.. _howto/auth/awscognito:

==============================
Authenticate using AWS Cognito
==============================

The **AWS Cognito Authenticator** lets users log into your JupyterHub using
Cognito user pools. To do so, you'll first need to register and configure a
Cognito user pool and app, and then provide information about this
application to your ``tljh`` configuration.

Create an AWS Cognito application
=========================================

#. Create a user pool by following `Getting Started with User Pool <https://docs.aws.amazon.com/cognito/latest/developerguide/getting-started-with-cognito-user-pools.html>`_.

When you have completed creating a user pool, app, and domain, you should have the following settings available to you:

* **App client id**: From the App client page

* **App client secret**: From the App client page

* **Callback URL**: This should be the domain you are hosting your server on::

    http(s)://<my-tljh-ip-address>/hub/oauth_callback

* **Signout URL**: This is the landing page for a user when they are not logged on::

    http(s)://<my-tljh-ip-address>

* **Auth Domain**: Create an auth domain, e.g. <my_jupyter_hub>::

    https://<my_jupyter_hub>.auth.eu-west-1.amazoncognito.com

Install and configure an AWS EC2 Instance with userdata
=======================================================

By adding the following script to the EC2 instance user data, you should be
able to configure the instance automatically. Replace the relevant placeholders::

    #!/bin/bash
    ##############################################
    # Ensure tljh is up to date
    ##############################################
    curl -L https://tljh.jupyter.org/bootstrap.py \
      | sudo python3 - \
        --admin insightadmin

    ##############################################
    # Setup AWS Cognito OAuthenticator
    ##############################################
    # Use cat, not echo: echo ignores stdin, so the here-document would never be written.
    cat > /opt/tljh/config/jupyterhub_config.d/awscognito.py <<EOF
    c.GenericOAuthenticator.client_id = "[your app client ID]"
    c.GenericOAuthenticator.client_secret = "[your app client secret]"
    c.GenericOAuthenticator.oauth_callback_url = "https://[your-jupyterhub-host]/hub/oauth_callback"

    c.GenericOAuthenticator.authorize_url = "https://your-AWSCognito-domain/oauth2/authorize"
    c.GenericOAuthenticator.token_url = "https://your-AWSCognito-domain/oauth2/token"
    c.GenericOAuthenticator.userdata_url = "https://your-AWSCognito-domain/oauth2/userInfo"
    c.GenericOAuthenticator.logout_redirect_url = "https://your-AWSCognito-domain/oauth2/logout"

    # these are always the same
    c.GenericOAuthenticator.login_service = "AWS Cognito"
    c.GenericOAuthenticator.username_key = "username"
    c.GenericOAuthenticator.userdata_method = "POST"
    EOF

    # Switch the hub to the generic OAuth authenticator and apply the change
    tljh-config set auth.type oauthenticator.generic.GenericOAuthenticator

    tljh-config reload

Manual configuration to use the AWS Cognito OAuthenticator
==========================================================

AWS Cognito is configured as a generic OAuth provider.

Using your preferred editor, create the config file::

    /opt/tljh/config/jupyterhub_config.d/awscognito.py

substituting the relevant variables::

    c.GenericOAuthenticator.client_id = "[your app ID]"
    c.GenericOAuthenticator.client_secret = "[your app Password]"
    c.GenericOAuthenticator.oauth_callback_url = "https://[your-jupyterhub-host]/hub/oauth_callback"

    c.GenericOAuthenticator.authorize_url = "https://your-AWSCognito-domain/oauth2/authorize"
    c.GenericOAuthenticator.token_url = "https://your-AWSCognito-domain/oauth2/token"
    c.GenericOAuthenticator.userdata_url = "https://your-AWSCognito-domain/oauth2/userInfo"
    c.GenericOAuthenticator.logout_redirect_url = "https://your-AWSCognito-domain/oauth2/logout"

    # these are always the same
    c.GenericOAuthenticator.login_service = "AWS Cognito"
    c.GenericOAuthenticator.username_key = "username"
    c.GenericOAuthenticator.userdata_method = "POST"

We'll use the ``tljh-config`` tool to configure your JupyterHub's authentication.
For more information on ``tljh-config``, see :ref:`topic/tljh-config`.

#. Tell your JupyterHub to use the GenericOAuthenticator for authentication::

     sudo tljh-config set auth.type oauthenticator.generic.GenericOAuthenticator

#. Restart your JupyterHub so that new users see these changes::

     sudo tljh-config reload

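
A preflight check for the ``awscognito.py`` settings shown above, to run before ``tljh-config reload``. This is an added example, not part of the TLJH project: ``check_config``, the constructed sample values, and the rule that the callback must use ``https`` are assumptions of the example.

```python
import re
from urllib.parse import urlparse

# Endpoint paths as given in the configuration on this page.
ENDPOINT_PATHS = {"authorize_url": "/oauth2/authorize",
                  "token_url": "/oauth2/token",
                  "userdata_url": "/oauth2/userInfo"}
PLACEHOLDERS = ("[your", "your-AWSCognito-domain")  # markers used on this page
SETTING = re.compile(r"""^\s*c\.GenericOAuthenticator\.(\w+)\s*=\s*(["'])(.*?)\2""", re.M)

# Constructed sample: one placeholder left in, callback over plain http.
SAMPLE = '''
c.GenericOAuthenticator.client_id = "[your app ID]"
c.GenericOAuthenticator.client_secret = "constructed-secret"
c.GenericOAuthenticator.oauth_callback_url = "http://hub.example.org/hub/oauth_callback"
c.GenericOAuthenticator.authorize_url = "https://demo.auth.eu-west-1.amazoncognito.com/oauth2/authorize"
c.GenericOAuthenticator.token_url = "https://demo.auth.eu-west-1.amazoncognito.com/oauth2/token"
c.GenericOAuthenticator.userdata_url = "https://demo.auth.eu-west-1.amazoncognito.com/oauth2/userInfo"
'''

def safe_parse(url):
    try:
        return urlparse(url)
    except ValueError:  # e.g. a bracketed placeholder in the host part
        return urlparse("")

def check_config(text):
    """Return a list of problems; an empty list means every check passed."""
    s = {name: value for name, _, value in SETTING.findall(text)}
    problems = []
    for key in ("client_id", "client_secret", "oauth_callback_url", *ENDPOINT_PATHS):
        if not s.get(key) or any(m in s[key] for m in PLACEHOLDERS):
            problems.append(f"{key}: missing or placeholder not replaced")
    hosts = set()
    for key, path in ENDPOINT_PATHS.items():
        url = safe_parse(s.get(key, ""))
        hosts.add(url.netloc)
        if url.scheme != "https" or not url.netloc or url.path != path:
            problems.append(f"{key}: expected https://<auth domain>{path}")
    if len(hosts) != 1:
        problems.append("endpoints must share one auth domain")
    cb = safe_parse(s.get("oauth_callback_url", ""))
    if cb.scheme != "https" or cb.path != "/hub/oauth_callback":
        problems.append("oauth_callback_url: expected https://<hub host>/hub/oauth_callback")
    return problems

if __name__ == "__main__":
    print("\n".join(check_config(SAMPLE)) or "config looks consistent")
```

To check a real deployment, pass the contents of ``/opt/tljh/config/jupyterhub_config.d/awscognito.py`` to ``check_config`` instead of ``SAMPLE``.
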
Confirm that the new authenticator works
========================================
#. **Open an incognito window** in your browser (do not log out until you confirm
   that the new authentication method works!)
#. Go to your JupyterHub URL.
#. You should see an AWS Cognito login button.
#. You will likely have to create a new user (sign up) and then you should be directed to the
   Jupyter interface used in this JupyterHub.
#. **If this does not work** you can revert back to the default
   JupyterHub authenticator by following the steps in :ref:`howto/auth/firstuse`.