JupyterHub Azure OAuth issues #7588

Open
MarcSkovMadsen opened this issue Jan 5, 2025 · 4 comments
Comments

@MarcSkovMadsen
Collaborator

MarcSkovMadsen commented Jan 5, 2025

panel==1.5.5

I'm trying to add azure oauth to my Panel application. I'm developing and testing in VS Code on my JupyterHub.

Setup

```python
import panel as pn

pn.extension()

user = pn.state.user or "Guest User"

pn.panel(user).servable()
```

Without oauth, I would serve this via

```
panel serve script.py --index script
```

And I would be able to open the application at

https://my-domain/workspace/user/userid/vscode/proxy/5006/
and
https://my-domain/workspace/user/userid/vscode/proxy/5006/script

Azure OAuth works on my laptop

It works on my laptop served with:

```
panel serve script.py --index script --oauth-provider=azure --oauth-key='********-****-****-****-************' --oauth-secret='******************************' --cookie-secret='********************************' --oauth-encryption-key='********************************' --oauth-extra-params "{'tenant': '********-****-****-****-************'}"
```

Issues

Coming in separate posts below

@MarcSkovMadsen
Collaborator Author

MarcSkovMadsen commented Jan 5, 2025

1. Does not use https without --oauth-redirect

If I try to serve oauth without --oauth-redirect, Azure complains that the http (not https) URL is not valid:

```
AADSTS50011: The redirect URI 'http://<my-domain>' specified in the request does not match the redirect URIs configured for the application
```

```
panel serve script.py --index script --oauth-provider=azure --oauth-key='********-****-****-****-************' --oauth-secret='******************************' --cookie-secret='************************************' --oauth-encryption-key='************************************' --oauth-extra-params "{'tenant': '********-****-****-****-************'}"
```

I do believe Panel should have been providing an https URL instead of an http one by default.
And my guess is that the redirect URI should not go to the domain alone but include the full path?

Investigating this I see

[screenshot]

[screenshot]

Don't know where the http is coming from? (I clicked the login on the logout page).

@MarcSkovMadsen
Collaborator Author

MarcSkovMadsen commented Jan 5, 2025

2. Get 502 Bad Gateway when adding --oauth-redirect-uri

I

  • add --oauth-redirect-uri=https://my-domain/workspace/user/userid/vscode/proxy/5006/
  • open https://my-domain/workspace/user/userid/vscode/proxy/5006/
  • see the browser redirecting to https://my-domain/workspace/user/userid/vscode/proxy/5006/login?next=%2F%3Fcode%3D1.AV0A...
  • see 502 Bad Gateway

[screenshot]

```
panel serve script.py --index script --oauth-provider=azure --oauth-key='********-****-****-****-************' --oauth-secret='******************************' --cookie-secret='************************************' --oauth-encryption-key='************************************' --oauth-extra-params "{'tenant': '********-****-****-****-************'}"
--oauth-redirect-uri=https://my-domain/workspace/user/userid/vscode/proxy/5006/
```

If I click enter in the url https://my-domain/workspace/user/userid/vscode/proxy/5006/login?next=%2F%3Fcode%3D1.AV0A... to reload then the page actually loads:

[screenshot]

```
2025-01-05 16:28:36,043 ERROR: panel.auth - AzureAd OAuth provider returned a HTTP 400: Bad Request error. The full response was: {'error': 'invalid_grant', 'error_description': 'AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token. Trace ID:....
```

When I open the logout endpoint it works without issues

[screenshot]

I also tried adding --login-endpoint="signin" --logout-endpoint="signout" to see if the login part of the url is the problem. But I still got 502 error.

I'm now thinking that maybe the ?next=%2F part of the url could be the problem. That it is somehow picked up by nginx or the reverse proxy?

But if I serve with

```
panel serve script.py --index script
```

And try to open with the ?next=... query args there is no problem.

[screenshot]

@MarcSkovMadsen
Collaborator Author

There is a discussion here mentioning the "buffer size" as the issue https://discourse.holoviz.org/t/oauth-redirect-uri/5182. I will ask the support team about that.

@philippjfr
Member

OAuth + Jupyter Proxy definitely seems like a combination that has probably not been exercised well or at all, since usually you'd expect the JupyterHub to handle the authentication part.

> Don't know where the http is coming from? (I clicked the login on the logout page).

Suspect one of the proxies is performing SSL termination so that Panel only ever sees an HTTP request.
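How an application behind a TLS-terminating proxy should derive the externally visible redirect URI, as an added example that is not part of this thread or of Panel's own code; the X-Forwarded-* header names, the host values and the path prefix are assumptions/constructed, and the path prefix stripped by the proxy is passed explicitly because it cannot be recovered from the request itself.

```python
# Added example, not Panel's code: derive the externally visible OAuth
# redirect URI when a TLS-terminating reverse proxy (the JupyterHub/VS Code
# proxy in this issue) forwards plain HTTP to the app. Header names follow
# the de-facto X-Forwarded-* convention; hosts and prefix are constructed.
from urllib.parse import urlunsplit


def build_redirect_uri(headers, request_host, request_scheme, login_path,
                       external_prefix="", trust_proxy_headers=False):
    """Return the redirect URI the identity provider will compare, byte for
    byte, against the registered one.

    headers:             incoming request headers (any case)
    request_host/scheme: what the app itself sees on its own socket
    login_path:          path the provider posts the authorization code to
    external_prefix:     path prefix the proxy strips before forwarding; it
                         has to be configured (as --oauth-redirect-uri does)
    trust_proxy_headers: honour X-Forwarded-* only when deliberately deployed
                         behind a trusted proxy; any client can send them.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    scheme, host = request_scheme, request_host
    if trust_proxy_headers:
        # Chained proxies append values; the first entry is the hop the
        # browser actually spoke to.
        fwd_proto = lower.get("x-forwarded-proto", "").split(",")[0].strip()
        fwd_host = lower.get("x-forwarded-host", "").split(",")[0].strip()
        scheme = fwd_proto or scheme
        host = fwd_host or host
    if scheme not in ("http", "https"):
        raise ValueError(f"unexpected scheme {scheme!r}")
    path = external_prefix.rstrip("/") + "/" + login_path.lstrip("/")
    return urlunsplit((scheme, host, path, "", ""))


# Constructed request as the app would see it behind the proxy in this issue.
PROXIED_HEADERS = {"Host": "127.0.0.1:5006", "X-Forwarded-Proto": "https",
                   "X-Forwarded-Host": "my-domain"}
PREFIX = "/workspace/user/userid/vscode/proxy/5006"

if __name__ == "__main__":
    # Ignoring the proxy yields an http:// URI of the kind Azure rejected.
    print(build_redirect_uri(PROXIED_HEADERS, "127.0.0.1:5006", "http", "login"))
    # Trusting the proxy and adding the stripped prefix yields the public one.
    print(build_redirect_uri(PROXIED_HEADERS, "127.0.0.1:5006", "http", "login",
                             PREFIX, trust_proxy_headers=True))
```

Whether a proxy really strips the prefix and sets these headers has to be confirmed against that proxy's configuration; the function only shows what the app can and cannot learn from the request it receives.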
