JupyterHub Azure Gov OAuth posts to non-Gov AAD Authority endpoints, not the ones set in App Registration

Context:

  • I have the JupyterHub Helm chart deployed on AWS EKS, following the instructions here: https://zero-to-jupyterhub.readthedocs.io/en/latest/kubernetes/index.html
  • for SSO for all our apps, we use Azure Gov AD
  • in Azure App Registration, as required for apps authenticated on Azure Gov, the Authority Endpoints are set up correctly to hit https://login.microsoftonline.us/<tenant_id>/oauth2/token, as shown in the attached pic
  • however, when I try SSO into JupyterHub, the connection in Auth0 is hitting https://login.microsoftonline.com instead, as shown in the attached logs from the pod running JupyterHub, resulting in a 500 Status error

What could be causing the Auth0 connection to hit a different, wrong endpoint not specified in the AAD App Registration?

Did anyone face similar issues trying to authenticate an app on Azure Gov?

Is this an error on Azure AD side, or how OAuthenticator is configured on JupyterHub?

AAD Endpoints

k logs hub-78c6c9ff4f-znbxp -n jupyterhub2 --follow
[E 2022-03-03 02:15:58.325 JupyterHub oauth2:389] Error fetching 400 POST https://login.microsoftonline.com/<tenant_id>/oauth2/token: {
    "correlation_id": <id>,
    "error": "invalid_request",
    "error_codes": [
        900432
    ],
    "error_description": "AADSTS900432: Confidential Client is not supported in Cross Cloud request.\r\nTrace ID: 9898f82e-b503-4c47-8ae4-859d8d54b500\r\nCorrelation ID: a86756e7-8aaa-4eb9-876a-1db5d145889d\r\nTimestamp: 2022-03-03 02:15:58Z",
    "timestamp": "2022-03-03 02:15:58Z",
    "trace_id": "9898f82e-b503-4c47-8ae4-859d8d54b500"
}


Solution 1:

I got this resolved - TL;DR the AzureOAuthenticator from JupyterHub isn't built for Azure Gov apps. It defaults to an Auth0 endpoint that is only for non-Gov Azure apps.

So I had to create my own authenticator with the correct configuration from Azure AD app registration.

Also, I was using my secret ID instead of the secret value.
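An added example, not code from the question or answer above: it derives the Azure Gov (login.microsoftonline.us) authorize/token URLs for a tenant, renders the jupyterhub_config.py overrides, and checks hub log output for the cross-cloud symptom seen in the question (a token POST to login.microsoftonline.com plus AADSTS900432). The `c.AzureAdOAuthenticator.authorize_url` / `token_url` overrides assume an oauthenticator release in which AzureAdOAuthenticator honours those base-class traitlets; older releases hard-code the public-cloud host, which is why the answer subclassed it. The cloud-to-host mapping and the sample log are constructed for this example.

```python
import re
from urllib.parse import urlparse

# AAD authority hosts per cloud. The two hosts are the ones named in the
# question; the mapping itself is constructed for this example.
AUTHORITY_HOSTS = {
    "public": "login.microsoftonline.com",
    "usgov": "login.microsoftonline.us",
}

def aad_endpoints(tenant_id: str, cloud: str) -> dict:
    """Derive the v1 OAuth2 authorize/token URLs for a tenant in a given cloud."""
    base = f"https://{AUTHORITY_HOSTS[cloud]}/{tenant_id}/oauth2"
    return {"authorize_url": f"{base}/authorize", "token_url": f"{base}/token"}

def config_overrides(tenant_id: str, cloud: str) -> list:
    """jupyterhub_config.py lines pinning the authenticator to one cloud.
    Assumes AzureAdOAuthenticator honours the base-class authorize_url /
    token_url traitlets (older releases hard-code the public host)."""
    ep = aad_endpoints(tenant_id, cloud)
    return [f"c.AzureAdOAuthenticator.{name} = {url!r}" for name, url in ep.items()]

_POST_RE = re.compile(r"Error fetching (\d{3}) POST (\S+): ")
_AADSTS_RE = re.compile(r"AADSTS(\d+)")

def diagnose(log_text: str, expected_cloud: str) -> dict:
    """Inspect hub log output for a token POST that left the expected cloud.
    Returns the host actually used, whether it is cross-cloud, and the
    AADSTS code found in the error body (None when absent)."""
    m = _POST_RE.search(log_text)
    if not m:
        return {"posted_host": None, "cross_cloud": False, "aadsts": None}
    host = urlparse(m.group(2)).hostname
    code = _AADSTS_RE.search(log_text)
    return {
        "posted_host": host,
        "cross_cloud": host != AUTHORITY_HOSTS[expected_cloud],
        "aadsts": code.group(1) if code else None,
    }

# Constructed sample: the shape of the hub log from the question (ids redacted).
SAMPLE_LOG = (
    "[E 2022-03-03 02:15:58.325 JupyterHub oauth2:389] Error fetching 400 POST "
    "https://login.microsoftonline.com/<tenant_id>/oauth2/token: {\n"
    '  "error": "invalid_request",\n'
    '  "error_description": "AADSTS900432: Confidential Client is not supported '
    'in Cross Cloud request."\n}'
)
```

Running `diagnose(SAMPLE_LOG, "usgov")` flags the POST as cross-cloud with code 900432, which is the condition to look for before touching the App Registration.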

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1: Jae Ryu