Skip to main content

KeyCloakAuthenticator: Authenticate JupyterHub users with KeyCloak and OIDC

Project description

KeyCloakAuthenticator

Authenticates users via SSO using OIDC.

This authenticator implements a refresh mechanism, ensuring that the tokens stored in the user dict are always up-to-date (if the update is not possible, it forces a re-authentication of the user). It also allows exchanging the user token for tokens that can be used to authenticate against other (external) services.

This Authenticator is built on top of OAuthenticator and should be possible to use some of its configuration values.

Requirements

  • Jupyterhub
  • oauthenticator
  • PyJWT[crypto]
  • openssl_devel (see below)

Installation

pip install keycloakauthenticator

If you enable check_signature, you also need the openssl_devel (or equivalent in your distribution) package.

Usage

In your JupyterHub config file, set the authenticator and configure it:

# Enable the authenticator
c.JupyterHub.authenticator_class = 'keycloakauthenticator.KeyCloakAuthenticator'
c.KeyCloakAuthenticator.username_claim = 'preferred_username'

# URL to redirect to after logout is complete with auth provider.
c.KeyCloakAuthenticator.logout_redirect_url = 'https://cern.ch/swan'
c.KeyCloakAuthenticator.oauth_callback_url = 'https://swan.cern.ch/hub/oauth_callback'

# Specify the issuer url, to get all the endpoints automatically from .well-known/openid-configuration
c.KeyCloakAuthenticator.oidc_issuer = 'https://auth.cern.ch/auth/realms/cern'

# If you need to set a different scope, like adding the offline option for longer lived refresh token
c.KeyCloakAuthenticator.scope = ['profile', 'email', 'offline_access']
# Only allow users with this specific roles (none, to allow all)
c.KeyCloakAuthenticator.allowed_roles = []
# Specify the role to set a user as admin
c.KeyCloakAuthenticator.admin_role = 'swan-admin'

# If you have the roles in a non default place inside the user token, you can retrieve them
# This must return a set
def claim_roles_key(env, token):
    return set(token.get('app_roles', []))
c.KeyCloakAuthenticator.claim_roles_key = claim_roles_key

# Request access tokens for other services by passing their id's (this uses the token exchange mechanism)
c.KeyCloakAuthenticator.exchange_tokens = ['eos-service', 'cernbox-service']

# If your authenticator needs extra configurations, set them in the pre-spawn hook
def pre_spawn_hook(authenticator, spawner, auth_state):
    spawner.environment['ACCESS_TOKEN'] = auth_state['exchanged_tokens']['eos-service']
    spawner.environment['OAUTH_INSPECTION_ENDPOINT'] = authenticator.userdata_url.replace('https://', '')
    spawner.user_uid = auth_state['oauth_user']['cern_uid']
    decoded_token = authenticator._decode_token(auth_state['access_token'])
    spawner.user_roles = authenticator.claim_roles_key(authenticator, decoded_token)
c.KeyCloakAuthenticator.pre_spawn_hook = pre_spawn_hook

#Configure token signature verification
c.KeyCloakAuthenticator.check_signature=True
c.KeyCloakAuthenticator.jwt_signing_algorithms = ["HS256", "RS256"]

# Once a token is refreshed, by default jupyterhub does not trigger a refresh again (triggered when receiving any authenticated request) in `Authenticator.auth_refresh_age` seconds (default 5 minutes)
# If you want to refresh the token less often, and align the refresh to your tokens expiration, which will also trigger the update of the oAuth/OIDC token, this value can be changed:
c.KeyCloakAuthenticator.auth_refresh_age = 900 # 15 minutes

It's also necessary to configure the Client ID and secret. One way of doing this is by setting the following environment variables:

OAUTH_CLIENT_ID=my_id
OAUTH_CLIENT_SECRET=my_secret

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

keycloakauthenticator-4.0.8.tar.gz (8.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

keycloakauthenticator-4.0.8-py3-none-any.whl (8.8 kB view details)

Uploaded Python 3

File details

Details for the file keycloakauthenticator-4.0.8.tar.gz.

File metadata

  • Download URL: keycloakauthenticator-4.0.8.tar.gz
  • Upload date:
  • Size: 8.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for keycloakauthenticator-4.0.8.tar.gz
Algorithm Hash digest
SHA256 e9390bf3ab523463eaa4ad8db97d2195a2bd5673d2a2a73bf96b78436c7842c0
MD5 c03fad2ec89c10c945ff3e70e2eb2a3b
BLAKE2b-256 8b7a85222b4c449e086f70759d2d4ac2fbe9f6059405e62c38b35dd6bc81da24

See more details on using hashes here.

Provenance

The following attestation bundles were made for keycloakauthenticator-4.0.8.tar.gz:

Publisher: release.yml on swan-cern/jupyterhub-extensions

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file keycloakauthenticator-4.0.8-py3-none-any.whl.

File metadata

File hashes

Hashes for keycloakauthenticator-4.0.8-py3-none-any.whl
Algorithm Hash digest
SHA256 7924e32e232685b93e4cf8af8d2ab68fd52fa87adbff6f46ab62381d8706f501
MD5 57f330fedfc4108519eeb9e2390cde4c
BLAKE2b-256 cbd96e35df31debff853a34498960b9f17815ce76da53fd521b4c45c41e45fc0

See more details on using hashes here.

Provenance

The following attestation bundles were made for keycloakauthenticator-4.0.8-py3-none-any.whl:

Publisher: release.yml on swan-cern/jupyterhub-extensions

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page