Add support for OAuthentication via JupyterHub triggering account creation in FreeIPA

[cmd-ntrf]

It can be easier to ask people to log in Magic Castle with an OAuth authenticator and automatically create the account in FreeIPA instead of using Mokey.

I was able to put together a proof of concept that works with GitHub authenticator.

Here are the steps so far:

1. Create a FreeIPA keytab for JupyterHub:

ipa role-add 'JupyterHub' --desc='JupyterHub User management'
ipa role-add-privilege 'JupyterHub' --privilege='Group Administrators'
ipa role-add-privilege 'JupyterHub' --privilege='User Administrators'
ipa user-add jupyterhub --first Jupyter --last Hub
ipa role-add-member 'JupyterHub' --users=jupyterhub
ipa-getkeytab -p jupyterhub -k /etc/jupyterhub/jupyterhub.keytab

2. Define the function add_system_user of the jupyterhub authenticator:

class LocalGitHubOAuthenticator(LocalAuthenticator, GitHubOAuthenticator):
    """A version that mixes in local system user creation"""
    def add_system_user(self, user):
        subprocess.run(["kinit", "-kt", "/etc/jupyterhub/jupyterhub.keytab", "-p", "jupyterhub"])
        subprocess.run(["ipa_create_user.py", user.name, "--posix_group", "def-sponsor00"])
        subprocess.run(["kdestroy"])
        time.sleep(5)

3. Create a GitHub app and export the following variables before launching JupyterHub:

 export GITHUB_CLIENT_ID=[redacted]
 export GITHUB_CLIENT_SECRET=[redacted]
 export OAUTH_CALLBACK_URL=[redacted]

If internally jupyterhub is not running SSL, the OAUTH callback URL prefix must be http.
4. Configure JupyterHub authenticator in /etc/jupyterhub/jupyterhub_config.json:

  "JupyterHub": {
    "authenticator_class": "oauthenticator.LocalGitHubOAuthenticator",
  },
  "LocalAuthenticator": {
    "create_system_users": true
  },
  "GitHubOAuthenticator": {
     "allow_all": true
  }

5. Launch JupyterHub