oauthenticator
oauthenticator copied to clipboard
jupyterhub
[Google] Usernames with @: big problems
Bug description
Jupyterhub + dockerspawner (using jupyter stacks) + google oauth with g suite.
Only usernames as school email are recognized in allowed_users list (if using as usernames only substring which is before @ it returns 403 not authorized). That is because more than 1 hosted domain is configured, so google authenticator takes full email as username.
But using full email (included the @) as username leads to numerous errors. The first is: home dir is created not using @ but instead _40, and that triggers next error:
chown: cannot access '/home/[email protected]': No such file or directory
(because the home dir is not created with @ but with _40 instead).
If I rename the home directory in a bash hook, then the next error is:
Bad config encountered during initialization: No such notebook dir: '/home/username_40mydomain_2Ecom/notebooks'
(because I renamed it to workaround the previous error).
Next, if in the same bash hook I add a symlink so both versions of home dir can be found, then next error is "500 : Internal Server Error":
http.cookies.CookieError: Illegal key '[email protected]'
I also tried to remove "@mydomain.com" (which makes no sense as I have more than 1 hosted domains configured, but just to try) from the username in the start(self) method in a subclass of DockerSpawner class in jupyterhub_config.py, but then other errors come.
Expected behaviour
The home dir should be created with @ so the previous error is not happening.
@ in cookies should not raise problems
This could be an issue with another component (the jupyterhub, or with the nb stacks, or with dockerspawner). Please let me know if that is the case.
Actual behaviour
explained above
How to reproduce
Jupyterhub 1.2.2 + oauthenticator==0.12.* + dockerspawner==0.11.* (using jupyter stacks) + google oauth with g suite.
Your personal set up
-
OS: Centos 7
-
Version(s): mentioned above
-
Configuration
# jupyterhub_config.py
-
Logs
# paste relevant logs here, if any
Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! :hugs:
If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other other community members to contribute more effectively.
You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! :wave:
Welcome to the Jupyter community! :tada:
![welcome[bot] avatar](https://avatars.githubusercontent.com/in/4141?v=4 "Published by a pub.dev verified publisher"){kind=small}
Thank you. Any news regarding the use of @ in usernames (i.e. using the full email as username when multiple domains are configured)? Thanks again ;)
Can you provide your jupyterhub_config.py? Path issues should be a problem in the Spawner. How are you creating the home directories?
You can chose to define a custom Authenticator.normalize_username to transform usernames arbitrarily, as long as you pick a scheme that will produce no collisions for you.
For anyone stumbling across this in the future, one solution is to add this to your jupyterhub_config.py:
from oauthenticator.google import GoogleOAuthenticator
class CustomGoogleAuthenticator(GoogleOAuthenticator):
def normalize_username(self, username):
return username.split('@')[0].lower()
c.JupyterHub.authenticator_class = CustomGoogleAuthenticator
c.CustomGoogleAuthenticator.client_id = "$CLIENT_ID"
c.CustomGoogleAuthenticator.client_secret = "$CLIENT_SECRET"
c.CustomGoogleAuthenticator.oauth_callback_url = "$SERVER_URL/hub/oauth_callback"
Or whatever is an acceptable normalizer for your org. By the way, for The Littlest Jupyterhub users, this goes in a .py file (with any name) inside /opt/tljh/config/jupyterhub_config.d/, and then you can just run sudo tljh-config reload hub.
