Logout w. GenericOAuthenticator does not remove cookies
Bug description
We currently use the GenericOAuthenticator together with an internal Keycloak instance and it works reasonably well. However, we noticed that a logout of JupyterHub does not clear the cookies. If the user presses Sign-in after logging out via JupyterHub they get directly taken back to the hub spawn page without going through the actual user login process.
Expected behaviour
Logout from JupyterHub deletes the cookies and the user needs to sign in again afterwards.
Actual behaviour
Logout from JupyterHub does not delete the cookies. A user gets directly taken to the Hub spawn page after clicking sign in again.
How to reproduce
- Logout of the Hub (automatically takes you to the login page)
- On hub login page: Press sign in
- Observe that the hub directly takes you to the spawn page
Your personal set up
- OS: CentOS 7.9
- Version(s): jupyterhub 1.5.0; python 3.6.8
Full environment
alembic==1.7.5
anyio==3.4.0
argon2-cffi==21.1.0
async-generator==1.10
attrs==21.2.0
Babel==2.9.1
backcall==0.2.0
batchspawner==1.1.0
bleach==4.1.0
certifi==2021.10.8
certipy==0.1.3
cffi==1.15.0
charset-normalizer==2.0.8
contextvars==2.4
cryptography==36.0.0
cycler==0.11.0
dataclasses==0.8
decorator==5.1.0
defusedxml==0.7.1
entrypoints==0.3
greenlet==1.1.2
idna==3.3
immutables==0.16
importlib-metadata==4.8.2
importlib-resources==5.4.0
ipykernel==5.5.6
ipython==7.16.2
ipython-genutils==0.2.0
jedi==0.17.2
Jinja2==3.0.3
json5==0.9.6
jsonschema==3.2.0
jupyter-client==7.1.0
jupyter-core==4.9.1
jupyter-server==1.12.1
jupyter-telemetry==0.1.0
jupyterhub==1.5.0
jupyterhub-ldapauthenticator==1.3.2
jupyterlab==3.2.4
jupyterlab-pygments==0.1.2
jupyterlab-server==2.8.2
jupyterthemes==0.20.0
kiwisolver==1.3.1
ldap3==2.9.1
lesscpy==0.15.0
Mako==1.1.6
MarkupSafe==2.0.1
matplotlib==3.3.4
mistune==0.8.4
nbclassic==0.3.4
nbclient==0.5.9
nbconvert==6.0.7
nbformat==5.1.3
nest-asyncio==1.5.1
notebook==6.4.6
numpy==1.19.5
oauthenticator==14.2.0
oauthlib==3.1.1
packaging==21.3
pamela==1.0.0
pandocfilters==1.5.0
parso==0.7.1
pexpect==4.8.0
pickleshare==0.7.5
Pillow==8.4.0
ply==3.11
prometheus-client==0.12.0
prompt-toolkit==3.0.23
ptyprocess==0.7.0
pyasn1==0.4.8
pycparser==2.21
pycurl==7.43.0
Pygments==2.10.0
pyOpenSSL==21.0.0
pyparsing==3.0.6
pyrsistent==0.18.0
python-dateutil==2.8.2
python-json-logger==2.0.2
pytz==2021.3
pyzmq==22.3.0
requests==2.26.0
ruamel.yaml==0.17.17
ruamel.yaml.clib==0.2.6
semver==2.13.0
Send2Trash==1.8.0
six==1.16.0
sniffio==1.2.0
SQLAlchemy==1.4.27
terminado==0.12.1
testpath==0.5.0
tornado==6.1
traitlets==4.3.3
typing_extensions==4.0.0
urllib3==1.26.7
wcwidth==0.2.5
webencodings==0.5.1
websocket-client==1.2.1
wrapspawner==1.0.0
zipp==3.6.0
Configuration
As explained we are using the GenericOAuthenticator. It's a pretty standard configuration. The only things we set in the config are
c.OAuthenticator.client_id = <client id>
c.OAuthenticator.client_secret = <client secret>
c.GenericOAuthenticator.token_url = <token url>
c.GenericOAuthenticator.userdata_url = <userdata url>
c.GenericOAuthenticator.userdata_params = {"state": "state"}
c.GenericOAuthenticator.username_key = "preferred_username"
Logs
# paste relevant logs here, if any
Top GitHub Comments
Can you include the logs? I suspect what is happening is that the user is still logged in to keycloak itself, so the ‘login with keycloak’ results in transparent redirects to keycloak and back to JupyterHub to set new cookies.
I would not expect logging out of JupyterHub to log out of the oauth provider as well. However, you can set

c.GenericOAuthenticator.logout_redirect_url = "https://.../logout"

to redirect to a further logout URL after completing logout of the Hub, if you wish.

There are two of these: JupyterHub’s internal `?next=` and the oauth provider’s `?redirect_uri`. For `?next=`, it’s computed based on the page requested - i.e. if you request `/hub/admin` without a cookie, you will be sent to `/hub/login?next=/hub/admin` and that gets passed around through the login process. It is always a path, and not an absolute URL.

The absolute `redirect_uri=https://.../oauth_callback` sent to keycloak during login is only valid after initiating login by visiting `/hub/oauth_login`. It is set by `OAUTH_CALLBACK_URL` env or by default, computed based on the incoming request (so the hostname matches without needing to be specified). For this case, you’ll need to specify the host in config (whether it comes from env or wherever), because the string is resolved without a Request object available.

If you overrode the LogoutHandler.get, you could compute it based on the request like we do during login, but I don’t think that’s worth it to avoid putting the hostname in an environment variable.
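As an added example (not code from the issue or from the oauthenticator project), here is a small helper for jupyterhub_config.py that builds the logout_redirect_url described above: it points at Keycloak's OIDC end-session endpoint so the provider session ends along with the hub's cookies, and takes the hub's public host from the OAUTH_CALLBACK_URL environment variable rather than from a request. The Keycloak base URL, realm, client id, hostnames and the default callback value are assumed placeholders.

```python
import os
from urllib.parse import urlencode, urlparse


def hub_url_from_callback(callback_url):
    """Derive the hub's public origin from the absolute OAUTH_CALLBACK_URL,
    e.g. https://hub.example.org/hub/oauth_callback -> https://hub.example.org
    (no Request object is available when the config string is resolved)."""
    u = urlparse(callback_url)
    if u.scheme not in ("http", "https") or not u.netloc:
        raise ValueError("OAUTH_CALLBACK_URL must be an absolute URL with a host")
    return f"{u.scheme}://{u.netloc}"


def build_logout_redirect_url(keycloak_base, realm, hub_url, client_id, next_path="/hub/login"):
    """Build the Keycloak logout URL the hub sends the browser to after
    clearing its own cookies, so the next 'Sign in' really asks for credentials.

    keycloak_base: Keycloak origin (assumed, e.g. https://sso.example.org)
    realm:         Keycloak realm name (assumed)
    hub_url:       hub origin from config/env, never from the incoming request
    client_id:     the hub's client id in Keycloak (assumed)
    next_path:     hub path to return to; kept a local path, like ?next=
    """
    if not next_path.startswith("/") or next_path.startswith("//"):
        raise ValueError("next_path must be a local path, not a URL")
    # Assumed endpoint layout of Keycloak's OIDC logout endpoint (older
    # releases prefix it with /auth).
    endpoint = f"{keycloak_base.rstrip('/')}/realms/{realm}/protocol/openid-connect/logout"
    params = {
        # Must also be registered as a valid post-logout redirect URI on the
        # Keycloak client, otherwise Keycloak refuses to redirect there.
        "post_logout_redirect_uri": f"{hub_url.rstrip('/')}{next_path}",
        "client_id": client_id,
    }
    return f"{endpoint}?{urlencode(params)}"


# Assumed default so this file can be imported stand-alone; in production the
# variable is set in the hub's environment.
CALLBACK_URL = os.environ.get("OAUTH_CALLBACK_URL", "https://hub.example.org/hub/oauth_callback")
LOGOUT_URL = build_logout_redirect_url(
    "https://sso.example.org", "jhub", hub_url_from_callback(CALLBACK_URL), "jupyterhub"
)

try:
    c = get_config()  # noqa: F821 - injected by JupyterHub when loading jupyterhub_config.py
except NameError:
    c = None  # imported outside the hub (e.g. in a test); nothing to configure
if c is not None:
    c.GenericOAuthenticator.logout_redirect_url = LOGOUT_URL
```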