Can't connect jupyterhub to keycloak and getting ERR_TOO_MANY_REDIRECTS

I'm trying to set up jupyterhub on vagrant, but after I connected (I think) the authentication to keycloak, I got the ERR_TOO_MANY_REDIRECTS error in my browser after clicking the oauth2 button. Is it a problem with my jupyterhub_config.py or a wrong oauth_callback_url?

My keycloak init:

cd $KEYCLOAK_PATH/bin && sudo bash add-user-keycloak.sh -u admin -p admin
cd $KEYCLOAK_PATH/bin && sudo nohup ./standalone.sh -Djboss.bind.address.management=0.0.0.0 -Djboss.socket.binding.port-offset=100 -Djboss.bind.address=0.0.0.0 > $KEYCLOAK_LOGS/keycloak.log 2>&1 &

My jupyterhub_config.py:

c.Authenticator.admin_users = {'vagrant'}
from oauthenticator.generic import GenericOAuthenticator
c.JupyterHub.authenticator_class = GenericOAuthenticator
c.GenericOAuthenticator.oauth_callback_url = 'http://0.0.0.0:8180/auth/realms/testrealm/protocol/openid-connect/auth'
c.GenericOAuthenticator.client_id = 'oauth-secret'
c.GenericOAuthenticator.client_secret = ''
c.GenericOAuthenticator.token_url = 'http://0.0.0.0:8180/auth/realms/testrealm/protocol/openid-connect/token'
c.GenericOAuthenticator.userdata_url = 'http://0.0.0.0:8180/auth/realms/testrealm/protocol/openid-connect/userinfo'

Forwarded ports from Vagrantfile:

config.vm.network "forwarded_port", guest: 8000, host: 8000
config.vm.network "forwarded_port", guest: 8001, host: 8001
config.vm.network "forwarded_port", guest: 8081, host: 8081

Some of the redirects:

[I 2020-10-23 08:25:51.287 JupyterHub oauth2:103] OAuth redirect: 'http://0.0.0.0:8180/auth/realms/testrealm/protocol/openid-connect/auth'
[I 2020-10-23 08:25:51.290 JupyterHub log:174] 302 GET /hub/oauth_login?response_type=code&redirect_uri=http%3A%2F%2F0.0.0.0%3A8180%2Fauth%2Frealms%2Ftestrealm%2Fprotocol%2Fopenid-connect%2Fauth&client_id=oauth-secret&state=[secret] -> ?response_type=code&redirect_uri=http%3A%2F%2F0.0.0.0%3A8180%2Fauth%2Frealms%2Ftestrealm%2Fprotocol%2Fopenid-connect%2Fauth&client_id=oauth-secret&state=[secret] (@10.0.2.2) 3.66ms
[I 2020-10-23 08:25:51.307 JupyterHub oauth2:103] OAuth redirect: 'http://0.0.0.0:8180/auth/realms/testrealm/protocol/openid-connect/auth'
[I 2020-10-23 08:25:51.311 JupyterHub log:174] 302 GET /hub/oauth_login?response_type=code&redirect_uri=http%3A%2F%2F0.0.0.0%3A8180%2Fauth%2Frealms%2Ftestrealm%2Fprotocol%2Fopenid-connect%2Fauth&client_id=oauth-secret&state=[secret] -> ?response_type=code&redirect_uri=http%3A%2F%2F0.0.0.0%3A8180%2Fauth%2Frealms%2Ftestrealm%2Fprotocol%2Fopenid-connect%2Fauth&client_id=oauth-secret&state=[secret] (@10.0.2.2) 4.66ms
[I 2020-10-23 08:25:51.326 JupyterHub oauth2:103] OAuth redirect: 'http://0.0.0.0:8180/auth/realms/testrealm/protocol/openid-connect/auth'
[I 2020-10-23 08:25:51.329 JupyterHub log:174] 302 GET /hub/oauth_login?response_type=code&redirect_uri=http%3A%2F%2F0.0.0.0%3A8180%2Fauth%2Frealms%2Ftestrealm%2Fprotocol%2Fopenid-connect%2Fauth&client_id=oauth-secret&state=[secret] -> ?response_type=code&redirect_uri=http%3A%2F%2F0.0.0.0%3A8180%2Fauth%2Frealms%2Ftestrealm%2Fprotocol%2Fopenid-connect%2Fauth&client_id=oauth-secret&state=[secret] (@10.0.2.2) 4.80ms

TL;DR: Set the OAUTH2_AUTHORIZE_URL and OAUTH2_TOKEN_URL environment variables to the appropriate URLs, which you can find in your identity provider (i.e. KeyCloak).

I've been scratching my head with this one for a bit... As you see in your own logs, JupyterHub somehow believes it is the one responsible for authenticating a user, but it also says that, after authentication, the user should be redirected back to itself (that's what the oauth_callback_url is saying). This leads to the JupyterHub server calling itself in a recursive way until the browser gives up.

I assume you are running both KeyCloak and JupyterHub on the same VM, which you provisioned with vagrant. If that's the case, consider replacing the 0.0.0.0 bits with 127.0.0.1. Otherwise, try to change 0.0.0.0 to the IPv4 address where KeyCloak can be reached for c.GenericOAuthenticator.userdata_url and c.GenericOAuthenticator.token_url. When things aren't working as they should, it's usually a good idea to avoid wildcards and the like to narrow down where the problem lies...

The address where the JupyterHub instance lives should be included for c.GenericOAuthenticator.oauth_callback_url and, on top of that, you should point it back to the JupyterHub instance. In my case, that would be <jupyterhub-ip>:<jupyterhub-port>/hub/oauth_callback. Remember that this member is telling KeyCloak where it should contact JupyterHub during the authentication flow.

In any case, the only thing for us to do is point JupyterHub to the KeyCloak instance. If you take a look at this snippet from JupyterHub's OAuthenticator, you'll find that the default value for the authorize_url is extracted from an environment variable named OAUTH2_AUTHORIZE_URL. I'm not really confident about what the @default decorator does, but I do know that manually setting the value of authorize_url in the configuration file didn't work for me...

You just need to export the aforementioned environment value and that should be the end of it. You can do so with:

export OAUTH2_AUTHORIZE_URL="https://<keycloak-ip>:<keycloak-port>/auth/realms/testrealm/protocol/openid-connect/auth"

I have also exported the token URL through the OAUTH2_TOKEN_URL variable in pretty much the same way, with a value equivalent to what you have in your configuration (once you change the 0.0.0.0 IP address). The GitHub issue that helped me

Make sure these variables are visible to the JupyterHub process. I was running The Littlest JupyterHub and I had to include them in the appropriate unit file (/etc/systemd/system/jupyterhub.service) like below:

Environment=OAUTH2_AUTHORIZE_URL=https://<keycloak-ip>:<keycloak-port>/auth/realms/<realm-name>/protocol/openid-connect/auth
Environment=OAUTH2_TOKEN_URL=https://<keycloak-ip>:<keycloak-port>/auth/realms/<realm-name>/protocol/openid-connect/token

Remember to run systemctl daemon-reload and systemctl restart jupyterlab if that's your scenario...

Coming now to an end, the key idea is to set the appropriate environment variables so that things behave as they should...

PD: I might be missing something with the @default decorator, but I would rather set an environment variable than get down to brass tacks with python for this kind of issue...

If you have any further questions feel free to fire away!
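A pre-flight check for the URL mix-up discussed in this thread, as an added example that is not part of the original posts and not code from JupyterHub or OAuthenticator. The function name check_oauth_urls and the corrected hub address 127.0.0.1:8000 are assumptions; the "question" values are the ones posted above, with authorize_url empty because it was never set.

```python
from urllib.parse import urlsplit

WILDCARD_HOSTS = {"0.0.0.0", "::"}  # bind addresses, not reachable destinations

def check_oauth_urls(callback_url, authorize_url, token_url, userdata_url):
    """Return findings for a GenericOAuthenticator-style set of URLs."""
    findings = []
    idp = {"authorize_url": authorize_url, "token_url": token_url,
           "userdata_url": userdata_url}

    # With no authorize URL the login redirect is relative ("?response_type=..."),
    # so the browser lands on /hub/oauth_login again and loops.
    if not authorize_url:
        findings.append("authorize_url is empty: login redirects back to the hub")

    cb = urlsplit(callback_url)
    # The callback is where the IdP sends the browser back: it must be the hub.
    if not cb.path.rstrip("/").endswith("/hub/oauth_callback"):
        findings.append("oauth_callback_url does not end in /hub/oauth_callback")
    if cb.netloc in {urlsplit(u).netloc for u in idp.values() if u}:
        findings.append("oauth_callback_url points at the identity provider")

    for name, url in [("oauth_callback_url", callback_url), *idp.items()]:
        host = urlsplit(url).hostname if url else None
        if host in WILDCARD_HOSTS:
            findings.append(f"{name} uses wildcard host {host}")
    return findings

KC = "http://{host}:8180/auth/realms/testrealm/protocol/openid-connect/{ep}"

# Values as posted in the question; authorize_url was never set there.
QUESTION = dict(
    callback_url=KC.format(host="0.0.0.0", ep="auth"),
    authorize_url="",
    token_url=KC.format(host="0.0.0.0", ep="token"),
    userdata_url=KC.format(host="0.0.0.0", ep="userinfo"),
)
# Constructed corrected values: hub assumed on 127.0.0.1:8000, Keycloak on :8180.
FIXED = dict(
    callback_url="http://127.0.0.1:8000/hub/oauth_callback",
    authorize_url=KC.format(host="127.0.0.1", ep="auth"),
    token_url=KC.format(host="127.0.0.1", ep="token"),
    userdata_url=KC.format(host="127.0.0.1", ep="userinfo"),
)

if __name__ == "__main__":
    for label, cfg in (("question", QUESTION), ("fixed", FIXED)):
        print(label, check_oauth_urls(**cfg))
```

The host comparison assumes the hub and Keycloak are served from different host:port pairs; behind a shared reverse proxy that check would need to compare paths instead.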
