Closed
Description
Validation Checklist
- Is this a Kubeflow issue?
- Are you posting in the right repository ?
- Did you follow the Kubeflow installation guideline ?
- Is the issue report properly structured and detailed with version numbers?
- Is this for Kubeflow development ?
- Would you like to work on this issue?
- You can join the CNCF Slack and access our meetings at the Kubeflow Community website. Our channel on the CNCF Slack is here #kubeflow-platform.
Version
1.9
Describe your issue
When I try to access the Jupyter Notebook using a browser, I get this error.
{"log":"No user detected.","status":401,"success":false,"user":null}
I replaced Dex with Keycloak as the IdP and am using oauth2-proxy.
API curl test was successful.
Here are my istio-ingressgateway and jupyter web app logs.
[2024-12-10T02:54:49.977Z] "GET /api/dashboard-links HTTP/1.1" 304 - via_upstream - "-" 0 0 50 49 "10.10.0.216" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" "b05621c3-f6a4-413f-862a-913209df5e05" "211.175.140.50:31635" "10.233.88.23:4180" outbound|80||oauth2-proxy.oauth2-proxy.svc.cluster.local 10.233.88.11:33264 10.233.88.11:8080 10.10.0.216:6792 - -
[2024-12-10T02:54:49.974Z] "GET /api/activities/testuser HTTP/1.1" 304 - via_upstream - "-" 0 0 68 66 "10.10.0.216" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" "adc97f19-3395-4c1e-be6e-d76843d332ff" "211.175.140.50:31635" "10.233.88.23:4180" outbound|80||oauth2-proxy.oauth2-proxy.svc.cluster.local 10.233.88.11:39080 10.233.88.11:8080 10.10.0.216:45815 - -
[2024-12-10T02:54:49.976Z] "GET /api/workgroup/exists HTTP/1.1" 304 - via_upstream - "-" 0 0 69 68 "10.10.0.216" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" "0a92d9bc-2a2a-44ae-b838-133d03a7ede0" "211.175.140.50:31635" "10.233.88.14:4180" outbound|80||oauth2-proxy.oauth2-proxy.svc.cluster.local 10.233.88.11:43604 10.233.88.11:8080 10.10.0.216:64148 - -
[2024-12-10T02:54:50.042Z] "GET /assets/favicon.ico HTTP/1.1" 304 - via_upstream - "-" 0 0 5 5 "10.10.0.216" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" "50de2262-bed4-4afa-9423-3597865c1215" "211.175.140.50:31635" "10.233.88.14:4180" outbound|80||oauth2-proxy.oauth2-proxy.svc.cluster.local 10.233.88.11:41014 10.233.88.11:8080 10.10.0.216:24129 - -
[2024-12-10T02:54:50.034Z] "GET /pipeline/apis/v1beta1/runs?page_size=5&sort_by=created_at%20desc&resource_reference_key.type=NAMESPACE&resource_reference_key.id=testuser HTTP/1.1" 304 - via_upstream - "-" 0 0 16 8 "10.10.0.216" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" "dcb1d031-a7f7-4c2c-a8bb-0946abf1a8a0" "211.175.140.50:31635" "10.233.88.23:4180" outbound|80||oauth2-proxy.oauth2-proxy.svc.cluster.local 10.233.88.11:33264 10.233.88.11:8080 10.10.0.216:53698 - -
[2024-12-10T02:54:50.088Z] "GET /assets/favicon-32x32.png HTTP/1.1" 304 - via_upstream - "-" 0 0 9 9 "10.10.0.216" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" "5c0eefd1-80b7-456f-acf4-fa43dcd4b58b" "211.175.140.50:31635" "10.233.88.23:4180" outbound|80||oauth2-proxy.oauth2-proxy.svc.cluster.local 10.233.88.11:33264 10.233.88.11:8080 10.10.0.216:24129 - -
[2024-12-10T02:54:50.083Z] "GET /api/workgroup/env-info HTTP/1.1" 304 - via_upstream - "-" 0 0 21 21 "10.10.0.216" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" "7fd4e48c-804c-404c-95bd-6bfe87f38871" "211.175.140.50:31635" "10.233.88.14:4180" outbound|80||oauth2-proxy.oauth2-proxy.svc.cluster.local 10.233.88.11:41014 10.233.88.11:8080 10.10.0.216:53698 - -
[2024-12-10T02:54:50.148Z] "GET /api/workgroup/get-contributors/testuser HTTP/1.1" 304 - via_upstream - "-" 0 0 16 15 "10.10.0.216" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" "c0e8d0ce-8187-48d8-9a4c-1e109e291dc0" "211.175.140.50:31635" "10.233.88.14:4180" outbound|80||oauth2-proxy.oauth2-proxy.svc.cluster.local 10.233.88.11:41014 10.233.88.11:8080 10.10.0.216:53698 - -
2024-12-10 02:54:02,018 | kubeflow.kubeflow.crud_backend.errors.handlers | ERROR | HTTP Exception handled: 401 Unauthorized: No user detected.
127.0.0.6 - - [10/Dec/2024:02:54:02 +0000] "GET /api/namespaces/testuser/notebooks HTTP/1.1" 401 69 "http://211.175.140.50:31635/_/jupyter/?ns=testuser" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
2024-12-10 02:54:49,983 | kubeflow.kubeflow.crud_backend.errors.handlers | ERROR | HTTP Exception handled: 401 Unauthorized: No user detected.
127.0.0.6 - - [10/Dec/2024:02:54:49 +0000] "GET / HTTP/1.1" 401 69 "http://211.175.140.50:31635/_/jupyter/?ns=testuser" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
2024-12-10 02:54:50,015 | kubeflow.kubeflow.crud_backend.errors.handlers | ERROR | HTTP Exception handled: 401 Unauthorized: No user detected.
127.0.0.6 - - [10/Dec/2024:02:54:50 +0000] "GET /api/namespaces/testuser/notebooks HTTP/1.1" 401 69 "http://211.175.140.50:31635/_/jupyter/?ns=testuser" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
2024-12-10 04:06:59,702 | kubeflow.kubeflow.crud_backend.errors.handlers | ERROR | HTTP Exception handled: 401 Unauthorized: No user detected.
127.0.0.6 - - [10/Dec/2024:04:06:59 +0000] "GET / HTTP/1.1" 401 69 "http://211.175.140.50:31635/_/jupyter/?ns=testuser" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
2024-12-10 04:06:59,720 | kubeflow.kubeflow.crud_backend.errors.handlers | ERROR | HTTP Exception handled: 401 Unauthorized: No user detected.
127.0.0.6 - - [10/Dec/2024:04:06:59 +0000] "GET /api/namespaces/testuser/notebooks HTTP/1.1" 401 69 "http://211.175.140.50:31635/_/jupyter/?ns=testuser" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
Steps to reproduce the issue
- This is my configuration of oauth2-proxy
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: oauth2-proxy
  namespace: oauth2-proxy
  labels:
    app: oauth2-proxy
data:
  oauth2_proxy.cfg: |
    provider = "keycloak-oidc"
    oidc_issuer_url = "http://211.175.140.50:31122/realms/OIDC"
    scope = "profile email groups openid"
    upstreams = ["http://centraldashboard.kubeflow.svc.cluster.local", "http://jupyter-web-app-service.kubeflow.svc.cluster.local/jupyter"]
    client_id = "Kubeflow"
    client_secret = "{...}"
    email_domains = [ "*" ]
    skip_oidc_discovery = false
    login_url = "http://{...}/realms/{...}/protocol/openid-connect/auth"
    redeem_url = "http://{...}/realms/{...}/protocol/openid-connect/token"
    oidc_jwks_url = "http://{...}/realms/{...}/protocol/openid-connect/certs"
    extra_jwt_issuers = "http://{...}/realms/{...}"
    skip_provider_button = true
    skip_jwt_bearer_tokens = false
    api_routes = [
      # Generic
      # NOTE: included because most background requests contain these paths
      "/api/",
      "/apis/",
      "/jupyter",
      # Kubeflow Pipelines
      # NOTE: included because KFP UI makes MANY background requests to these paths but because they are
      # not `application/json` requests, oauth2-proxy will redirect them to the login page
      "^/ml_metadata",
    ]
    set_authorization_header = true
    pass_access_token = true
    pass_authorization_header = true
    set_xauthrequest = true
    cookie_name = "oauth2_proxy"
    cookie_secret = "{...}"
    cookie_secure = false
    cookie_httponly = true
    cookie_samesite = "lax"
    cookie_expire = "24h"
    cookie_refresh = "1h"
    # cookie_csrf = "XSRF-TOKEN"
    # csrf_cookie_name = "XSRF-TOKEN"
    code_challenge_method = "S256"
    redirect_url = "http://{...}/oauth2/callback"
    relative_redirect_url = true
    show_debug_on_error = true
  FORCE_HTTPS: "false"
  ALLOW_SELF_SIGNED_ISSUER: "false"
  M2M_TOKEN_ISSUER: "http://{keycloak IP:port}/realms/{realm}"
  ENABLE_M2M_TOKENS: "false"
  EXTRA_JWT_ISSUERS: "http://{keycloak IP:port}/realms/{realm}"
binaryData: {}
```
- Jupyter-web-app VirtualService
```yaml
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  labels:
    app: jupyter-web-app
    kustomize.component: jupyter-web-app
  name: jupyter-web-app-jupyter-web-app
  namespace: kubeflow
spec:
  gateways:
  - kubeflow-gateway
  hosts:
  - '*'
  http:
  - match:
    - uri:
        prefix: /jupyter/
    rewrite:
      uri: /
    route:
    - destination:
        host: jupyter-web-app-service.kubeflow.svc.cluster.local
        port:
          number: 80
  - match:
    - uri:
        prefix: /oauth2/
    route:
    - destination:
        host: oauth2-proxy.oauth2-proxy.svc.cluster.local
        port:
          number: 80
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: oauth2-proxy.oauth2-proxy.svc.cluster.local
        port:
          number: 80
```
- Keycloak JWT requestauthentication
```yaml
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: keycloak-jwt
  namespace: istio-system
spec:
  jwtRules:
  - audiences:
    - Kubeflow
    forwardOriginalToken: true
    fromHeaders:
    - name: Authorization
      prefix: 'Bearer '
    issuer: http://{keycloak IP:port}/realms/{realm}
    jwksUri: http://{keycloak IP:port}/realms/{realm}/protocol/openid-connect/certs
    outputClaimToHeaders:
    - claim: email
      header: kubeflow-userid
    - claim: groups
      header: kubeflow-groups
    - claim: sub
      header: x-auth-request-user
  selector:
    matchLabels:
      app: jupyter-web-app
```
Put here any screenshots or videos (optional)
No response
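Added example, not part of the original issue or of Kubeflow's code: an offline check of a bearer token against the `keycloak-jwt` RequestAuthentication above, listing which `outputClaimToHeaders` targets (including `kubeflow-userid`) the token could not populate. It assumes the web app takes the user from `kubeflow-userid`; the issuer value and sample tokens are constructed placeholders, and the signature is not verified.

```python
import base64
import json

# Rule values copied from the RequestAuthentication on this page; the issuer is
# a constructed placeholder because the page elides the real host and realm.
ISSUER = "http://keycloak.example/realms/demo"
AUDIENCES = {"Kubeflow"}
CLAIM_TO_HEADER = {"email": "kubeflow-userid", "groups": "kubeflow-groups",
                   "sub": "x-auth-request-user"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(claims: dict) -> str:
    """Build an unsigned sample JWT (constructed test input, not a real token)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token: str) -> dict:
    """Compare the token's iss/aud and mapped claims with the jwtRule values."""
    claims = decode_claims(token)
    aud = claims.get("aud", [])
    aud = {aud} if isinstance(aud, str) else set(aud)  # aud may be str or list
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append(f"iss {claims.get('iss')!r} != {ISSUER!r}")
    if not aud & AUDIENCES:
        problems.append(f"aud {sorted(aud)} lacks {sorted(AUDIENCES)}")
    # Headers the rule could populate, and headers whose source claim is absent.
    headers = {h: claims[c] for c, h in CLAIM_TO_HEADER.items() if c in claims}
    missing = [h for c, h in CLAIM_TO_HEADER.items() if c not in claims]
    return {"problems": problems, "headers": headers, "missing_headers": missing}
```

Run `check_token()` on the access token taken from a browser session and on the one used in the successful curl test, then compare the two reports.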