403 during client_init - '_xsrf' argument missing from POST

[YStrauchP4]

Bug description

RStudio's interface comes up but I see an initialization error about client_init

Using the web developer tools, I can see that the underlying error thrown is '_xsrf' argument missing from POST.

How to reproduce

1. Build a singleuser container.
   This is my Dockerfile:

FROM --platform=linux/amd64 quay.io/jupyter/base-notebook

ARG JUPYTER_VERSION=4.1.0

# Install jupyter-hub in the correct version
# must align with the main server
RUN pip install "jupyterhub==${JUPYTER_VERSION}"

# R INSTALL
USER root
RUN apt-get update && \
    apt-get install --no-install-recommends -y r-base=4.3.3-2build2
RUN pip install jupyter-rsession-proxy

# R STUDIO INSTALL
# Fixes "Depends: libssl1.1 (>= 1.1.1) but it is not installable"
RUN echo "deb http://security.ubuntu.com/ubuntu focal-security main" | tee /etc/apt/sources.list.d/focal-security.list

# Install gdebi
RUN apt-get update && apt-get install --no-install-recommends -y gdebi-core

# Install RStudio
RUN wget https://download2.rstudio.org/server/focal/amd64/rstudio-server-2024.09.0-375-amd64.deb && \
    gdebi --non-interactive rstudio-server-2024.09.0-375-amd64.deb && \
    rm rstudio-server-2024.09.0-375-amd64.deb

# Fix permissions
RUN chown -R ${NB_UID}:${NB_GID} /home/${NB_USER}

# Grant sudo to user
RUN usermod -a -G sudo ${NB_USER}
RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
USER ${NB_USER}

2. Configure jupyterhub
   Full config shared below, but essentially this is a jupyterhub instance that authenticates against KeyCloak and uses a DockerSpawner to fire up the single-user container from above.
   The python bit works. I can share more details for reproduction if necessary!

3. Start Jupyerhub and click on the RStudio link in the dispatcher

Expected behaviour

RStudio shows up and is logged in

Actual behaviour

See the bug description above

Your personal set up

Jupyterhub is containerized too (docker-compose).
Using KeyCloak for authentication with GenericOAuthenticator.
The singleuser instance is a docker container built with the Dockerfile above.
I set GenericOAuthenticator.enable_auth_state = True

• OS:
  My host is MacOS, the Dockerfile is currently hardcoded to linux/amd64 architecture.
  The dockerfile ultimately inherits from ubuntu:24.04.

• Version(s):
  Python 3.12.7
  Jupyter version 4.1.0
  R 4.3.3
  rstudio-server 2024.09.0+375

