Skip to main content

KeyCloakAuthenticator: Authenticate JupyterHub users with KeyCloak and OIDC

Project description

KeyCloakAuthenticator

Authenticates users via SSO using OIDC.

This authenticator implements a refresh mechanism, ensuring that the tokens stored in the user dict are always up-to-date (if the update is not possible, it forces a re-authentication of the user). It also allows exchanging the user token for tokens that can be used to authenticate against other (external) services.

This Authenticator is built on top of OAuthenticator and should be possible to use some of its configuration values.

Requirements

  • Jupyterhub
  • oauthenticator
  • PyJWT[crypto]
  • openssl_devel (see below)

Installation

pip install keycloakauthenticator

If you enable check_signature, you also need the openssl_devel (or equivalent in your distribution) package.

Usage

In your JupyterHub config file, set the authenticator and configure it:

# Enable the authenticator
c.JupyterHub.authenticator_class = 'keycloakauthenticator.KeyCloakAuthenticator'
c.KeyCloakAuthenticator.username_claim = 'preferred_username'

# URL to redirect to after logout is complete with auth provider.
c.KeyCloakAuthenticator.logout_redirect_url = 'https://cern.ch/swan'
c.KeyCloakAuthenticator.oauth_callback_url = 'https://swan.cern.ch/hub/oauth_callback'

# Specify the issuer url, to get all the endpoints automatically from .well-known/openid-configuration
c.KeyCloakAuthenticator.oidc_issuer = 'https://auth.cern.ch/auth/realms/cern'

# If you need to set a different scope, like adding the offline option for longer lived refresh token
c.KeyCloakAuthenticator.scope = ['profile', 'email', 'offline_access']
# Only allow users with this specific roles (none, to allow all)
c.KeyCloakAuthenticator.allowed_roles = []
# Specify the role to set a user as admin
c.KeyCloakAuthenticator.admin_role = 'swan-admin'

# If you have the roles in a non default place inside the user token, you can retrieve them
# This must return a set
def claim_roles_key(env, token):
    return set(token.get('app_roles', []))
c.KeyCloakAuthenticator.claim_roles_key = claim_roles_key

# Request access tokens for other services by passing their id's (this uses the token exchange mechanism)
c.KeyCloakAuthenticator.exchange_tokens = ['eos-service', 'cernbox-service']

# If your authenticator needs extra configurations, set them in the pre-spawn hook
def pre_spawn_hook(authenticator, spawner, auth_state):
    spawner.environment['ACCESS_TOKEN'] = auth_state['exchanged_tokens']['eos-service']
    spawner.environment['OAUTH_INSPECTION_ENDPOINT'] = authenticator.userdata_url.replace('https://', '')
    spawner.user_uid = auth_state['oauth_user']['cern_uid']
    decoded_token = authenticator._decode_token(auth_state['access_token'])
    spawner.user_roles = authenticator.claim_roles_key(authenticator, decoded_token)
c.KeyCloakAuthenticator.pre_spawn_hook = pre_spawn_hook

#Configure token signature verification
c.KeyCloakAuthenticator.check_signature=True
c.KeyCloakAuthenticator.jwt_signing_algorithms = ["HS256", "RS256"]

# Once a token is refreshed, by default jupyterhub does not trigger a refresh again (triggered when receiving any authenticated request) in `Authenticator.auth_refresh_age` seconds (default 5 minutes)
# If you want to refresh the token less often, and align the refresh to your tokens expiration, which will also trigger the update of the oAuth/OIDC token, this value can be changed:
c.KeyCloakAuthenticator.auth_refresh_age = 900 # 15 minutes

It's also necessary to configure the Client ID and secret. One way of doing this is by setting the following environment variables:

OAUTH_CLIENT_ID=my_id
OAUTH_CLIENT_SECRET=my_secret

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

keycloakauthenticator-4.0.9.tar.gz (8.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

keycloakauthenticator-4.0.9-py3-none-any.whl (8.9 kB view details)

Uploaded Python 3

File details

Details for the file keycloakauthenticator-4.0.9.tar.gz.

File metadata

  • Download URL: keycloakauthenticator-4.0.9.tar.gz
  • Upload date:
  • Size: 8.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for keycloakauthenticator-4.0.9.tar.gz
Algorithm Hash digest
SHA256 33891663e64c9208f791d165bb95a53bb6afae24310cd61bb146fa3c3806e962
MD5 76fb9a9480ba266e6d06376779f60ec7
BLAKE2b-256 0e7257faa3c66b97f183cec675659505070ab17103faae0efa2322ab5e0f97a6

See more details on using hashes here.

Provenance

The following attestation bundles were made for keycloakauthenticator-4.0.9.tar.gz:

Publisher: release.yml on swan-cern/jupyterhub-extensions

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file keycloakauthenticator-4.0.9-py3-none-any.whl.

File metadata

File hashes

Hashes for keycloakauthenticator-4.0.9-py3-none-any.whl
Algorithm Hash digest
SHA256 adec4cc5b3e144aa1b6aab4074937231c84baee0bd3bd45bc26a7aef1e5d2c89
MD5 913395e57a97b72b574907853d21f104
BLAKE2b-256 62474ea6279c42eb23e114df3ad2e44e95038561a58500f980b85fc9737befd9

See more details on using hashes here.

Provenance

The following attestation bundles were made for keycloakauthenticator-4.0.9-py3-none-any.whl:

Publisher: release.yml on swan-cern/jupyterhub-extensions

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page