keycloak jupyterhub

Keycloak integration problem with JupyterHub


I have Keycloak deployed and running in a k8s cluster with a Helm release. There is a client 'styx' configured for JupyterHub in the 'dev' realm. The client has 'Client authentication' turned on.

When the correct username and password are entered and the redirect happens from Keycloak back to JupyterHub, it fails on retrieving user info (HTTP 403 error from Keycloak).

[E 2023-01-11 02:34:20.026 JupyterHub oauth2:386] Error fetching user data 403 GET https://ceres.themodelvault.com/realms/dev/protocol/openid-connect/userinfo:
[E 2023-01-11 02:34:20.027 JupyterHub web:1798] Uncaught exception GET /hub/oauth_callback?state=eyJzdGF0ZV9pZCI6ICIzZWZiZjQzNzM4ZDA0ZmM2YTZmODdjYzk4MDAxZjkxNCIsICJuZXh0X3VybCI6ICIvaHViLyJ9&session_state=129fa2d5-c9d3-4d13-8539-7611f0e05604&code=3d9031f9-3889-4ad4-a676-4d2276e5907f.129fa2d5-c9d3-4d13-8539-7611f0e05604.0526b372-e282-401f-af45-6ea2ca2647fd (::ffff:10.0.106.200)
    HTTPServerRequest(protocol='http', host='styx-dev.themodelvault.com', method='GET', uri='/hub/oauth_callback?state=eyJzdGF0ZV9pZCI6ICIzZWZiZjQzNzM4ZDA0ZmM2YTZmODdjYzk4MDAxZjkxNCIsICJuZXh0X3VybCI6ICIvaHViLyJ9&session_state=129fa2d5-c9d3-4d13-8539-7611f0e05604&code=3d9031f9-3889-4ad4-a676-4d2276e5907f.129fa2d5-c9d3-4d13-8539-7611f0e05604.0526b372-e282-401f-af45-6ea2ca2647fd', version='HTTP/1.1', remote_ip='::ffff:10.0.106.200')
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/tornado/web.py", line 1713, in _execute
        result = await result
      File "/usr/local/lib/python3.9/site-packages/oauthenticator/oauth2.py", line 222, in get
        user = await self.login_user()
      File "/usr/local/lib/python3.9/site-packages/jupyterhub/handlers/base.py", line 801, in login_user
        authenticated = await self.authenticate(data)
      File "/usr/local/lib/python3.9/site-packages/jupyterhub/auth.py", line 491, in get_authenticated_user
        authenticated = await maybe_future(self.authenticate(handler, data))
      File "/usr/local/lib/python3.9/site-packages/oauthenticator/generic.py", line 165, in authenticate
        user_data_resp_json = await self._get_user_data(token_resp_json)
      File "/usr/local/lib/python3.9/site-packages/oauthenticator/oauth2.py", line 387, in fetch
        raise e
      File "/usr/local/lib/python3.9/site-packages/oauthenticator/oauth2.py", line 366, in fetch
        resp = await self.http_client.fetch(req, **kwargs)
    tornado.httpclient.HTTPClientError: HTTP 403: Forbidden

UPD: Fixed with https://keycloak.discourse.group/t/issue-on-userinfo-endpoint-at-keycloak-20/18461


Solution

  • Fixed with openid scope as explained in https://keycloak.discourse.group/t/issue-on-userinfo-endpoint-at-keycloak-20/18461
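
A diagnostic for the fix described above, added here as an example (it is not code from the original post, from JupyterHub or from Keycloak): it reports whether a token response was granted the openid scope, which the fix says the userinfo call needs. The sample token responses are constructed and unsigned, and the helper names are hypothetical; the commented config line assumes the GenericOAuthenticator seen in the traceback.

```python
import base64
import json


def _b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def granted_scopes(token_response: dict) -> set:
    """Scopes carried by the access token. Reads the JWT 'scope' claim when the
    token decodes as a JWT, otherwise falls back to the response 'scope' field.
    No signature check: this is a diagnostic, not token validation."""
    parts = str(token_response.get("access_token", "")).split(".")
    if len(parts) == 3:
        try:
            claims = _b64url_json(parts[1])
            if "scope" in claims:
                return set(str(claims["scope"]).split())
        except (ValueError, TypeError):
            pass  # opaque or malformed token: use the response field instead
    return set(str(token_response.get("scope", "")).split())


def userinfo_allowed(token_response: dict) -> bool:
    """True when 'openid' was granted, i.e. the userinfo request can succeed."""
    return "openid" in granted_scopes(token_response)


def make_sample(scope: str) -> dict:
    """Constructed, unsigned sample token response for offline use."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    jwt = ".".join([enc({"alg": "none"}), enc({"sub": "sample-user", "scope": scope}), "sig"])
    return {"access_token": jwt, "token_type": "Bearer", "scope": scope}


if __name__ == "__main__":
    for scope in ("profile email", "openid profile email"):
        allowed = userinfo_allowed(make_sample(scope))
        print(f"requested scope {scope!r}: userinfo allowed = {allowed}")
    # Hub-side setting in jupyterhub_config.py that requests the scope:
    #   c.GenericOAuthenticator.scope = ["openid"]
```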