JupyterHub 集成飛書授權(quán)登錄

實(shí)現(xiàn)流程

1、獲取 OAuthenticator 源碼

git clone https://github.com/jupyterhub/oauthenticator.git

2、添加飛書登錄代碼 oauthenticator/oauthenticator/feishu.py

"""
FeiShu Authenticator with JupyterHub
"""
import os
from jupyterhub.auth import LocalAuthenticator
from tornado.httpclient import AsyncHTTPClient, HTTPRequest
from traitlets import Bool, List, Unicode, default

from .oauth2 import OAuthenticator
import json


class FeiShuOAuthenticator(OAuthenticator):

    login_service = 'FeiShu'

    tls_verify = Bool(
        os.environ.get('OAUTH2_TLS_VERIFY', 'True').lower() in {'true', '1'},
        config=True,
        help="Disable TLS verification on http request",
    )

    allowed_groups = List(
        Unicode(),
        config=True,
        help="Automatically allow members of selected groups",
    )

    admin_groups = List(
        Unicode(),
        config=True,
        help="Groups whose members should have Jupyterhub admin privileges",
    )

    @default("http_client")
    def _default_http_client(self):
        return AsyncHTTPClient(force_instance=True, defaults=dict(validate_cert=self.tls_verify))

    def _get_app_access_token(self):
        req = HTTPRequest(
            'https://open.feishu.cn/open-apis/auth/v3/app_access_token/internal/',
            method="POST",
            headers={
                'Content-Type': "application/json; charset=utf-8",
            },
            body=json.dumps({
                'app_id': self.client_id,
                'app_secret': self.client_secret
            }),
        )
        return self.fetch(req, "fetching app access token")

    def _get_user_access_token(self, app_access_token, code):
        req = HTTPRequest(
            'https://open.feishu.cn/open-apis/authen/v1/access_token',
            method="POST",
            headers={
                'Content-Type': "application/json; charset=utf-8",
                'Authorization': f'Bearer {app_access_token}'
            },
            body=json.dumps({
                "grant_type": "authorization_code",
                "code": code
            }),
        )
        return self.fetch(req, "fetching user access token")

    def _get_user_info(self, user_access_token, union_id):
        req = HTTPRequest(
            f'https://open.feishu.cn/open-apis/contact/v3/users/{union_id}?user_id_type=union_id',
            method="GET",
            headers={
                'Content-Type': "application/json; charset=utf-8",
                'Authorization': f'Bearer {user_access_token}'
            }
        )
        return self.fetch(req, "fetching user info")

    @staticmethod
    def _create_auth_state(token_response, user_info):
        access_token = token_response['access_token']
        refresh_token = token_response.get('refresh_token', None)
        scope = token_response.get('scope', '')
        if isinstance(scope, str):
            scope = scope.split(' ')

        return {
            'access_token': access_token,
            'refresh_token': refresh_token,
            'oauth_user': user_info,
            'scope': scope,
        }

    @staticmethod
    def check_user_in_groups(member_groups, allowed_groups):
        return bool(set(member_groups) & set(allowed_groups))

    async def authenticate(self, handler, data=None):
        code = handler.get_argument("code")
        app_access_token_resp = await self._get_app_access_token()
        user_access_token_resp = await self._get_user_access_token(app_access_token_resp['app_access_token'], code)
        user_info_resp = await self._get_user_info(user_access_token_resp['data']['access_token'], user_access_token_resp['data']['union_id'])
        self.log.info("user is %s", json.dumps(user_info_resp))
        user_info = user_info_resp['data']['user']

        user_info = {
            'name': user_info['name'],
            'auth_state': self._create_auth_state(user_access_token_resp['data'], user_info)
        }

        if self.allowed_groups:
            self.log.info('Validating if user claim groups match any of {}'.format(self.allowed_groups))
            groups = user_info['department_ids']
            if self.check_user_in_groups(groups, self.allowed_groups):
                user_info['admin'] = self.check_user_in_groups(groups, self.admin_groups)
            else:
                user_info = None

        return user_info


class LocalFeiShuOAuthenticator(LocalAuthenticator, FeiShuOAuthenticator):
    """A version that mixes in local system user creation"""
    pass

3、集成 OAuthenticator 到 JupyterHub 官方 Docker 鏡像

首先,添加文件 oauthenticator/Dockerfile

FROM jupyterhub/jupyterhub

RUN pip3 install notebook

ADD . .

RUN pip3 install -e .

然后,修改 oauthenticator/setup.py,在 'jupyterhub.authenticators' 數(shù)組中添加如下內(nèi)容:

            'feishu= oauthenticator.feishu:FeiShuOAuthenticator',
            'local-feishu = oauthenticator.feishu:LocalFeiShuOAuthenticator',

最后,構(gòu)建鏡像

docker build -t jupyterhub .

4、新建 JupyterHub 配置文件

新建文件 ~/jupyterhub_config.py ,內(nèi)容如下:

import pwd
import subprocess

from oauthenticator.feishu import FeiShuOAuthenticator
c.JupyterHub.authenticator_class = FeiShuOAuthenticator

app_id = '<飛書企業(yè)自建應(yīng)用 app_id>'
app_secret = '<飛書企業(yè)自建應(yīng)用 app_secret>'
c.FeiShuOAuthenticator.authorize_url = 'https://open.feishu.cn/open-apis/authen/v1/index'
c.FeiShuOAuthenticator.extra_authorize_params = {'redirect_uri': 'http://127.0.0.1:8000/hub/oauth_callback', 'app_id': app_id}
c.FeiShuOAuthenticator.client_id = app_id
c.FeiShuOAuthenticator.client_secret = app_secret


def pre_spawn_hook(spawner):
    username = spawner.user.name
    try:
        pwd.getpwnam(username)
    except KeyError:
        subprocess.check_call(['useradd', '-ms', '/bin/bash', username])


c.Spawner.pre_spawn_hook = pre_spawn_hook

提醒:飛書應(yīng)用后臺需配置「安全設(shè)置」「重定向 URL」,添加 http://127.0.0.1:8000/hub/oauth_callback

5、測試飛書登錄

使用 Docker 啟動 JupyterHub

docker run -it --rm \
-p 8000:8000 \
-v ~/jupyterhub_config.py:/srv/jupyterhub/jupyterhub_config.py \
jupyterhub \
jupyterhub -f /srv/jupyterhub/jupyterhub_config.py

啟動成功后,訪問 http://127.0.0.1:8000/ 即可測試飛書登錄。

參考資料

最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時請結(jié)合常識與多方信息審慎甄別。
平臺聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點(diǎn),簡書系信息發(fā)布平臺,僅提供信息存儲服務(wù)。

相關(guān)閱讀更多精彩內(nèi)容

友情鏈接更多精彩內(nèi)容