From 595408f24761470e7e46c2f7e9c5feb3cb17bad2 Mon Sep 17 00:00:00 2001 From: Aliaksandr Tsimokhau <32734390+AliaksandrTsimokhau@users.noreply.github.com> Date: Wed, 7 Aug 2024 20:03:03 +0400 Subject: [PATCH 1/2] Update authentication.md Add a working example of using predefined secret to store ouath client credentials to avoid storing them on github. Example is based on forum discussion https://discourse.jupyter.org/t/jupyterhub-to-github-authentication-using-secrets/19380 --- docs/source/administrator/authentication.md | 27 +++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/docs/source/administrator/authentication.md b/docs/source/administrator/authentication.md index 8a410c4c21..8b9acfc1cd 100644 --- a/docs/source/administrator/authentication.md +++ b/docs/source/administrator/authentication.md @@ -267,6 +267,33 @@ hub: JupyterHub: authenticator_class: google ``` +For security reasons `client_id` and `client_secret` parameters could be ommited from config +and passed via Extra environment variables `OAUTH_CLIENT_ID` and `OAUTH_CLIENT_SECRET` directly +as they are respected by all oauthenticator based Authenticator classes. +Assuming that the secret have already been created it could look like this. + +```yaml +hub: + config: + GoogleOAuthenticator: + oauth_callback_url: https://your-jupyterhub-domain/hub/oauth_callback + hosted_domain: + - your-university.edu + login_service: Your university + JupyterHub: + authenticator_class: google + extraEnv: + OAUTH_CLIENT_ID: + valueFrom: + secretKeyRef: + name: jupyterhub-google-oauth + key: client-id + OAUTH_CLIENT_SECRET: + valueFrom: + secretKeyRef: + name: jupyterhub-google-oauth + key: client-secret +``` The `oauth_callback_url` key is set to the authorized redirect URI you specified earlier. Set `hosted_domain` to your institution's domain name. The value of From da9ea0b7f861fa54644df345937f68aecc1484f6 Mon Sep 17 00:00:00 2001 
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Wed, 7 Aug 2024 16:03:51 +0000 Subject: [PATCH 2/2] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- docs/source/administrator/authentication.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/source/administrator/authentication.md b/docs/source/administrator/authentication.md index 8b9acfc1cd..2fdc0a08f1 100644 --- a/docs/source/administrator/authentication.md +++ b/docs/source/administrator/authentication.md @@ -267,6 +267,7 @@ hub: JupyterHub: authenticator_class: google ``` + For security reasons `client_id` and `client_secret` parameters could be ommited from config and passed via Extra environment variables `OAUTH_CLIENT_ID` and `OAUTH_CLIENT_SECRET` directly as they are respected by all oauthenticator based Authenticator classes.
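Review bot: The sentence "Assuming that the secret have already been created" in the hunk of PATCH 1/2 skips the one step the example depends on. Nothing tells the reader that a Kubernetes Secret named `jupyterhub-google-oauth` with the keys `client-id` and `client-secret` must exist in the namespace the hub pod runs in, since a `secretKeyRef` only resolves within the pod's own namespace. Suggest adding a sentence before the YAML that states this and shows or links how to create the Secret. It would also help to say what "For security reasons" means here: per the commit message, the point is that the credentials stay out of the config file that ends up on GitHub.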
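Review bot: The wording in the context lines of the PATCH 2/2 hunk was left untouched by the auto-fix and still needs a manual pass: "ommited" should be "omitted", "Extra environment variables" should refer to the `extraEnv` key the example actually uses, and "oauthenticator based" reads better as "OAuthenticator-based". The following line from PATCH 1/2 also needs "the secret has" in place of "the secret have".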