[BUG] - Do not show oauth screen for users accessing the main jhub-apps service #2570
Labels
area: integration/jhub-apps
area: integration/jupyterhub
type: enhancement 💅🏼
New feature or request
Describe the bug
In nebari (and often in JupyterHub in general) the auth sequence involves two or three OAuth providers:
In such setups the JupyterHub OAuth provider is meant to be transparent to the users unless the user grants additional permissions to third-party services. Typically JupyterHub OAuth checks the user identity when spawning servers, and verifies that the user wants to share their identity (or specific permissions) with services.
Jhub-apps is a service which requires users to confirm that they agree to share the JupyterHub OAuth identity with the service. Currently, a confusing screen is shown to users when they first log in to JupyterHub, after they already authenticated with Keycloak:
It is confusing because users do not know what the "japps" (sic!) service is, nor what the default scope description ("Identify the owner of the requesting entity") means, since very technical language is used.
This screen is not always necessary: user servers are by default confirmed without user action, and services "blessed" by the administrator of the JupyterHub are also handled transparently. This is configured by setting oauth_no_confirm in the service configuration.
Expected behavior
Since jhub-apps is tightly integrated with nebari, it makes sense to exempt it from the user having to explicitly confirm that they do want to share their identity with jhub-apps.
If we do want to keep this screen, however, we may want to customize it to better describe which actions the service will perform on behalf of the user (like creating named servers, sharing servers, etc.), as access to these actions is currently permitted via a separate token rather than through oauth scopes.
We previously had oauth_no_confirm set to True on some services used when jhub-apps is enabled. This got removed during the JupyterHub 5 upgrade (#2427) due to JupyterHub now requiring additional URL configuration for it (jupyterhub/jupyterhub#4801). The removal was based on a conversation in which these services were described as applications that do not oauth with JupyterHub, but use Keycloak directly. This is correct, these services:
nebari/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/files/jupyterhub/02-spawner.py
Lines 77 to 84 in 4f8fc54
do not use JupyterHub oauth but they use Keycloak directly.
However, jhub-apps itself as of today:
The code change would need to be done in:
nebari/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/files/jupyterhub/02-spawner.py
Line 87 in 4f8fc54
By passing a new oauth_no_confirm argument down to where the main jhub-app service is appended to c.JupyterHub.services in jhub-apps.
We should probably also rethink the name of the service, it is currently set to japps (here) which does not correspond to jhub-apps used in the documentation.
OS and architecture in which you are running Nebari
Irrelevant
How to Reproduce the problem?
jhub_apps.enabled: false
jhub_apps.enabled: true
Command output
No response
Versions and dependencies used.
No response
Compute environment
None
Integrations
No response
Anything else?
No response
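Added example, not part of the original issue and not Nebari or jhub-apps code: since oauth_no_confirm removes the user's consent step, a deployment can check that only administrator-approved services set it and that they request only approved scopes. The trust list, approved scopes, service URLs and the `audit_no_confirm` helper are assumptions made for illustration; the service dict keys are JupyterHub's.

```python
# Added example: audit which JupyterHub services skip the OAuth consent screen.
# Service dict keys (name, url, oauth_no_confirm, oauth_redirect_uri,
# oauth_client_allowed_scopes) are JupyterHub's; all values are constructed.

TRUSTED_NO_CONFIRM = {"japps"}  # assumption: services the admin has "blessed"
ALLOWED_SCOPES = {"japps": {"read:users!user"}}  # assumption: approved scopes


def audit_no_confirm(services, trusted=TRUSTED_NO_CONFIRM, allowed=ALLOWED_SCOPES):
    """Return (service name, finding) pairs for risky consent-skipping services."""
    findings = []
    for svc in services:
        if not svc.get("oauth_no_confirm", False):
            continue  # the user still sees the confirmation screen
        name = svc.get("name", "<unnamed>")
        if name not in trusted:
            findings.append((name, "skips consent but is not admin-approved"))
        # Assumption: the "additional URL configuration" the issue mentions
        # means the service declares url or oauth_redirect_uri.
        if not (svc.get("url") or svc.get("oauth_redirect_uri")):
            findings.append((name, "skips consent without a declared URL"))
        requested = set(svc.get("oauth_client_allowed_scopes", []))
        extra = requested - allowed.get(name, set())
        if extra:
            findings.append((name, "unapproved scopes: " + ", ".join(sorted(extra))))
    return findings


# Constructed sample, shaped like entries of c.JupyterHub.services.
SAMPLE_SERVICES = [
    {"name": "japps", "url": "http://jhub-apps.example:10202",
     "oauth_no_confirm": True,
     "oauth_client_allowed_scopes": ["read:users!user"]},
    {"name": "dashboard", "oauth_no_confirm": True,
     "oauth_client_allowed_scopes": ["admin:users"]},
    {"name": "metrics", "url": "http://metrics.example:9000"},
]

if __name__ == "__main__":
    for name, finding in audit_no_confirm(SAMPLE_SERVICES):
        print(f"{name}: {finding}")
```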