Merge pull request #729 from minrk/awscognito

update awscognito docs to use GenericOAuthenticator
This commit is contained in:
Erik Sundell
2021-10-24 23:46:13 +02:00
committed by GitHub

@@ -5,7 +5,7 @@ Authenticate using AWS Cognito
============================== ==============================
The **AWS Cognito Authenticator** lets users log into your JupyterHub using The **AWS Cognito Authenticator** lets users log into your JupyterHub using
cognito user pools. To do so, you'll first need to register and configure a cognito user pools. To do so, you'll first need to register and configure a
cognito user pool and app, and then provide information about this cognito user pool and app, and then provide information about this
application to your ``tljh`` configuration. application to your ``tljh`` configuration.
@@ -17,7 +17,7 @@ Create an AWS Cognito application
When you have completed creating a user pool, app, and domain you should have the following settings available to you: When you have completed creating a user pool, app, and domain you should have the following settings available to you:
* **App client id**: From the App client page * **App client id**: From the App client page
* **App client secret** From the App client page * **App client secret** From the App client page
* **Callback URL** This should be the domain you are hosting you server on:: * **Callback URL** This should be the domain you are hosting you server on::
@@ -33,75 +33,73 @@ Create an AWS Cognito application
Install and configure an AWS EC2 Instance with userdata Install and configure an AWS EC2 Instance with userdata
======================================================== =======================================================
By adding following script to the ec2 instance user data you should be By adding following script to the ec2 instance user data you should be
able to configure the instance automatically, replace relevant config variables:: able to configure the instance automatically, replace relevant placeholders::
#!/bin/bash #!/bin/bash
############################################## ##############################################
# Setup systemd environment variable overrides # Ensure tljh is up to date
##############################################
mkdir /etc/systemd/system/jupyterhub.service.d
echo "[Service]
Environment=AWSCOGNITO_DOMAIN=${awscognito_domain}" >> /etc/systemd/system/jupyterhub.service.d/jupyterhub.conf
##############################################
# Need to ensure oauthenticator is bumped to 0.10.0
############################################## ##############################################
curl -L https://tljh.jupyter.org/bootstrap.py \ curl -L https://tljh.jupyter.org/bootstrap.py \
| sudo python3 - \ | sudo python3 - \
--admin insightadmin --admin insightadmin
############################################## ##############################################
# Setup aws Cognito Authenticator # Setup AWS Cognito OAuthenticator
############################################## ##############################################
echo "c.AWSCognitoAuthenticator.client_id='${client_id}' echo > /opt/tljh/config/jupyterhub_config.d/awscognito.py <<EOF
c.AWSCognitoAuthenticator.client_secret='${client_secret}' c.GenericOAuthenticator.client_id = "[your app client ID]"
c.AWSCognitoAuthenticator.oauth_callback_url='${callback_url}' c.GenericOAuthenticator.client_secret = "[your app client secret]"
c.AWSCognitoAuthenticator.username_key='username' c.GenericOAuthenticator.oauth_callback_url = "https://[your-jupyterhub-host]/hub/oauth_callback"
c.AWSCognitoAuthenticator.oauth_logout_redirect_url='${logout_url}'" >> /opt/tljh/config/jupyterhub_config.d/awscognito.py
c.GenericOAuthenticator.authorize_url = "https://your-AWSCognito-domain/oauth2/authorize"
c.GenericOAuthenticator.token_url = "https://your-AWSCognito-domain/oauth2/token"
c.GenericOAuthenticator.userdata_url = "https://your-AWSCognito-domain/oauth2/userInfo"
c.GenericOAuthenticator.logout_redirect_url = "https://your-AWSCognito-domain/oauth2/logout"
tljh-config set auth.type oauthenticator.awscognito.AWSCognitoAuthenticator # these are always the same
c.GenericOAuthenticator.login_service = "AWS Cognito"
c.GenericOAuthenticator.username_key = "username"
c.GenericOAuthenticator.userdata_method = "POST"
EOF
tljh-config set auth.type oauthenticator.generic.GenericOAuthenticator
tljh-config reload tljh-config reload
Manual configuration to use the AWS Cognito Oauthenticator Manual configuration to use the AWS Cognito OAuthenticator
============================================================ ==========================================================
Assuming tljh has already been installed, we need to make sure the oautheneticator module is at 0.10.0 and if not AWS Cognito is configured as a generic OAuth provider.
do a pip install oauthenticator>=0.10.0
Because the AWS Congito authenticator uses environment variables and the systemd script we need to pass the Using your preferred editor create the config file::
the AWS Cognito domain in via systemd we can do this by creating a systemd service overide file::
/etc/systemd/system/jupyterhub.service.d/jupyterhub.conf /opt/tljh/config/jupyterhub_config.d/awscognito.py
and add the following:: substituting the relevant variables::
[Service] c.GenericOAuthenticator.client_id = "[your app ID]"
Environment=AWSCOGNITO_DOMAIN=https://<<my_jupyter_hub>.auth.eu-west-1.amazoncognito.com c.GenericOAuthenticator.client_secret = "[your app Password]"
c.GenericOAuthenticator.oauth_callback_url = "https://[your-jupyterhub-host]/hub/oauth_callback"
Using your prefered editor create the config file:: c.GenericOAuthenticator.authorize_url = "https://your-AWSCognito-domain/oauth2/authorize"
c.GenericOAuthenticator.token_url = "https://your-AWSCognito-domain/oauth2/token"
c.GenericOAuthenticator.userdata_url = "https://your-AWSCognito-domain/oauth2/userInfo"
c.GenericOAuthenticator.logout_redirect_url = "https://your-AWSCognito-domain/oauth2/logout"
/opt/tljh/config/jupyterhub_config.d/awscognito.py # these are always the same
c.GenericOAuthenticator.login_service = "AWS Cognito"
subsituting the relevant variables:: c.GenericOAuthenticator.username_key = "username"
c.GenericOAuthenticator.userdata_method = "POST"
c.AWSCognitoAuthenticator.client_id='${client_id}'
c.AWSCognitoAuthenticator.client_secret='${client_secret}'
c.AWSCognitoAuthenticator.oauth_callback_url='${callback_url}'
c.AWSCognitoAuthenticator.username_key='username'
c.AWSCognitoAuthenticator.oauth_logout_redirect_url='${logout_url}'
We'll use the ``tljh-config`` tool to configure your JupyterHub's authentication. We'll use the ``tljh-config`` tool to configure your JupyterHub's authentication.
For more information on ``tljh-config``, see :ref:`topic/tljh-config`. For more information on ``tljh-config``, see :ref:`topic/tljh-config`.
#. Tell your JupyterHub to *use* the AWS Cognito OAuthenticator for authentication:: #. Tell your JupyterHub to use the GenericOAuthenticator for authentication::
tljh-config set auth.type oauthenticator.awscognito.AWSCognitoAuthenticator tljh-config set auth.type oauthenticator.generic.GenericOAuthenticator
#. Restart your JupyterHub so that new users see these changes:: #. Restart your JupyterHub so that new users see these changes::
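Review bot: In the new user-data script, the line "echo > /opt/tljh/config/jupyterhub_config.d/awscognito.py <<EOF" will not write the config, because echo does not read standard input: the here-document is discarded and awscognito.py ends up containing only an empty line, so none of the c.GenericOAuthenticator settings reach the hub. Use "cat > /opt/tljh/config/jupyterhub_config.d/awscognito.py <<EOF" instead. Two smaller points on the same hunk: the script places client_secret in EC2 user data, which remains readable from the instance metadata after boot, so the docs should say that and suggest restricting who can read it; and the placeholders differ between the two sections ("[your app client ID]" and "[your app client secret]" in the script, "[your app ID]" and "[your app Password]" in the manual steps, and the unbracketed "your-AWSCognito-domain" in both), which should be made consistent.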