From: Krzysztof B. <kb...@un...> - 2021-08-31 09:22:04
Dear Zoltan,

On 30.08.2021 at 15:26, Zoltan Bakcsa wrote:
> Dear Krzysztof,
>
> First of all: now it works, many thanks for the help.
>
> > One of the screenshots you have shared shows that your OAuth clients are
> > configured to authenticate with the *authenticator* called 'pwd'.
>
> Yes, but that 'pwd' authenticator is under
> Identity provider>Jupyter hub login>Users authentication
> (https://snipboard.io/rUS3MP.jpg). Since it is under Users
> authentication I assumed that authenticator is used (only) for
> checking user's credentials and not the client credentials.

Yes, it is used there, however it was also present on this screenshot:
https://snipboard.io/pTxEek.jpg

So you have reused the same authenticator for authenticating users as well as the OAuth client. This, on its own, can be a valid setup.

> > Next check if your client (in Directory browser) has this particular
> > password credential set.
>
> I did not have a password configured there. Once I set it (with Update
> credential button in the context menu) and adjusted the jupyter hub
> config it started to work. I must have overlooked the relevant part in
> the docs.
>
> However, it is still super confusing to me.
> Now I have 2 "passwords" for the client.
> The one that can be set in the directory browser here:
> https://snipboard.io/BEAplM.jpg
>
> And another one that can be set under Identity Provider>Jupyter hub
> login> Oauth client> [client ID]>Client secret :
> https://snipboard.io/YnEado.jpg
>
> Of course, up to now I tried to use the client secret from this latter
> option, which did not work.
> What is the purpose of the Client secret then?
>

Hmm, that should set up exactly the same credential - you can access that from two places. From directory you can set all credentials and from IdP -> client you should be only setting the one used for OAuth. I'll recheck that, maybe we have some regression there, but most likely there was some save click missing.
Anyway we should improve the UI there to show whether the client secret is set or not.

Best,
Krzysztof

> Br,
> Zoltan
>
> On 8/30/2021 10:25 AM, Krzysztof Benedyczak wrote:
>> Dear Zoltan,
>>
>> On 25.08.2021 at 15:34, ba...@aw... wrote:
>>> Dear Krzysztof,
>>>
>>>> One more thing to check: please ensure that your authenticator used
>>>> by OAuth token endpoint ('pwd') is linked to a *password
>>>> credential* that is actually set for the client. It is a common
>>>> pitfall (as in Unity you can have multiple password credentials).
>>> Could you please describe how to do this step-by-step? I'm afraid I
>>> do not speak the Unity language yet.
>>> Also, in my first email I linked screenshots of the whole
>>> configuration. Can you check whether the authenticator is linked to
>>> the correct credential?
>>> Perhaps you could point me to the relevant part in the documentation?
>>
>> One of the screenshots you have shared shows that your OAuth clients
>> are configured to authenticate with the *authenticator* called 'pwd'.
>>
>> Now this authenticator is defining how to check the client's
>> credential. In Authentication -> Facilities you will find the list of
>> your authenticators. Locate entry 'pwd' there and check details. It
>> should be an authenticator of type 'password' (i.e. checking
>> passwords stored locally). And in its configuration there will be a
>> password credential selected, which is used by this authenticator.
>> Note it down.
>>
>> Next check if your client (in Directory browser) has this particular
>> password credential set. Note that you can define multiple password
>> credentials for your system (e.g. one for admins with high security
>> requirements, one for ordinary users with lower requirements). Also
>> Unity defines one on its own (used for the initial admin's
>> password). So it is likely you have >1, and make sure the
>> authenticator is using the correct one.
>>
>> HTH,
>> Krzysztof
>>