JupyterHub Authentication



# Set a whitelist in jupyterhub_config.py
c.Authenticator.whitelist = { 'foo', 'bar' }


c.Authenticator.admin_users = { 'foo' }
# Admins may have permission to log in as other users on their respective machines, for debugging.
# As a courtesy, you should make sure your users know if admin_access is enabled.
JupyterHub.admin_access = True


A typical configuration is PAM. For this authentication, double-check that your environment is correctly setup.

# See also https://github.com/jupyterhub/jupyterhub/wiki/Using-sudo-to-run-JupyterHub-without-root-privileges
sudo chmod +r /etc/shadow
sudo usermod -a -G shadow $USER
# Should return None in case of successful authentication.
sudo -u $USER python3 -c "import pamela, getpass; print(pamela.authenticate('$USER', getpass.getpass()))"
import os, pamela
username = os.environ['USER']
password = '<your_password>'
service = 'login'
    print("PAM Authentication test. username = {0} and service = {1}".format(username, service))
    pamela.authenticate(username, password, service)
except pamela.PAMError as e:
    print("PAM Authentication failed: {0}".format(e))
# Create local users if needed by the Authenticator.
export NEW_USER=foo@gmail.com
# --home /home/$NEW_USER
# --force-badname
adduser -q --gecos "" --disabled-password $NEW_USER


pip3 install oauthenticator
open https://console.developers.google.com/apis/credentials
export OAUTH_CALLBACK_URL=http://localhost:8000/hub/oauth_callback
export OAUTH_CLIENT_ID=<id>
export OAUTH_CLIENT_SECRET=<secret>
# jupyterhub_config.py
c.JupyterHub.authenticator_class = 'oauthenticator.google.GoogleOAuthenticator'
c.DockerSpawner.image = 'jupyter/scipy-notebook:8f56e3c47fec'

OAuth Provider

OpenID Connect

OpenID Connect is an identity layer on top of the OAuth 2.0 protocol, implemented by various servers and services.

While OpenID Connect endpoint discovery is not supported by oauthentiator, you can still configure JupyterHub to authenticate with OpenID Connect providers by specifying all endpoints in GenericOAuthenticator.

By setting login_service you can customize the label on the login button.

Here's an example for authenticating against keycloak, after you configure an OIDC Client and obtain the confidential client credentials.

       OAUTH2_AUTHORIZE_URL: https://${host}/auth/realms/${realm}/protocol/openid-connect/auth
       OAUTH2_TOKEN_URL: https://${host}/auth/realms/${realm}/protocol/openid-connect/token
     type: custom
       className: oauthenticator.generic.GenericOAuthenticator
         login_service: "keycloak"
         client_id: "y0urc1logonc1ient1d"
         client_secret: "an0ther1ongs3cretstr1ng"
         token_url: https://${host}/auth/realms/${realm}/protocol/openid-connect/token
         userdata_url: https://${host}/auth/realms/${realm}/protocol/openid-connect/userinfo
         userdata_method: GET
         userdata_params: {'state': 'state'}
         username_key: preferred_username

results matching ""

    No results matching ""