Full environment

# pip freeze
alembic @ file:///tmp/wheelhouse/alembic-1.13.1-py3-none-any.whl#sha256=2edcc97bed0bd3272611ce3a98d98279e9c209e7186e43e75bbb1b2bdfdbcc43
anyio==4.6.0
argon2-cffi==23.1.0
argon2-cffi-bindings==21.2.0
arrow==1.3.0
asttokens==2.4.1
async-generator @ file:///tmp/wheelhouse/async_generator-1.10-py3-none-any.whl#sha256=01c7bf666359b4967d2cda0000cc2e4af16a0ae098cbffcb8472fb9e8ad6585b
async-lru==2.0.4
attrs @ file:///tmp/wheelhouse/attrs-23.2.0-py3-none-any.whl#sha256=99b87a485a5820b23b879f04c2305b44b951b502fd64be915879d77a7e8fc6f1
babel==2.16.0
beautifulsoup4==4.12.3
bleach==6.1.0
certifi @ file:///tmp/wheelhouse/certifi-2024.2.2-py3-none-any.whl#sha256=dc383c07b76109f368f6106eee2b593b04a011ea4d55f652c6ca24a754d1cdd1
certipy @ file:///tmp/wheelhouse/certipy-0.1.3-py3-none-any.whl#sha256=f272c13bfa9af6b2f3f746329d08adb66af7dd0bbb08fc81175597f25a7284b5
cffi @ file:///tmp/wheelhouse/cffi-1.16.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl#sha256=a72e8961a86d19bdb45851d8f1f08b041ea37d2bd8d4fd19903bc3083d80c896
charset-normalizer @ file:///tmp/wheelhouse/charset_normalizer-3.3.2-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl#sha256=6897af51655e3691ff853668779c7bad41579facacf5fd7253b0133308cf000d
comm==0.2.2
cryptography @ file:///tmp/wheelhouse/cryptography-42.0.5-cp39-abi3-manylinux_2_28_aarch64.whl#sha256=7367d7b2eca6513681127ebad53b2582911d1736dc2ffc19f2c3ae49997496bc
debugpy==1.8.7
decorator==5.1.1
defusedxml==0.7.1
docker==7.1.0
dockerspawner==13.0.0
escapism==1.0.1
exceptiongroup==1.2.2
executing==2.1.0
fastjsonschema==2.20.0
fqdn==1.5.1
greenlet @ file:///tmp/wheelhouse/greenlet-3.0.3-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl#sha256=d353cadd6083fdb056bb46ed07e4340b0869c305c8ca54ef9da3421acbdf6881
gyp==0.1
h11==0.14.0
httpcore==1.0.6
httpx==0.27.2
idna @ file:///tmp/wheelhouse/idna-3.6-py3-none-any.whl#sha256=c05567e9c24a6b9faaa835c4821bad0590fbb9d5779e7caa6e1cc4978e7eb24f
ipykernel==6.29.5
ipython==8.28.0
ipython-genutils==0.2.0
isoduration==20.11.0
jedi==0.19.1
Jinja2 @ file:///tmp/wheelhouse/Jinja2-3.1.3-py3-none-any.whl#sha256=7d6d50dd97d52cbc355597bd845fabfbac3f551e1f99619e39a35ce8c370b5fa
json5==0.9.25
jsonpointer==3.0.0
jsonschema @ file:///tmp/wheelhouse/jsonschema-4.21.1-py3-none-any.whl#sha256=7996507afae316306f9e2290407761157c6f78002dcf7419acb99822143d1c6f
jsonschema-specifications @ file:///tmp/wheelhouse/jsonschema_specifications-2023.12.1-py3-none-any.whl#sha256=87e4fdf3a94858b8a2ba2778d9ba57d8a9cafca7c7489c46ba0d30a8bc6a9c3c
jupyter-events==0.10.0
jupyter-highlight-selected-word==0.2.0
jupyter-lsp==2.2.5
jupyter-telemetry @ file:///tmp/wheelhouse/jupyter_telemetry-0.1.0-py3-none-any.whl#sha256=1de3e423b23aa40ca4a4238d65c56dda544061ff5aedc3f7647220ed7e3b9589
jupyter_client==8.6.3
jupyter_contrib_core==0.4.2
jupyter_contrib_nbextensions==0.7.0
jupyter_core==5.7.2
jupyter_nbextensions_configurator==0.6.4
jupyter_server==2.14.2
jupyter_server_terminals==0.5.3
jupyterhub @ file:///tmp/wheelhouse/jupyterhub-4.1.0-py3-none-any.whl#sha256=6de62909fb8951fbd6e7f702ad8b53aaf419266152d55498329114c0d0c94a9e
jupyterlab==4.2.5
jupyterlab_pygments==0.3.0
jupyterlab_server==2.27.3
lxml==5.3.0
Mako @ file:///tmp/wheelhouse/Mako-1.3.2-py3-none-any.whl#sha256=32a99d70754dfce237019d17ffe4a282d2d3351b9c476e90d8a60e63f133b80c
MarkupSafe @ file:///tmp/wheelhouse/MarkupSafe-2.1.5-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl#sha256=e61659ba32cf2cf1481e575d0462554625196a1f2fc06a1c777d3f48e8865d46
matplotlib-inline==0.1.7
mistune==3.0.2
nbclient==0.10.0
nbconvert==7.16.4
nbformat==5.10.4
nest-asyncio==1.6.0
notebook==7.2.2
notebook_shim==0.2.4
oauthenticator==17.0.0
oauthlib @ file:///tmp/wheelhouse/oauthlib-3.2.2-py3-none-any.whl#sha256=8139f29aac13e25d502680e9e19963e83f16838d48a0d71c287fe40e7067fbca
overrides==7.7.0
packaging @ file:///tmp/wheelhouse/packaging-24.0-py3-none-any.whl#sha256=2ddfb553fdf02fb784c234c7ba6ccc288296ceabec964ad2eae3777778130bc5
pamela @ file:///tmp/wheelhouse/pamela-1.1.0-py2.py3-none-any.whl#sha256=f4534bba9645665b01adfce0134772b0147faea72c278f67a1a732e7ebd46ec6
pandocfilters==1.5.1
parso==0.8.4
pexpect==4.9.0
platformdirs==4.3.6
prometheus_client @ file:///tmp/wheelhouse/prometheus_client-0.20.0-py3-none-any.whl#sha256=cde524a85bce83ca359cc837f28b8c0db5cac7aa653a588fd7e84ba061c329e7
prompt_toolkit==3.0.48
psutil==6.0.0
ptyprocess==0.7.0
pure_eval==0.2.3
pycparser @ file:///tmp/wheelhouse/pycparser-2.21-py2.py3-none-any.whl#sha256=8ee45429555515e1f6b185e78100aea234072576aa43ab53aefcae078162fca9
pycurl==7.44.1
Pygments==2.18.0
PyJWT==2.9.0
pyOpenSSL @ file:///tmp/wheelhouse/pyOpenSSL-24.1.0-py3-none-any.whl#sha256=17ed5be5936449c5418d1cd269a1a9e9081bc54c17aed272b45856a3d3dc86ad
python-dateutil @ file:///tmp/wheelhouse/python_dateutil-2.9.0.post0-py2.py3-none-any.whl#sha256=a8b2bc7bffae282281c8140a97d3aa9c14da0b136dfe83f850eea9a5f7470427
python-json-logger @ file:///tmp/wheelhouse/python_json_logger-2.0.7-py3-none-any.whl#sha256=f380b826a991ebbe3de4d897aeec42760035ac760345e57b812938dc8b35e2bd
PyYAML==6.0.2
pyzmq==26.2.0
referencing @ file:///tmp/wheelhouse/referencing-0.34.0-py3-none-any.whl#sha256=d53ae300ceddd3169f1ffa9caf2cb7b769e92657e4fafb23d34b93679116dfd4
requests @ file:///tmp/wheelhouse/requests-2.31.0-py3-none-any.whl#sha256=58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f
rfc3339-validator==0.1.4
rfc3986-validator==0.1.1
rpds-py @ file:///tmp/wheelhouse/rpds_py-0.18.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl#sha256=01e36a39af54a30f28b73096dd39b6802eddd04c90dbe161c1b8dbe22353189f
ruamel.yaml @ file:///tmp/wheelhouse/ruamel.yaml-0.18.6-py3-none-any.whl#sha256=57b53ba33def16c4f3d807c0ccbc00f8a6081827e81ba2491691b76882d0c636
ruamel.yaml.clib @ file:///tmp/wheelhouse/ruamel.yaml.clib-0.2.8-cp310-cp310-manylinux_2_24_aarch64.whl#sha256=aa2267c6a303eb483de8d02db2871afb5c5fc15618d894300b88958f729ad74f
Send2Trash==1.8.3
six @ file:///tmp/wheelhouse/six-1.16.0-py2.py3-none-any.whl#sha256=8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254
sniffio==1.3.1
soupsieve==2.6
SQLAlchemy @ file:///tmp/wheelhouse/SQLAlchemy-2.0.28-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl#sha256=feea693c452d85ea0015ebe3bb9cd15b6f49acc1a31c28b3c50f4db0f8fb1e71
stack-data==0.6.3
terminado==0.18.1
tinycss2==1.3.0
tomli==2.0.2
tornado @ file:///tmp/wheelhouse/tornado-6.4-cp38-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl#sha256=f7894c581ecdcf91666a0912f18ce5e757213999e183ebfc2c3fdbf4d5bd764e
traitlets @ file:///tmp/wheelhouse/traitlets-5.14.2-py3-none-any.whl#sha256=fcdf85684a772ddeba87db2f398ce00b40ff550d1528c03c14dbf6a02003cd80
types-python-dateutil==2.9.0.20241003
typing_extensions @ file:///tmp/wheelhouse/typing_extensions-4.10.0-py3-none-any.whl#sha256=69b1a937c3a517342112fb4c6df7e72fc39a38e7891a5730ed4985b5214b5475
uri-template==1.3.0
urllib3 @ file:///tmp/wheelhouse/urllib3-2.2.1-py3-none-any.whl#sha256=450b20ec296a467077128bff42b73080516e71b56ff59a60a02bef2232c4fa9d
wcwidth==0.2.13
webcolors==24.8.0
webencodings==0.5.1
websocket-client==1.8.0

