Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Investigate authenticating GitHub Orgs/Teams through Auth0 #698

Closed
sgibson91 opened this issue Sep 22, 2021 · 13 comments
Closed

Investigate authenticating GitHub Orgs/Teams through Auth0 #698

sgibson91 opened this issue Sep 22, 2021 · 13 comments
Assignees
Labels
Task Actions that don't involve changing our code or docs.

Comments

@sgibson91
Copy link
Member

sgibson91 commented Sep 22, 2021

Description

Over in #625, the question was raised whether we could facilitate authentication against GitHub Orgs and Teams via our current Auth0 setup. If it's possible, it would save us a lot of manual work in creating GitHub OAuth Apps, storing secrets, and allow us to continue using the infrastructure we have in place for Auth0 support.

Something we should think about while investigating this: The 2i2c Engineering team like to use Auth0 as it saves us the toil of creating IDs and secrets for various auth apps. Thinking with our Right to Replicate hat on, is there a benefit for a Hub Community (managing their own hub) to use this Auth0 as a pass-through to GitHub-based auth beyond the ID/secrets argument, especially given the more familiar setup using the native JupyterHub OAuthenticator? By folding this into our Auth0 setup, do we raise the barrier to a community replicating their infrastructure without 2i2c assistance?

Value / benefit

  • Reduced toil for 2i2c Engineers
  • A single authentication story across all hubs

Implementation details

As a point of reference, the Pangeo community did a bit of discussion around this topic as well.

When to check in on this

We need to gain some experience with our current "native JupyterHub" setup, to understand how much maintenance work it is and whether it is scalable. We should re-visit this issue around February 2022 (unless something escalates it earlier) to decide whether our current setup works well.

Tasks to complete

No response

Updates

No response

@sgibson91 sgibson91 added Task Actions that don't involve changing our code or docs. impact: low labels Sep 22, 2021
@choldgraf
Copy link
Member

The main thing that made me think we might want to suggest that other organizations use Auth0 is that the Pangeo community was already using Auth0 by their own decision, weren't they? pangeo-data/pangeo-cloud-federation#611

I think that there are probably different answers depending on the hub community size, but for communities of a decent amount of complexity, Auth0 seems to be a reasonable solution.

@sgibson91
Copy link
Member Author

sgibson91 commented Sep 27, 2021

The main thing that made me think we might want to suggest that other organizations use Auth0 is that the Pangeo community was already using Auth0 by their own decision, weren't they? pangeo-data/pangeo-cloud-federation#611

They also had this issue though jupyterhub/oauthenticator#265

And their auth0 setup involved a lot of custom Javascript https://github.com/pangeo-data/pangeo-cloud-federation/tree/prod/auth0 Do we have the skills on the team to maintain that sustainably? (I don't even have the skills to reimplement it)

If there's a way to achieve it without Javascript, that'd be interesting

@choldgraf
Copy link
Member

@sgibson91 thanks for that extra context - that is definitely important follow-up.

Agreed that if using Auth0 also requires using a ton of custom JS, it's probably not something we can recommend.

Would this be a reasonable guideline:

  • For lightweight or straightforward authentication needs, Auth0 is reasonable
  • For anything more complex, use a native authenticator

?

@sgibson91
Copy link
Member Author

  • For lightweight or straightforward authentication needs, Auth0 is reasonable
  • For anything more complex, use a native authenticator

Yes, this was pretty much what I was recommending in my design proposal, that using native JupyterHub OAuth is the exception to the rule :)

@choldgraf
Copy link
Member

Cool - I agree w/ your assessment then :-)

IMO I kinda feel like we should just consider this issue as "resolved". Unless we can think of an easy way to support this with Auth0 without using a bunch of JS, then IMO we should just follow the approach you laid out. What do you think?

@sgibson91
Copy link
Member Author

Unless we can think of an easy way to support this with Auth0 without using a bunch of JS

Tbh, I haven't done the work to look into this yet, I went straight to the Jupyter OAuthenticator. In my mind, this issue is here to track that work over longer term if and when we find ourselves being overwhelmed by manually creating GitHub OAuth Apps. Maybe I didn't write the issue up clearly enough though?

@choldgraf
Copy link
Member

that makes sense - maybe we should time-box this then? E.g., in 9 months check whether we want to re-explore with Auth0? I just worry that we'll lose track of this issue since it's not something we'll take action on any time soon until we've had more experience with the current workflow

@sgibson91
Copy link
Member Author

It would be good to hear from Pangeo folk like @scottyhq if they think using Auth0 with GitHub Teams is possible without all the Javascript given enough dev time?

@sgibson91
Copy link
Member Author

I just worry that we'll lose track of this issue since it's not something we'll take action on any time soon until we've had more experience with the current workflow

For sure, but I was also worried that if we didn't have an issue saying "this is something to explore regarding this problem" open in the future when we may need it, dragging out the info from closed issues/PRs would be harder 😅

@choldgraf
Copy link
Member

Indeed! OK I've added a short note about checking back in on this to the top comment 👍

@damianavila
Copy link
Contributor

In my mind, this issue is here to track that work over longer term if and when we find ourselves being overwhelmed by manually creating GitHub OAuth Apps.

I think this is the proper approach!

Btw, those JS pieces do not seem particularly complex, I would be more worried about using the concept of Auth "rules" regardless of the language it is implemented... I feel it might increase the risk surface and I am not sure about the limitations neither the easiness to work with them.

@scottyhq
Copy link
Contributor

It would be good to hear from Pangeo folk like @scottyhq if they think using Auth0 with GitHub Teams is possible without all the Javascript given enough dev time?

Thanks for all the work you're doing on this! i'm sure there are lots of options on how these things are implemented, in case it helps i'll just provide a bit of context on the current setup:

@yuvipanda
Copy link
Member

I think we have basically now moved to using GitHub authentication directly, and support Organizations / team based auth. We also support per-team profiles! Closing this one.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Task Actions that don't involve changing our code or docs.
Projects
No open projects
Development

No branches or pull requests

5 participants