Thanks for following up. I don't really understand how other cookies could confuse the login setup, unless they use the same cookie name as JupyterHub, but at least we now have a lead to follow.
-MinRK On Thu, Jul 28, 2016 at 6:17 PM, Tom Lippman <[email protected]> wrote: > To follow up in case anyone else has this issue: clearing cookies only > worked temporarily. Eventually the problem returned for all of my users. > > The root cause was wildcard cookies from our website. We host JupyterHub > on a subdomain (servername.company.com), and the website is at > www.company.com. The website is assigning a small number of wildcard > cookies (*.company.com) that cause a redirect loop during the OAuth flow. > With multiple google account signed in this means you keep landing back at > the account picker. With one or zero accounts signed in the browser fails > with "too many redirects". Deleting the wildcard cookies fixes the problem, > regardless of the number of google accounts signed in or which one you > signed in to first. > > Maybe this indicates a bug in the oauthenticator plugin, I'm not sure. But > I'm just going to restrict the cookies placed by the website and call it a > day. > > On Thursday, June 2, 2016 at 11:24:58 AM UTC-7, Tom Lippman wrote: >> >> Clearing cookies seems to have fixed it. >> >> On Thu, Jun 2, 2016 at 4:52 AM MinRK <[email protected]> wrote: >> >>> On Thu, Jun 2, 2016 at 2:37 AM, Tom Lippman <[email protected]> >>> wrote: >>> >>>> Hi All, >>>> >>>> I'm using JupyterHub to provide a zero-install python setup to the team >>>> at our small startup. Since we already use google apps, I'm using the >>>> google OAuthenticator plugin to restrict logins to our hosted domain. >>>> Everything works as expected, unless you try to log in from a browser with >>>> multiple google accounts signed-in. >>>> >>>> For example, I'm signed in to both my work and personal google >>>> accounts. I navigate to our JupyterHub deployment and click the sign in >>>> button. I see the google account picker. If I select my personal account, >>>> it redirects back to JupyterHub, which gives me a 403 because I'm signed in >>>> to the wrong account. If instead I select my work account, the address bar >>>> briefly shows the JupyterHub url, but then I end up back at the google >>>> account picker. The server logs show that the redirect happened, so I'm not >>>> sure what's dumping me back at the login screen. >>>> >>>> What could be causing this? Where should I be looking for fixes? >>>> >>> >>> Does it only happen if you have tried to login with the wrong id first, >>> or does it always happen if you have multiple google accounts? If it's the >>> former, there might be a stale cookie lying around that doesn't get cleared >>> properly. If it's the latter, there might be a case not properly handled by >>> the Google OAuthenticator. You can check the debug logs (run jupyterhub >>> with `--debug`) but there may need to be more poking around in exactly what >>> the authenticator is doing. >>> >>> -MinRK >>> >>> >>>> >>>> thanks, >>>> >>>> Tom Lippman >>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "Project Jupyter" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to [email protected]. >>> >>> >>>> To post to this group, send email to [email protected]. >>>> To view this discussion on the web visit >>>> https://groups.google.com/d/msgid/jupyter/47c6dd0f-4e41-4e82-a0d6-650aa3c72f7c%40googlegroups.com >>>> <https://groups.google.com/d/msgid/jupyter/47c6dd0f-4e41-4e82-a0d6-650aa3c72f7c%40googlegroups.com?utm_medium=email&utm_source=footer> >>>> . >>>> For more options, visit https://groups.google.com/d/optout. >>>> >>> -- >>> You received this message because you are subscribed to a topic in the >>> Google Groups "Project Jupyter" group. >>> To unsubscribe from this topic, visit >>> https://groups.google.com/d/topic/jupyter/cUDi6OJ0YE4/unsubscribe. >>> To unsubscribe from this group and all its topics, send an email to >>> [email protected]. >>> To post to this group, send email to [email protected]. >>> To view this discussion on the web visit >>> https://groups.google.com/d/msgid/jupyter/CAHNn8BWD_jc1XBe%2BoJbbcjfD4-zwAL%2B6T6icndy-q5uoiMVnvA%40mail.gmail.com >>> <https://groups.google.com/d/msgid/jupyter/CAHNn8BWD_jc1XBe%2BoJbbcjfD4-zwAL%2B6T6icndy-q5uoiMVnvA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>> . >>> For more options, visit https://groups.google.com/d/optout. >>> >> -- > You received this message because you are subscribed to the Google Groups > "Project Jupyter" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To post to this group, send email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/jupyter/5e8b6d94-75e0-4085-ba5d-8a5271b44ee1%40googlegroups.com > <https://groups.google.com/d/msgid/jupyter/5e8b6d94-75e0-4085-ba5d-8a5271b44ee1%40googlegroups.com?utm_medium=email&utm_source=footer> > . > > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "Project Jupyter" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jupyter/CAHNn8BWH5GtJ9m7_hJG4EFCHZiGVdVY1NkHVo%2Bp7cg2TuFCt8Q%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
