vdk-jupyter: impelement manual oauth2 login workflow #2591
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
antoniivanov
force-pushed
the
person/aivanov/jupyter
branch
from
103eb65 to
d3f7fa3
Compare
|
Note : this is a stacked PR (https://benjamincongdon.me/blog/2022/07/17/In-Praise-of-Stacked-PRs/) . So will be merged after PR #2590 is merged |
antoniivanov
force-pushed
the
person/aivanov/jupyter-ui
branch
from
ef5f905 to
edffe05
Compare
antoniivanov
commented
Aug 21, 2023
...ins/vdk-jupyter/vdk-jupyterlab-extension/src/__tests__/manual-oauth2-flow-component.spec.tsx
Show resolved
Hide resolved
|
The design seems a little bit off to me. Maybe changing the style of the listed items would make it look better and maybe the first button should be blue as the other "Ok" and "Continue" buttons from the Jupyter UI. |
duyguHsnHsn
reviewed
Aug 22, 2023
projects/vdk-plugins/vdk-jupyter/vdk-jupyterlab-extension/src/components/Login2.tsx
Show resolved
Hide resolved
duyguHsnHsn
reviewed
Aug 22, 2023
duyguHsnHsn
approved these changes
Aug 22, 2023
projects/vdk-plugins/vdk-jupyter/vdk-jupyterlab-extension/src/components/Login2.tsx
Show resolved
Hide resolved
projects/vdk-plugins/vdk-jupyter/vdk-jupyterlab-extension/src/components/Login2.tsx
Outdated
Show resolved
Hide resolved
DeltaMichael
approved these changes
Aug 22, 2023
antoniivanov
force-pushed
the
person/aivanov/jupyter
branch
from
d3f7fa3 to
be12c5f
Compare
antoniivanov
force-pushed
the
person/aivanov/jupyter-ui
branch
from
edffe05 to
5d994db
Compare
This is adding the server part of Oauth2 authentication process. It adds 1 more APIs: `/login` When called it without "code" query paramter, it will start the authentication proces as per OAuth2 standard . We are using only native app workflow with PKCE (RFC 7636) because we cannot really secure the server side so we cannot reliably use client secret. When called with "code" query paramter it will finish the process and exchange the code for access token (and refresh token) and safe it in VDK storage. This change add integration with jupyter configuration. This way the extension can be configured more natively using jupyter configuration mechanism. In future change we can add integration between VDK configuration mechanims and jupyter so that properties set in VDK can be recognized in Jupyter and vice-versa but that's more advanced use-case
for more information, see https://pre-commit.ci
antoniivanov
force-pushed
the
person/aivanov/jupyter
branch
from
d8dc793 to
4a393b8
Compare
When jupyter notebook is deployed in a Multi-Notebook server instance (like jupyterhub) each user instance has a distinct URL. This means we don’t have a stable redirect URL to register with your OAuth2 provider. User Scenario 1. Every time a user starts a new notebook server, it gets a unique URL to their notebook 2. OAuth2 Challenge: Since the redirect URL is dynamic based on the instance, we can’t pre-register a fixed callback URL with the OAuth provider. Given this setup there are a couple of solution A) The authorization provider could allow dynamic URLs (not very likely as it's not very secure) B) The Notebook parent server could provide stable proxy to the underlyng notebook (so we can use `http://jupyterhub/notebook?user=xxx` and parent server would proxy this call to the user's notebook server). This way only the query paramter is dynamic which is often ok with authorization providers. The registered notebook url woudl be `http://jupyterhub/notebook` C) If none of the above works , this solution is proposed where we can use Manual Login where user would need to copy one URL into the application. Here is a short gif showing the process: <img src="https://github.com/vmware/versatile-data-kit/assets/2536458/3831f5f6-c01e-411f-87fd-3d0945425e2e"></img>
antoniivanov
force-pushed
the
person/aivanov/jupyter-ui
branch
from
5d994db to
dc9caca
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When jupyter notebook is deployed in a Multi-Notebook server instance (like jupyterhub) each user instance has a distinct URL. This means we don’t have a stable redirect URL to register with your OAuth2 provider.
User Scenario
Given this setup there are a couple of solution
A) The authorization provider could allow dynamic URLs (not very likely as it's not very secure)
B) The Notebook parent server could provide stable proxy to the underlyng notebook (so we can use
http://jupyterhub/notebook?user=xxxand parent server would proxy this call to the user's notebook server). This way only the query paramter is dynamic which is often ok with authorization providers. The registered notebook url woudl behttp://jupyterhub/notebookC) If none of the above works , this solution is proposed where we can use Manual Login where user would need to copy one URL into the application.
Here is a short gif showing the process: