[Generic] Support custom ca_certs bundle in GenericOAuthenticator

Open nngo opened this issue 3 years ago • 3 comments

Add support to use a custom certificate authority (CA) bundle for talking to GenericOAuthenticator (OAuth2) and overridable via OAUTH2_CA_CERTS environment variable without having to disable certificate validation with OAUTH2_TLS_VERIFY=0 env.

Otherwise get the following error:

  • tornado.curl_httpclient.CurlError: HTTP 599: SSL certificate problem: unable to get local issuer certificate

nngo avatar Feb 24 '22 21:02 nngo

Thanks for submitting your first pull request! You are awesome! :hugs:
If you haven't done so already, check out Jupyter's Code of Conduct. Also, please make sure you followed the pull request template, as this will help us review your contribution more quickly. You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! :wave:
Welcome to the Jupyter community! :tada:

welcome[bot] avatar Feb 24 '22 21:02 welcome[bot]

@consideRatio can you look at this PR?

nngo avatar Apr 05 '22 15:04 nngo

My end goal is for this updated oauthenticator library to get used by the jupyterhub/k8s-hub image, so that I can inject my ca-certs there properly while running under K8s, and this is the last place to get that to work with using an oauth2 for login for my K8s cert-manager/cluster issued ca-certs.

nngo avatar Apr 07 '22 15:04 nngo

Is this PR still active? We are considering building a fork just for this feature but we'd rather use an official version.

jgprogramming avatar May 17 '23 15:05 jgprogramming

There are some unresolved issues, and this repository has undergone some refactoring so this would need careful testing.

However, we may not need this PR anymore. https://github.com/jupyterhub/oauthenticator/pull/578 adds support for all Tornado request parameters: https://www.tornadoweb.org/en/stable/httpclient.html#request-objects

manics avatar May 17 '23 16:05 manics

@nngo thank you for working on this!!

I'm hopeful that you can use custom certificates without configuring the authenticator specifically, but by configuring tornado running in JupyterHub via #614, and add your certificates to the jupyterhub pod via hub.extraFiles chart config.

It would be great to know if this did the trick for you!

consideRatio avatar May 18 '23 13:05 consideRatio
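
An added example, not part of this thread or of oauthenticator's code: one way to turn the two environment variables discussed above into the `validate_cert` and `ca_certs` arguments of a Tornado `HTTPRequest`, checking the bundle at startup instead of at first login. The function name `tls_request_kwargs`, the accepted "off" values for `OAUTH2_TLS_VERIFY`, and the choice to reject a bundle combined with disabled verification are assumptions made for this sketch.

```python
import os
import ssl

# Assumption: these spellings of OAUTH2_TLS_VERIFY mean "do not verify".
_OFF = {"0", "false", "no"}


def tls_request_kwargs(env=None):
    """Build TLS-related kwargs for tornado.httpclient.HTTPRequest.

    OAUTH2_CA_CERTS   path to a PEM bundle holding the private CA chain
    OAUTH2_TLS_VERIFY "0" disables certificate validation (last resort)
    """
    env = os.environ if env is None else env
    verify = env.get("OAUTH2_TLS_VERIFY", "1").strip().lower() not in _OFF
    ca_certs = (env.get("OAUTH2_CA_CERTS") or "").strip()

    if ca_certs and not verify:
        # A bundle is pointless once validation is off; treat the
        # combination as a configuration error rather than guess.
        raise ValueError(
            "OAUTH2_CA_CERTS is set but OAUTH2_TLS_VERIFY disables validation"
        )

    kwargs = {"validate_cert": verify}
    if ca_certs:
        # Load the bundle once so a missing or malformed file fails here
        # (FileNotFoundError / ssl.SSLError), not as HTTP 599 during login.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=ca_certs)
        kwargs["ca_certs"] = ca_certs
    return kwargs


if __name__ == "__main__":
    # Prints the kwargs derived from the current process environment.
    print(tls_request_kwargs())
```

The returned dictionary is meant to be merged into the keyword arguments of each outgoing request to the OAuth2 provider, so validation stays on while the private CA is trusted.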