Configuration

# jupyterhub_config.py
import os
c = get_config()  # noqa: F821
c.JupyterHub.hub_connect_url = "http://jupyterhub:8081"
c.JupyterHub.bind_url = "http://0.0.0.0:8000"
c.Spawner.cmd = "jupyterhub-singleuser"
c.JupyterHub.spawner_class = "dockerspawner.DockerSpawner"
c.DockerSpawner.network_name = "reveal20-jupyterhub"
c.DockerSpawner.image = os.environ["JUPYTER_CONTAINER"]  # jupyter-singleuser:latest
c.DockerSpawner.remove = True
c.JupyterHub.authenticator_class = "oauthenticator.generic.GenericOAuthenticator"
c.GenericOAuthenticator.auto_login = True
c.GenericOAuthenticator.client_id = os.environ["JUPYTERHUB_OAUTH2_CLIENT_ID"]
c.GenericOAuthenticator.client_secret = os.environ["JUPYTERHUB_OAUTH2_CLIENT_SECRET"]
c.GenericOAuthenticator.oauth_callback_url = (
    os.environ["JUPYTERHUB_URL"] + "/hub/oauth_callback"
)
c.GenericOAuthenticator.authorize_url = (
    os.environ["KC_REALM_URL"] + "/protocol/openid-connect/auth"
)
c.GenericOAuthenticator.token_url = (
    os.environ["KC_REALM_URL"] + "/protocol/openid-connect/token"
)
c.GenericOAuthenticator.userdata_url = (
    os.environ["KC_REALM_URL"] + "/protocol/openid-connect/userinfo"
)
c.GenericOAuthenticator.logout_redirect_url = (
    os.environ["KC_REALM_URL"]
    + "/protocol/openid-connect/logout?redirect_uri="
    + os.environ["JUPYTERHUB_URL"]
)
c.GenericOAuthenticator.scope = ["openid", "profile", "email"]
def get_claim(data):
    return data["email"]
c.GenericOAuthenticator.username_claim = get_claim
c.OAuthenticator.allow_all = True
c.GenericOAuthenticator.enable_auth_state = True

Logs