-
Notifications
You must be signed in to change notification settings - Fork 367
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Option to extract additional token in generic OAuth2 authenticator #487
Comments
Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! 🤗 |
Do you think we could add the entire oauthenticator/oauthenticator/generic.py Lines 138 to 151 in 3bcb7a7
|
That seems sensible also. Certainly simplifies things. |
@manics @michaeljfazio The OAuthenticator hasn't had any releases since 15.1. There has been a major refactoring in the subsystem since the last release, and to me it seems as some of the refactorings now include the id_token as well? @GeorgianaElena @consideRatio can we expect some releases of this soon? It would help us out a lot :-) |
I second this feature request. For context, OIDC is the widely-used authentication standard built on top of the OAuth authorisation standard, and OIDC offers two separate avenues for retrieving information regarding the user: an ID token and a UserInfo endpoint. The process is:
I think JupyterHub should give admins the choice of whether to use claims from the UserInfo endpoint (step 4) versus from the ID token (step 3). In the latter choice, the hub could entirely skip the final network request, but would instead be responsible for decoding (and validating) the ID token to extract its claims. Some identity providers will supply different sets of claims via each of these two avenues, for example, AWS Cognito currently provides Currently GenericOAuthenticator discards the ID token and loads only the UserInfo response into the |
Thanks for the detailed writeup! I think including the id token makes sense, especially for OIDC, and further reinforces that having an actual OIDCAuthenticator which can make the appropriate assumptions that generic OAuth can't is a thing we should have (#254). |
I agree with @benjimin's proposal. There could be a few options exposed as a
Where the last two options merge the results from the userinfo endpoint and the ID token payload. |
I've created a PR (#725) proposing that if Note, It looks like it had already been possible (as of v16 as alluded by @GeorgianaElena) for spawner hooks etc to access the raw id token via Not wanting to overcook things in absence of use-cases, this PR doesn't introduce any novel merge functionality (apologies @nocnokneo), and tries to keep the configuration complexity to a minimum. It certainly doesn't introduce full OIDC support (discovery mechanisms etc) like #254. |
Proposed change
I would like to extract an OIDC ID token in auth_state_hook. This seems like it should be straight forward when using the generic authenticator however it is not OIDC friendly. Specifically, it does not provide an easy way to extract the id_token.
Alternative options
Option 1: Allow users to specify additional tokens to be extracted into auth state (e.g. c.LocalGenericOAuthenticator.extra_tokens['id_token']
Option 2. Automatically detect if the token response contains an "id_token" and add it to the auth_state implicitly.
Who would use this feature?
In my case this is useful so that I can take the id_token and use it to register federated users in an identity pool before converting it to temporary AWS credentials server side using something like this auth hook:
The text was updated successfully, but these errors were encountered: