To follow up in case anyone else has this issue: clearing cookies only worked temporarily. Eventually the problem returned for all of my users.
The root cause was wildcard cookies from our website. We host JupyterHub on a subdomain (servername.company.com), and the website is at www.company.com. The website is assigning a small number of wildcard cookies (*.company.com) that cause a redirect loop during the OAuth flow. With multiple google account signed in this means you keep landing back at the account picker. With one or zero accounts signed in the browser fails with "too many redirects". Deleting the wildcard cookies fixes the problem, regardless of the number of google accounts signed in or which one you signed in to first. Maybe this indicates a bug in the oauthenticator plugin, I'm not sure. But I'm just going to restrict the cookies placed by the website and call it a day. On Thursday, June 2, 2016 at 11:24:58 AM UTC-7, Tom Lippman wrote: > > Clearing cookies seems to have fixed it. > > On Thu, Jun 2, 2016 at 4:52 AM MinRK <[email protected]> wrote: > >> On Thu, Jun 2, 2016 at 2:37 AM, Tom Lippman <[email protected]> >> wrote: >> >>> Hi All, >>> >>> I'm using JupyterHub to provide a zero-install python setup to the team >>> at our small startup. Since we already use google apps, I'm using the >>> google OAuthenticator plugin to restrict logins to our hosted domain. >>> Everything works as expected, unless you try to log in from a browser with >>> multiple google accounts signed-in. >>> >>> For example, I'm signed in to both my work and personal google accounts. >>> I navigate to our JupyterHub deployment and click the sign in button. I see >>> the google account picker. If I select my personal account, it redirects >>> back to JupyterHub, which gives me a 403 because I'm signed in to the wrong >>> account. If instead I select my work account, the address bar briefly >>> shows the JupyterHub url, but then I end up back at the google account >>> picker. The server logs show that the redirect happened, so I'm not sure >>> what's dumping me back at the login screen. >>> >>> What could be causing this? Where should I be looking for fixes? >>> >> >> Does it only happen if you have tried to login with the wrong id first, >> or does it always happen if you have multiple google accounts? If it's the >> former, there might be a stale cookie lying around that doesn't get cleared >> properly. If it's the latter, there might be a case not properly handled by >> the Google OAuthenticator. You can check the debug logs (run jupyterhub >> with `--debug`) but there may need to be more poking around in exactly what >> the authenticator is doing. >> >> -MinRK >> >> >>> >>> thanks, >>> >>> Tom Lippman >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "Project Jupyter" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >> >> >>> To post to this group, send email to [email protected]. >>> To view this discussion on the web visit >>> https://groups.google.com/d/msgid/jupyter/47c6dd0f-4e41-4e82-a0d6-650aa3c72f7c%40googlegroups.com >>> >>> <https://groups.google.com/d/msgid/jupyter/47c6dd0f-4e41-4e82-a0d6-650aa3c72f7c%40googlegroups.com?utm_medium=email&utm_source=footer> >>> . >>> For more options, visit https://groups.google.com/d/optout. >>> >> -- >> You received this message because you are subscribed to a topic in the >> Google Groups "Project Jupyter" group. >> To unsubscribe from this topic, visit >> https://groups.google.com/d/topic/jupyter/cUDi6OJ0YE4/unsubscribe. >> To unsubscribe from this group and all its topics, send an email to >> [email protected]. >> To post to this group, send email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/jupyter/CAHNn8BWD_jc1XBe%2BoJbbcjfD4-zwAL%2B6T6icndy-q5uoiMVnvA%40mail.gmail.com >> >> <https://groups.google.com/d/msgid/jupyter/CAHNn8BWD_jc1XBe%2BoJbbcjfD4-zwAL%2B6T6icndy-q5uoiMVnvA%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> For more options, visit https://groups.google.com/d/optout. >> > -- You received this message because you are subscribed to the Google Groups "Project Jupyter" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jupyter/5e8b6d94-75e0-4085-ba5d-8a5271b44ee1%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
