How to get an access_token? #256

Open
BigFlagBurito opened this issue Nov 27, 2024 · 4 comments
@BigFlagBurito

Hello,

I'm sorry, but my request has nothing to do with a bug or a feature request.
I just don't know where else to ask my question.

I am happy to have found an improved version of nbgrader. But I am failing to install and configure the grader-service/grader-labextension.

This is the current status of the hub.

  • JupyterHub is already running via Kubernetes (Kubespawner).
  • I was able to successfully deploy the grader service via Helm.
  • I get the version of the grader service via the Services tab.
  • There is a profile on which grader-labextension is installed.
  • Our JupyterHub uses a revised authenticator of the ‘jhub_remote_user_authenticator’ so that users can log in via Shibboleth.

The ‘Get-Started’ and the ‘Administrator Guide’ confuse me. Maybe it is also possible that the grader service cannot be used for our use case.
I'm at a point where I don't know what the next step is. I have added the userdata_hook. But where do I get access_token from?
I hope you can help me.

Thank you very much for your help.

@BigFlagBurito BigFlagBurito changed the title How to get access_token? How to get an access_token? Nov 27, 2024
@BigFlagBurito
Author

Hello,

I have made it so far that a user can log in to the grader service semi-automatically.
In the first step, the grader service authenticates the user at JupyterHub and in the second step, the service returns the access_token to JupyterHub. The grader-labextension successfully receives the access_token and can also access the service.

But now I am facing another hurdle. The service does not know which users are in which groups. The following things are not clear to me from the source code and the documentation:

  • At which point does the service get the information from JupyterHub in which groups (e.g. lect1:instructor or lect1:student) a user is? Does something else have to be specified in the configuration (service or JupyterHub)?
  • Where is it specified for the labextension for which lecture it should obtain the data? Or will it always retrieve all lectures for a user regardless of which profile is started?

@florian-jaeger
Contributor

Hi,

sorry for the late reply!

We use a "build-your-own" solution for authorization. While authentication workflows are standardized, the scopes or groups we receive from different systems can vary significantly. To address this, we provide a post_auth_hook function that you can use to dynamically create roles, lectures, or other resources. You can find more details about this functionality here in the documentation for the LTI authenticator.

This setup allows us to decouple authentication from authorization. For instance, you could use an OAuth2 provider for authentication while relying on a different system, such as the Moodle REST API, for authorization.

To address your questions:

  • In the current version, communication is unidirectional from the grader service to JupyterHub (we actually want to fully decouple both systems at some point). While roles in the grader service can be utilized by JupyterHub, the reverse is not supported. To add users to lectures, you can use the post_auth_hook.
  • The labextension checks the user’s permissions at startup. As a result, users will have access to all lectures they are part of, regardless of the Jupyter environment.

@BigFlagBurito
Author

Thanks for the quick reply, now I understand it much better and have already been able to add an instructor and a student.
For testing purposes, I am going through the process from ‘instructor creates an assignment’ to ‘instructor gives the feedback’ and I wanted to ask if there are certain setting options. Perhaps I have overlooked these.

  • When a user authenticates with the service, the page oauth.html appears. Is it possible for the user to be authenticated directly without seeing the page?
  • When starting the autograde, the new pod cannot download the default image. This is not the problem, because I quickly found out that I can use the configuration c.KubeAutogradeExecutor.image_config_path to specify which image can be used for which lecture. My question is, is it also possible to specify the image_pull_secrets? This would be very helpful because otherwise the autograder cannot download the images.
  • I also get an error message in the console from the service. However, this does not seem to have any influence on anything. Because so far there were no error messages in the jupyter-user-pod nor was there a display in the JupyterLab.
DEBUG    2025-01-15 14:00:00,202 base_handler  | Recording first activity for <APIToken('SGVz...', user='username', client_id='hub')>
DEBUG    2025-01-15 14:00:00,211 base_handler  | Refreshing auth for username
INFO     2025-01-15 14:00:00,213 log           | 200 GET /services/grader/api/lectures/1/assignments/1 ([email protected]) 12.82ms
ERROR    2025-01-15 14:00:00,226 base_handler  | Failed to get current user
    Traceback (most recent call last):
      File "/usr/local/lib/python3.10/site-packages/grader_service/handlers/base_handler.py", line 161, in prepare
        raise HTTPError(401, reason="Git: authenticate request")
    tornado.web.HTTPError: HTTP 401: Git: authenticate request
WARNING  2025-01-15 14:00:00,227 log           | 401 GET /services/grader/git/lect1/1/source/info/refs?service=git-upload-pack (@XX.XXX.0.150) 1.21ms
DEBUG    2025-01-15 14:00:00,229 base_handler  | Recording first activity for <APIToken('SGVz...', user='username', client_id='hub')>
DEBUG    2025-01-15 14:00:00,239 base_handler  | Refreshing auth for username
INFO     2025-01-15 14:00:00,246 server        | Accessing git at: /var/lib/grader-service/git/lect1/1/source
INFO     2025-01-15 14:00:00,247 server        | Running command: git upload-pack --stateless-rpc --advertise-refs "/var/lib/grader-service/git/lect1/1/source"
Error from git response Stream is closed
INFO     2025-01-15 14:00:00,250 log           | 200 GET /services/grader/git/lect1/1/source/info/refs?service=git-upload-pack ([email protected]) 22.18ms

@florian-jaeger
Contributor

  • Currently this is hardcoded, but we can throw it out in the next release. It does not really serve a purpose in our app and is a relic from the jupyter oauth implementation.
  • Currently we cannot configure image_pull_secrets for the autograde pod, but it would be rather simple to implement and it is kind of an important feature. I will open an issue for this.
  • You receive the error message because git first tries to send an unauthenticated request (this is part of the git standard). After the request is rejected, git automatically sends the authenticated request. We should probably also not log this interaction.
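
Added example (not part of the thread or of the grader-service code): a log triage sketch for the 401-then-200 git pattern described in the reply above. It treats a 401 on a git path as benign when an authenticated 200 for the same path and client address follows shortly after, and reports the rest. The sample lines are constructed in the log format shown in the thread; the 5-second window and matching on client address are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the access-log format quoted in the thread.
SAMPLE_LOG = """\
WARNING  2025-01-15 14:00:00,227 log           | 401 GET /services/grader/git/lect1/1/source/info/refs?service=git-upload-pack (@192.0.2.10) 1.21ms
INFO     2025-01-15 14:00:00,250 log           | 200 GET /services/grader/git/lect1/1/source/info/refs?service=git-upload-pack (alice@192.0.2.10) 22.18ms
WARNING  2025-01-15 14:05:10,100 log           | 401 GET /services/grader/git/lect1/2/source/info/refs?service=git-upload-pack (@192.0.2.99) 1.10ms
WARNING  2025-01-15 14:05:11,300 log           | 401 GET /services/grader/git/lect1/2/source/info/refs?service=git-upload-pack (@192.0.2.99) 1.05ms
"""

# Matches only the "log | <status> <method> <path> (<user>@<ip>)" access lines.
ACCESS = re.compile(
    r"^\w+\s+(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) log\s+\| "
    r"(?P<status>\d{3}) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"\((?P<user>[^@)]*)@(?P<ip>[^)]+)\)"
)


def classify_git_401s(text, window=timedelta(seconds=5)):
    """Split 401s on git paths into (benign, unresolved) lists.

    benign: followed within `window` by a 200 for the same path and client
    address that carries a user name (git's anonymous probe, then retry).
    unresolved: no authenticated follow-up, worth a closer look.
    """
    events = []
    for line in text.splitlines():
        m = ACCESS.match(line)
        if m and "/git/" in m["path"]:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
            events.append((ts, int(m["status"]), m["path"], m["user"], m["ip"]))

    benign, unresolved = [], []
    for i, (ts, status, path, _user, ip) in enumerate(events):
        if status != 401:
            continue
        followed = any(
            s == 200 and p == path and a == ip and bool(u) and ts <= t <= ts + window
            for t, s, p, u, a in events[i + 1:]
        )
        (benign if followed else unresolved).append((ts, path, ip))
    return benign, unresolved


if __name__ == "__main__":
    ok, open_401s = classify_git_401s(SAMPLE_LOG)
    print(f"benign probes: {len(ok)}, unresolved 401s: {len(open_401s)}")
```

If requests reach the service through a proxy, the logged address may be the proxy's, so matching on address alone becomes less precise.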
