Does anyone have experience implementing JWT in Jupyterhub 4.x? I am attempting to use https://github.com/mogthesprog/jwtauthenticator but am running into 401s regardless of what I submit. My config in jupyterhub_config.py looks like this:

# JWT Config
c.JupyterHub.authenticator_class = 'jwtauthenticator.jwtauthenticator.JSONWebTokenAuthenticator'
c.JSONWebTokenAuthenticator.secret = '<redacted>'             # The secrect key used to generate the given token
c.JSONWebTokenAuthenticator.username_claim_field = 'username'
c.JSONWebTokenAuthenticator.expected_audience = ''
c.JSONWebLocalTokenAuthenticator.create_system_users = False
#c.JSONWebTokenAuthenticator.header_name = 'Authorization'                         # default value

The service starts without issue. I am trying to generate a sample payload to feed into a browser bar to test logins, which I generate with the following code:

#!/usr/bin/env python3                                                                                                                                                                         
                                                                                                                                                                                               
import jwt                                                                                                                                                                                     
import time                                                                                                                                                                                    
                                                                                                                                                                                               
jup_payload = {                                                                                                                                                                                
            "iat": int(time.time()),                                                                                                                                                           
            "username": "testuser",                                                                                                                                                            
            }                                                                                                                                                                                  
                                                                                                                                                                                               
jup_jwt_token = '<redacted>'                                                                                                                                              
                                                                                                                                                                                                                                                       
jwt_string = jwt.encode(jup_payload, jup_jwt_token, "HS256")                                                                                                                                  
                                                                                                                                                                                               
print(jwt_string) 

I know from looking at the jwtauthenticator code that I need an Authorization header with bearer (yes, lowercase), but I’m unsure what to include there. Do I need a token associated with a defined role and service in the Jupyterhub config? When I attempt to define those and include the header in my generated token, I still get a 401.

Finally, what is the URL I should be testing against? I am using https://<hostname>:8443/hub/login?<token_generated_above> and also https://<hostname>:8443/hub/login?token=<token_generated_above>. Again, these result in 401 responses.

Some facts:

• Jupyterhub runs fine with PAM authentication on the port defined above.
• We are an LDAP shop. There are no local users in this deployment.
• We are working on Jupyterhub v4.0.2.

Many thanks for any ideas or experience you can share.

Defined configs as instructed in JWT project README. Generated a JWT and attempted to feed it to the application in a browser.