[Auth0] Using Auth0 usernames instead of email addresses

OK, I attempted to set up the generic Oauth authenticator, using the following settings (these are from TLJH config):

auth:
  type: oauthenticator.generic.GenericOAuthenticator
  GenericOAuthenticator:
    client_id: [REMOVED]
    client_secret: [REMOVED]
    oauth_callback_url: https://jupyter.mnstate.edu/hub/oauth_callback
    token_url: https://msumjupyter.auth0.com/oauth/token

and this just seems to generate a ERR_TOO_MANY_REDIRECTS in Chrome. 😦

I also, as a brute force approach, tried to edit my auth0.py file and replaced 'name': resp_json["email”] with 'name': resp_json["username”] but that triggered a 500 Server error, the TLJH logs indicating that this is because

File "/opt/tljh/hub/lib/python3.6/site-packages/oauthenticator/auth0.py", line 99, in authenticate
 'name': resp_json["username"],
 KeyError: 'username'

I would really appreciate if someone can find some way to use Auth0 usernames as the account names for JupyterHub.

Writing this out after working through this myself…

You’ll need to check that your scope actually includes the username, and that auth0 is returning a username (which will depend on what you’re using to authenticate with auth0 itself). A scope defines what information will be returned about the user.

There are three ‘scopes’ available with auth0: openid, email and profile. It’s likely you’re using the first two and need to add ‘profile’ by specifying this in your jupyterhub_config.py:

c.Auth0OAuthenticator.scope = ['openid', 'email', 'profile']

This will expose these fields in the auth0 userinfo response: name, family_name, given_name, middle_name, nickname, picture, and updated_at

From my brief testing with auth0’s built-in user database (as opposed to connecting to a third-party auth platform), the ‘username’ field appears to be exposed as ‘nickname’ in the /userinfo response:

{"sub": "auth0|12345", "nickname": "myusernamehere", "name": "myemail@email.com", "picture": "", "updated_at": "2019-11-07T13:33:58.827Z", "email": "myemail@email.com", "email_verified": false}

…and so, after including the ‘profile’ scope in jupyterhub_config.py, I could reference this username in auth0.py by replacing email with ‘nickname’:

        return {
            'name': resp_json["nickname"],
            'auth_state': {
                'access_token': access_token,
                'auth0_user': resp_json,
            }
        }

If you’re using a different source for authentication (e.g. Active Directory, Google, Facebook), it’s possible you’ll need to do some playing to see if the username is exposed in the ‘profile’ scope, or if you need to expose it manually using auth0 rules (which is a whole other game).

To help see the actual response JupyterHub is getting from auth0, I found it easy to just dump this to a file by adding this code…

        with open('/home/jamie/auth0data.json', 'w') as f:
             json.dump(resp_json, f)

…after:

        # Determine who the logged in user is
        headers={"Accept": "application/json",
                 "User-Agent": "JupyterHub",
                 "Authorization": "Bearer {}".format(access_token)
        }
	req = HTTPRequest("https://%s.auth0.com/userinfo" % AUTH0_SUBDOMAIN,
                          method="GET",
                          headers=headers
                          )
        resp = await http_client.fetch(req)
        resp_json = json.loads(resp.body.decode('utf8', 'replace'))

…which just dumps the json response into a file in my home directory.

More reading: https://auth0.com/docs/scopes/current/oidc-scopes

Best of luck!