JupyterHub OAuth to Azure Government #784

Open
breauxaj opened this issue Feb 6, 2025 · 1 comment

breauxaj commented Feb 6, 2025

Bug description

Configured AzureAdOAuthenticator with an App Registration, but seeing this error in logs after login attempt:

Error fetching 400 POST https://login.microsoftonline.com//oauth2/token

But that URL doesn't make sense since we're an Azure Gov customer, and the URL should be

https://login.microsoftonline.us/

Suggesting that the URL is assumed/hardcoded?

How to reproduce

After Azure Login, the error (truncated to not disclose sensitive info)

500 : Internal Server Error

In the hub logs

"error": "invalid_request",
"error_codes": [
900432
],
"error_description": "AADSTS900432: Confidential Client is not supported in Cross Cloud request.

Expected behaviour

Successful login, access to the app

Actual behaviour

Generates a 500 error in browser and logs

Traceback (most recent call last):
  File "/usr/local/lib/python3.12/site-packages/tornado/web.py", line 1790, in _execute
    result = await result
             ^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/oauthenticator/oauth2.py", line 245, in get
    user = await self.login_user()
           ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/jupyterhub/handlers/base.py", line 964, in login_user
    authenticated = await self.authenticate(data)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/jupyterhub/auth.py", line 688, in get_authenticated_user
    authenticated = await maybe_future(self.authenticate(handler, data))
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/oauthenticator/oauth2.py", line 1316, in authenticate
    token_info = await self.get_token_info(handler, access_token_params)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/oauthenticator/oauth2.py", line 1092, in get_token_info
    token_info = await self.httpfetch(
                 ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/oauthenticator/oauth2.py", line 892, in httpfetch
    return await self.fetch(
           ^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/oauthenticator/oauth2.py", line 858, in fetch
    raise e
  File "/usr/local/lib/python3.12/site-packages/oauthenticator/oauth2.py", line 837, in fetch
    resp = await self.http_client.fetch(req, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
tornado.httpclient.HTTPClientError: HTTP 400: Bad Request 

Your personal set up

Internal Kubernetes deployment

breauxaj added the bug label Feb 6, 2025
manics transferred this issue from jupyterhub/zero-to-jupyterhub-k8s Feb 6, 2025

breauxaj commented Feb 6, 2025

Looks like the values are hard-coded:

./oauthenticator/tests/test_azuread.py: host=['login.microsoftonline.com'],
./oauthenticator/tests/test_azuread.py: "iss": f"https://login.microsoftonline.com/{tenant_id}/v2.0",
./oauthenticator/azuread.py: return f"https://login.microsoftonline.com/{self.tenant_id}/oauth2/authorize"
./oauthenticator/azuread.py: return f"https://login.microsoftonline.com/{self.tenant_id}/oauth2/token"
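
A preflight check for the cross-cloud mismatch reported above, as an added example (not code from the reporter or from the oauthenticator project): it builds authorize/token endpoints in the path shape the grep output shows and flags any configured endpoint whose host is not the expected cloud's authority host. The function names, the cloud keys and the sample tenant ID are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Authority hosts per cloud. Both hosts appear in the issue above;
# the dictionary keys are names made up for this example.
AUTHORITY_HOSTS = {
    "public": "login.microsoftonline.com",
    "usgov": "login.microsoftonline.us",
}


def endpoints_for(cloud, tenant_id):
    """Build authorize/token URLs in the path shape shown in the grep output."""
    if not tenant_id:
        # An empty tenant would produce a "//oauth2/..." path.
        raise ValueError("tenant_id is empty")
    base = f"https://{AUTHORITY_HOSTS[cloud]}/{tenant_id}/oauth2"
    return {"authorize_url": f"{base}/authorize", "token_url": f"{base}/token"}


def cross_cloud_findings(expected_cloud, configured):
    """Return one finding per URL that is not https on the expected cloud's host."""
    expected_host = AUTHORITY_HOSTS[expected_cloud]
    findings = []
    for name, url in sorted(configured.items()):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            findings.append(f"{name}: scheme is {parts.scheme!r}, expected https")
        elif host != expected_host:
            # Exact comparison, so look-alike hosts that merely contain
            # the expected name are reported too.
            findings.append(f"{name}: host {host} is not {expected_host}")
    return findings


# Constructed sample: placeholder tenant, deployment expected to use Azure
# Government while the endpoints still point at the public-cloud host.
SAMPLE_TENANT = "00000000-0000-0000-0000-000000000000"
DEFAULTS = endpoints_for("public", SAMPLE_TENANT)

if __name__ == "__main__":
    for finding in cross_cloud_findings("usgov", DEFAULTS):
        print(finding)
    print(endpoints_for("usgov", SAMPLE_TENANT)["token_url"])
```

The URLs returned for `usgov` are the kind of values that could be supplied to the authenticator's `authorize_url` and `token_url` settings; this page does not confirm whether that alone resolves the report.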
