[AzureAD] Only allows display name or email #499
Solution#1: :::Example::: #This works to get email to match via sssd and jupyterhub_config.py
Solution#2: :::Example:::
Solution#3: :::Reference:::
Is this actually a bug, or should this issue be marked "enhancement", or is there another tag that would make more sense? Or is the issue at this point in fact neither a bug nor an enhancement request, but rather a concern that the code in oauthenticator works as designed, but we are finding we can use only a handful of AD attributes for the ldap_user_name and c.AzureAdOAuthenticator.username_claim, so we're looking for some help in understanding how we can use others, and that might mean changing something within our AzureAD config to make those attributes available?
You can do this by customizing the token claims without needing an enhancement for the authenticator or calling graph: https://learn.microsoft.com/en-us/azure/active-directory/develop/jwt-claims-customization
Quick view: We want the AzureAD.py oauthenticator to retrieve the username, uid, or sAMAccountName to match sssd.conf, OR an alternate solution.
OS: Ubuntu 18.04
Version: JupyterHub version 2.2.2
Authentication: oauthenticator.azuread.AzureAdOAuthenticator-14.2.0dev
Additional Setup: SSSD > AD > Points to sAMAccountName
Issue: Using c.AzureAdOAuthenticator.username_claim = 'unique_name' retrieves the email or upn. JupyterHub fails to load if that directory does not exist and that user does not have permissions on that directory. It is impossible to create a user with an @ sign. This rules out using email to authenticate. If I remove the username_claim config, it then uses the display name. I was able to get this working by changing the display name to the username, though it breaks some email functionality, so that is not a solution. Ideally I am looking for the right attribute that retrieves the uid or sAMAccountName, so this matches our SSSD > AD integration, OR simply a description of where the missing logic exists.
Jupyterhub_config.py:

```python
## Azure AD MFA Test ##
import os
from oauthenticator.azuread import AzureAdOAuthenticator

c.JupyterHub.authenticator_class = AzureAdOAuthenticator
c.Application.log_level = 'DEBUG'
c.AzureAdOAuthenticator.tenant_id = 'tenant_id_here'
c.AzureAdOAuthenticator.oauth_callback_url = 'https://domain_OR_IP/hub/oauth_callback'
c.AzureAdOAuthenticator.client_id = 'client_id_here'
c.AzureAdOAuthenticator.client_secret = 'client_secret_here'
c.AzureAdOAuthenticator.scope = ['openid', 'profile']
# Comment out the line below to fall back to the display name instead
c.AzureAdOAuthenticator.username_claim = 'unique_name'

### Server Config ###
c.JupyterHub.ssl_key = '/etc/ssl/private/private-ssl.key'
c.JupyterHub.ssl_cert = '/etc/ssl/certs/private-ssl.crt'
c.JupyterHub.ip = 'ip_address_here'
c.JupyterHub.port = 443

### Admin Spawner ###
c.JupyterHub.admin_access = True

### PAM Auth Admins ###
c.PAMAuthenticator.admin_groups = {'sudo'}

### Notebook Idle Shutdown ###
c.ServerApp.shutdown_no_activity_timeout = 60 * 60
c.MappingKernelManager.cull_idle_timeout = 20 * 60
c.MappingKernelManager.cull_interval = 2 * 60
```
sssd.conf:

```ini
[sssd]
domains = domain.com
config_file_version = 2
services = nss, pam, ssh
debug_level = 3

[nss]
debug_level = 3

[pam]
debug_level = 3

[domain/domain.com]
debug_level = 3
enumerate = false
case_sensitive = false
min_id = 100
id_provider = ldap
auth_provider = ldap
access_provider = simple
chpass_provider = ldap
ldap_schema = schema-here
ldap_id_use_start_tls = true
ldap_tls_reqcert = allow
ldap_user_search_base = OU=Users,OU=domain-Users,dc=domain,dc=com
ldap_group_search_base = OU=Groups,OU=domain-Users,dc=domain,dc=com
ldap_user_object_class = user
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_user_gecos = displayName
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
fallback_homedir = /home/%u
default_shell = /bin/bash
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
ldap_uri = ldap://ad-domain.com,ldap://ad-domain.com
ldap_default_bind_dn = CN=AccountName,OU=Service,OU=Users,OU=domain-Users,DC=domain,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = password_here
# Access settings via simple
simple_allow_groups = groups-allowed
```
R&D:
I was experimenting with changing the unique_name attribute (c.AzureAdOAuthenticator.username_claim = 'unique_name') based on the attributes that are available for the Azure OAuth2 scopes listed in the config (c.AzureAdOAuthenticator.scope = ['openid','profile']). I found that most of these attributes are unusable. Please help with this; we have reached a dead end.
['aud', 'iss', 'iat', 'nbf', 'exp', 'amr', 'family_name', 'given_name', 'name', 'oid', 'preferred_username', 'rh', 'sub', 'tid', 'uti', 'ipaddr', 'name', 'oid', 'onprem_sid', 'rh', 'sub', 'tid', 'unique_name', 'upn', 'ver']
aud = Long string of numbers
iss = 403 : Forbidden
iat = 500 : Internal Server Error
nbf = 500 : Internal Server Error
name = 500 : Internal Server Error (does show the name, doesn't work)
uid = 500 : Internal Server Error
preferred_username = 500 : Internal Server Error
sAMAccountName = 500 : Internal Server Error
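As an added example (not code from this issue or from oauthenticator), the step that turns a UPN-style claim into a local login name can be done explicitly and checked against NSS/sssd before any spawner touches a home directory, instead of letting a name containing '@' reach the spawner and fail with a 500. It assumes a constructed decoded ID token using the claim names the issue lists, and that the part before '@' in the UPN matches sAMAccountName, which holds only by convention in a given tenant; where it does not, issuing the real sAMAccountName as a custom claim is the correct fix, and this check refuses rather than guesses.

```python
import pwd
import re
from typing import Optional

# Constructed sample of a decoded Azure AD ID token (not a real token);
# claim names follow the list reported in the issue.
SAMPLE_TOKEN = {
    "aud": "client_id_here",
    "iss": "https://sts.windows.net/tenant_id_here/",
    "name": "Jane Doe",
    "preferred_username": "jane.doe@domain.com",
    "unique_name": "jane.doe@domain.com",
    "upn": "jane.doe@domain.com",
    "oid": "00000000-0000-0000-0000-000000000000",
}

# Conservative POSIX login-name shape: must start with a letter, no '@',
# no spaces or path characters, and at most 20 characters (the
# sAMAccountName length limit for user accounts).
LOCAL_NAME_RE = re.compile(r"^[a-z][a-z0-9._-]{0,19}$")


def claim_to_local_name(token: dict, claim: str = "upn") -> Optional[str]:
    """Derive a candidate local username from a UPN-style claim.

    Keeps the part before '@' and lower-cases it (the sssd.conf in the issue
    sets case_sensitive = false). Returns None when the claim is absent or
    the result is not a safe login name, so callers refuse instead of
    spawning with a malformed username.
    """
    value = token.get(claim)
    if not isinstance(value, str) or not value:
        return None
    local = value.split("@", 1)[0].lower()
    return local if LOCAL_NAME_RE.match(local) else None


def resolve_existing_user(name: str) -> Optional[str]:
    """Return the home directory NSS/sssd reports for name, or None.

    Running this before the spawner starts turns the opaque 500 into a clear
    refusal and guarantees the token maps only to an account sssd knows.
    """
    try:
        return pwd.getpwnam(name).pw_dir
    except KeyError:
        return None
```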