Enable authentication via CILogon #315
Comments
After some conversations with @colliand I think that we should bump this up the priority list a little bit, because it will be really useful if we can tell universities that we will "probably" be able to integrate with their institutional SSO via CILogon.
We'd like our alpha service to support this (see 2i2c-org/team-compass#262 for ref), so just another note that this deliverable is quite valuable now!
Next step here is to apply for credentials here: https://cilogon.org/oauth2/register. I hope we qualify using them for free? https://www.cilogon.org/subscribe
Some updates about this: I followed the instructions in https://www.cilogon.org/auth0 and created a new auth0 application that I then registered with CILogon. I provided the 2i2c We need to wait for this to happen now: However, even if the request hasn't been approved, we've been provided the client credentials. Should we store these encrypted somewhere in this repo (maybe here)?
@GeorgianaElena it seems the request was approved, see https://2i2c.freshdesk.com/a/tickets/38
Great! Thanks @consideRatio!
That location makes sense to me from the top of my head.
I realized that we're supporting JupyterHub OAuthenticator now, so I'm experimenting with using JupyterHub OAuthenticator to enable CILogon instead of using it through Auth0. I think this issue was opened long before the OAuthenticator addition, so the Auth0 integration might not necessarily be a requirement. Happy to hear people's ideas about this. Thank you for asking, @choldgraf! UPDATE:
Authentication via CILogon status
1. Why not use JupyterHub
username_pattern: '^(.+@mills\.edu|yuvipanda@2i2c\.org|choldgraf@2i2c\.org|georgianaelena@2i2c\.org|sgibson@2i2c\.org|erik@2i2c\.org|damianavila@2i2c\.org|aculich@berkeley\.edu|jpercy@berkeley\.edu|deployment-service-check)$'
- Another approach would be to make changes upstream, either in JupyterHub Authenticator or directly in Auth0Oauthenticator (though I'm not sure if it would make sense to have an allowed email domain list in this Auth0 specific authenticator?)
- Auth0 rules?? (we are only allowed 3 rules I believe, so this is not scalable)
3. Help
I would love help and feedback about which of these two approaches is better, especially:
- Is there a way to have only the 2i2c.cloud domain in the callback_url list of CILogon and achieve the same redirection behaviour like we do with the 2i2c auth0 domain?
- If the 1st point ⬆️ is not achievable, what's the best way to "de-uglify" the username_pattern example above and restrict based on identity provider?
To me, this is a big blocker. I'd rather cope with ugly code than need to rely on manual intervention from CILogon
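The username_pattern in the comment above bakes a whole allowlist into one regex, which is what makes it hard to read and easy to get wrong (an unescaped dot or a missing anchor silently widens who can log in). The snippet below is an added illustration, not code from this repository, JupyterHub or OAuthenticator: it keeps the allowed domains and individual accounts as plain lists, derives an anchored and escaped username_pattern from them, and implements the same decision without a regex so the two can be cross-checked. The lists are constructed sample values; `build_username_pattern` and `is_allowed` are hypothetical helpers.

```python
import re

# Constructed sample allowlists (illustration only, not the real 2i2c config):
# whole institutional domains plus a few individual accounts.
ALLOWED_DOMAINS = ["mills.edu"]
ALLOWED_USERS = ["georgianaelena@2i2c.org", "deployment-service-check"]


def build_username_pattern(allowed_domains, allowed_users):
    """Derive a username_pattern regex from readable allowlists.

    Every literal goes through re.escape so a dot in a domain cannot match an
    arbitrary character, the local part is [^@]+ so "a@b.org@mills.edu" is not
    accepted, and the whole alternation is anchored so "x@mills.edu.example.org"
    is rejected. Entries are lowercased because usernames are normalized the
    same way in is_allowed() and regex_allows().
    """
    alternatives = [rf"[^@]+@{re.escape(d.lower())}" for d in allowed_domains]
    alternatives += [re.escape(u.lower()) for u in allowed_users]
    return "^(" + "|".join(alternatives) + ")$"


def regex_allows(username, pattern):
    """Decision as JupyterHub-style username_pattern matching would make it."""
    return re.fullmatch(pattern, username.strip().lower()) is not None


def is_allowed(username, allowed_domains, allowed_users):
    """Same decision without a regex: exact account match, else domain match."""
    name = username.strip().lower()
    if name in {u.lower() for u in allowed_users}:
        return True
    # Split on the FIRST '@': anything after it must be exactly an allowed
    # domain, which rejects both empty local parts and a second '@'.
    local, sep, domain = name.partition("@")
    return bool(sep) and bool(local) and domain in {d.lower() for d in allowed_domains}


def check(username):
    """Return (regex_decision, list_decision); the two must always agree."""
    pattern = build_username_pattern(ALLOWED_DOMAINS, ALLOWED_USERS)
    return regex_allows(username, pattern), is_allowed(username, ALLOWED_DOMAINS, ALLOWED_USERS)


if __name__ == "__main__":
    # Constructed sample usernames, including the edge cases a loose regex
    # (".+@mills.edu" without escaping or anchoring) would wrongly accept.
    for candidate in [
        "student@mills.edu",
        "Student@Mills.EDU",
        "georgianaelena@2i2c.org",
        "deployment-service-check",
        "someone@berkeley.edu",
        "x@mills.edu.example.org",
        "x@millsXedu",
        "a@b.org@mills.edu",
        "@mills.edu",
    ]:
        print(f"{candidate:30} regex={check(candidate)[0]!s:5} list={check(candidate)[1]!s:5}")
```

Keeping the lists as the source of truth and generating the pattern from them means a new institution is one line in ALLOWED_DOMAINS rather than a hand edit inside a long alternation; the non-regex `is_allowed` doubles as a test oracle for the generated pattern.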
So it sounds like our next step here is to:
Is that right?
Yes, I think so
I've updated the top comment with a few more next steps that I think are needed to close this out. I also added a few scenarios that we should test to make sure it works as expected!
Planning Meeting / Next Steps
How to allow community users + 2i2c users to log-in
Next steps
Also opened up #936 to discuss/explore how we can gain access to hubs that use CILogon (or other SSO) |
@GeorgianaElena as a followup to a [email protected] email received in https://2i2c.freshdesk.com/a/tickets/69, I wanted to note that:
Misc
Update: Try out the demo hub!
@GeorgianaElena has deployed a JupyterHub at demo.pilot.2i2c.cloud - this can be used to try out things, demo them, etc. She's enabled CILogon with My quick feedback: I really like it! It seems like a nice way to support many different institutional sign-ons, and I really like the simplicity of setup!
Question: how do I "log out" of CILogon?
I tried once with my @2i2c.org address, and this worked really nicely! However, I'd now like to try logging in with my Berkeley address to confirm that I cannot access the hub. I can't figure out how to do this! @GeorgianaElena could you provide guidance? I suspect others will hit the same issue if they accidentally log in with the wrong address first
Good question @choldgraf, I hadn't noticed. I believe there's something similar with this issue we had some time ago. I also noticed a similar behavior with the toronto hub 😕 (That one is using AzureAdOAuthenticator) I will open up issues about each of these issues:
Update
I opened #967 to tackle the remaining bullets of this issue (about changing current Auth0 setup with CILogon) and #957 about the logging out issue that @choldgraf noticed. I was thinking to add the logging out issue to our Operational list of tasks and discuss more about changing Auth0 with CILogon in its own issue, linked above. WDYT @choldgraf? For me, it feels like since we have CILogon auth, we can close this one?
@GeorgianaElena that sounds good to me - my main question is whether we can provide a workaround for people who run into the issue described in #957 - I think it'd be a big problem if users logged in with the wrong email but couldn't log out. Could we recommend that they clear their browser cache or something? Regarding #967, agreed that we can follow that up in subsequent conversations.
Note for the future ➡️ |
OK, now that #974 is in, I think that we can consider this one resolved! 🎉🎉🎉 There are still some things to keep track of and follow up. Specifically:
Problem statement
Right now we only offer two ways to authenticate for our hubs: GitHub and Google OAuth. However, this falls short in a few ways:
@berkeley.edu) rather than with an individual list of users
Solution
CILogon is an authentication system focused on North American & Western European academia. It is the authentication mechanism behind the "eduroam" network and a few others (some more info is here).
It is free for 'academic users' (https://www.cilogon.org/subscribe), and I would like to think we qualify.
If we support CILogon as a login provider, it lets us provide direct institutional logins to a large swath of potential users. This is probably particularly attractive to communities that are specific to an organization / institution, because it allows them to use the same login credentials that they are already using in their institution.
Appetite
1 sprint
If we are integrating this with Auth0, it hopefully shouldn't be too much work to get running. It might take a bit of time to get the authentication approval from the CILogon folks, however.
Guidance / implementation
CILogon has specific instructions on integrating with Auth0, and that is what we should do!
Out of scope
Tasks to complete
2022-01-26
We'll aim to get the following done by the next sprint:
@place.edu
pattern@place.edu
users AND 2i2c admin users