = "groups"
+ allowed_groups = ["/analyst", "/developer", "/admin"]
+ admin_groups = ["/admin"]
+ manage_groups = true
+ refresh_pre_spawn = true
+ validate_server_cert = false
+
+ # deprecated, to be removed (replaced by validate_server_cert)
+ tls_verify = false
+ # deprecated, to be removed (replaced by username_claim)
+ username_key = "preferred_username"
 }
 }
 }
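Review bot: `validate_server_cert = false` carries the old `tls_verify = false` forward, so the hub still does not verify the certificate of the server it reaches at `token_url` and `userdata_url`. With this change the `groups` claim returned there decides `allowed_groups` and `admin_groups` membership, and `manage_groups` syncs it into JupyterHub, so an unauthenticated back-channel now directly affects who becomes hub admin. If verification is off only to tolerate self-signed certificates in some deployments (an assumption, the hunk does not say), it would be safer to default it to on and make it opt-out through a module input, e.g. `validate_server_cert = var.PLACEHOLDER_verify_keycloak_cert`. At minimum the line should carry a comment such as `# certificate verification is disabled here because <reason>; enable it wherever Keycloak presents a trusted certificate`. The `helm_release` resource starts and ends outside the hunk, so whether a CA bundle is mounted elsewhere cannot be checked from here.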