JupyterHub fails OAuth redirect with Google Account Chooser


Tom Lippman

Jun 1, 2016, 8:37:46 PM
to Project Jupyter
Hi All,

I'm using JupyterHub to provide a zero-install Python setup to the team at our small startup. Since we already use Google Apps, I'm using the Google OAuthenticator plugin to restrict logins to our hosted domain. Everything works as expected, unless you try to log in from a browser with multiple Google accounts signed in.

For example, I'm signed in to both my work and personal Google accounts. I navigate to our JupyterHub deployment and click the sign in button. I see the Google account picker. If I select my personal account, it redirects back to JupyterHub, which gives me a 403 because I'm signed in to the wrong account. If instead I select my work account, the address bar briefly shows the JupyterHub URL, but then I end up back at the Google account picker. The server logs show that the redirect happened, so I'm not sure what's dumping me back at the login screen.

What could be causing this? Where should I be looking for fixes?

thanks,

Tom Lippman

MinRK

Jun 2, 2016, 7:52:02 AM
to Project Jupyter
Does it only happen if you have tried to log in with the wrong ID first, or does it always happen if you have multiple Google accounts? If it's the former, there might be a stale cookie lying around that doesn't get cleared properly. If it's the latter, there might be a case not properly handled by the Google OAuthenticator. You can check the debug logs (run jupyterhub with `--debug`) but there may need to be more poking around in exactly what the authenticator is doing.

-MinRK
 


Tom Lippman

Jun 2, 2016, 2:24:58 PM
to Project Jupyter
Clearing cookies seems to have fixed it.


Tom Lippman

Jul 28, 2016, 12:17:07 PM
to Project Jupyter
To follow up in case anyone else has this issue: clearing cookies only worked temporarily. Eventually the problem returned for all of my users.

The root cause was wildcard cookies from our website. We host JupyterHub on a subdomain (servername.company.com), and the website is at www.company.com. The website is assigning a small number of wildcard cookies (*.company.com) that cause a redirect loop during the OAuth flow. With multiple Google accounts signed in this means you keep landing back at the account picker. With one or zero accounts signed in the browser fails with "too many redirects". Deleting the wildcard cookies fixes the problem, regardless of the number of Google accounts signed in or which one you signed in to first.

Maybe this indicates a bug in the oauthenticator plugin, I'm not sure. But I'm just going to restrict the cookies placed by the website and call it a day.


MinRK

Jul 29, 2016, 4:35:59 AM
to Project Jupyter
Thanks for following up. I don't really understand how other cookies could confuse the login setup, unless they use the same cookie name as JupyterHub, but at least we now have a lead to follow.

-MinRK


Tom Lippman

Jul 29, 2016, 2:37:59 PM
to Project Jupyter
They don't use the same cookie name. JupyterHub sets a cookie named "jupyterhub-token". These are named ANONID etc.

Tom
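
An added example, not part of the thread and not JupyterHub or oauthenticator code: a small audit of `Set-Cookie` headers that applies RFC 6265 domain matching to list which cookies a browser would attach to requests for the hub host. The header values are constructed, `site_session` is a hypothetical name, and the hostnames and the `ANONID` / `jupyterhub-token` names are the ones quoted in the thread; it shows only which cookies reach the hub, not why they would cause the loop.

```python
from http.cookies import SimpleCookie

def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3 domain matching (IP-literal hosts not handled)."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def cookies_reaching(target_host, responses):
    """responses: list of (origin_host, Set-Cookie header value).
    Returns sorted (name, scope, set_by) tuples for cookies the browser
    would send to target_host. Path and Secure matching are ignored."""
    reaching = []
    for origin, header in responses:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            domain = morsel["domain"]
            if domain:
                # A Domain attribute shares the cookie with every subdomain.
                if domain_match(target_host, domain):
                    scope = "domain=" + domain.lstrip(".")
                    reaching.append((name, scope, origin))
            elif origin.lower() == target_host.lower():
                # No Domain attribute: host-only, sent to the setting host alone.
                reaching.append((name, "host-only", origin))
    return sorted(reaching)

def foreign_cookies(target_host, responses):
    """Cookies the target host receives but did not set itself."""
    return [c for c in cookies_reaching(target_host, responses)
            if c[2].lower() != target_host.lower()]

# Constructed sample headers (values are placeholders).
HUB = "servername.company.com"
RESPONSES = [
    ("www.company.com", "ANONID=constructed1; Domain=.company.com; Path=/"),
    ("www.company.com", "site_session=constructed2; Path=/"),
    (HUB, "jupyterhub-token=constructed3; Path=/"),
]

if __name__ == "__main__":
    for name, scope, origin in foreign_cookies(HUB, RESPONSES):
        print(f"{name} ({scope}) set by {origin} is also sent to {HUB}")
```

Dropping the `Domain` attribute on the website's cookies makes them host-only, so they no longer appear in the hub's `Cookie` header.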
