JupyterHub OAuth to Azure Government

[breauxaj]

Bug description

Configured AzureAdOAuthenticator with an App Registration, but seeing this error in logs after login attempt

Error fetching 400 POST https://login.microsoftonline.com//oauth2/token

But that URL doesn't make sense since we're an Azure Gov customer, and the url should be

https://login.microsoftonline.us/

Suggesting that the URL is assumed/hardcoded?

How to reproduce

After Azure Login, the error (truncated to not disclose sensitive info)

500 : Internal Server Error

In the hub logs

"error": "invalid_request",
"error_codes": [
900432
],
"error_description": "AADSTS900432: Confidential Client is not supported in Cross Cloud request.

Expected behaviour

Successful login, access to the app

Actual behaviour

Generates a 500 error in browser and logs

Traceback (most recent call last):
  File "/usr/local/lib/python3.12/site-packages/tornado/web.py", line 1790, in _execute
    result = await result
             ^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/oauthenticator/oauth2.py", line 245, in get
    user = await self.login_user()
           ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/jupyterhub/handlers/base.py", line 964, in login_user
    authenticated = await self.authenticate(data)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/jupyterhub/auth.py", line 688, in get_authenticated_user
    authenticated = await maybe_future(self.authenticate(handler, data))
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/oauthenticator/oauth2.py", line 1316, in authenticate
    token_info = await self.get_token_info(handler, access_token_params)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/oauthenticator/oauth2.py", line 1092, in get_token_info
    token_info = await self.httpfetch(
                 ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/oauthenticator/oauth2.py", line 892, in httpfetch
    return await self.fetch(
           ^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/oauthenticator/oauth2.py", line 858, in fetch
    raise e
  File "/usr/local/lib/python3.12/site-packages/oauthenticator/oauth2.py", line 837, in fetch
    resp = await self.http_client.fetch(req, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
tornado.httpclient.HTTPClientError: HTTP 400: Bad Request 

Your personal set up

Internal Kubernetes deployment

[breauxaj]

Looks like the values are hard coded:

./oauthenticator/tests/test_azuread.py: host=['login.microsoftonline.com'],
./oauthenticator/tests/test_azuread.py: "iss": f"https://login.microsoftonline.com/{tenant_id}/v2.0",
./oauthenticator/azuread.py: return f"https://login.microsoftonline.com/{self.tenant_id}/oauth2/authorize"
./oauthenticator/azuread.py: return f"https://login.microsoftonline.com/{self.tenant_id}/oauth2/token"