Custom Authenticator to use MediaWiki OAuth with JupyterHub

Requires mwoauth package.

class oauthenticator.mediawiki.MWOAuthenticator(**kwargs)
admin_users c.MWOAuthenticator.admin_users = Set()

Set of users that will have admin rights on this JupyterHub.

Admin users have extra privileges:
  • Use the admin panel to see list of users logged in

  • Add / remove users in some authenticators

  • Restart / halt the hub

  • Start / stop users’ single-user servers

  • Can access each individual users’ single-user server (if configured)

Admin access should be treated the same way root access is.

Defaults to an empty set, in which case no user has admin access.

allowed_users c.MWOAuthenticator.allowed_users = Set()

Set of usernames that are allowed to log in.

Use this with supported authenticators to restrict which users can log in. This is an additional list that further restricts users, beyond whatever restrictions the authenticator has in place.

If empty, does not perform any additional restriction.

Changed in version 1.2: Authenticator.whitelist renamed to allowed_users

auth_refresh_age c.MWOAuthenticator.auth_refresh_age = Int(300)

The max age (in seconds) of authentication info before forcing a refresh of user auth info.

Refreshing auth info allows, e.g. requesting/re-validating auth tokens.

See refresh_user() for what happens when user auth info is refreshed (nothing by default).

authorize_url c.MWOAuthenticator.authorize_url = Unicode('')

The authenticate url for initiating oauth

auto_login c.MWOAuthenticator.auto_login = Bool(False)

Automatically begin the login process

rather than starting with a “Login with…” link at /hub/login

To work, .login_url() must give a URL other than the default /hub/login, such as an oauth handler or another automatic login handler, registered with .get_handlers().

New in version 0.8.

blocked_users c.MWOAuthenticator.blocked_users = Set()

Set of usernames that are not allowed to log in.

Use this with supported authenticators to restrict which users can not log in. This is an additional block list that further restricts users, beyond whatever restrictions the authenticator has in place.

If empty, does not perform any additional restriction.

Changed in version 1.2: Authenticator.blacklist renamed to blocked_users

delete_invalid_users c.MWOAuthenticator.delete_invalid_users = Bool(False)

Delete any users from the database that do not pass validation

When JupyterHub starts, .add_user will be called on each user in the database to verify that all users are still valid.

If delete_invalid_users is True, any users that do not pass validation will be deleted from the database. Use this if users might be deleted from an external system, such as local user accounts.

If False (default), invalid users remain in the Hub’s database and a warning will be issued. This is the default to avoid data loss due to config changes.

enable_auth_state c.MWOAuthenticator.enable_auth_state = Bool(False)

Enable persisting auth_state (if available).

auth_state will be encrypted and stored in the Hub’s database. This can include things like authentication tokens, etc. to be passed to Spawners as environment variables.

Encrypting auth_state requires the cryptography package.

Additionally, the JUPYTERHUB_CRYPT_KEY environment variable must contain one (or more, separated by ;) 32B encryption keys. These can be either base64 or hex-encoded.

If encryption is unavailable, auth_state cannot be persisted.

New in JupyterHub 0.8

executor_threads c.MWOAuthenticator.executor_threads = Int(12)

Number of executor threads.

MediaWiki OAuth requests happen in this thread, so it is mostly waiting for network replies.

extra_authorize_params c.MWOAuthenticator.extra_authorize_params = Dict()

Extra GET params to send along with the initial OAuth request to the OAuth provider.

logout_redirect_url c.MWOAuthenticator.logout_redirect_url = Unicode('')

URL for logging out of Auth0

mw_index_url c.MWOAuthenticator.mw_index_url = Unicode('https://meta.wikimedia.org/w/index.php')

Full path to index.php of the MW instance to use to log in

oauth_callback_url c.MWOAuthenticator.oauth_callback_url = Unicode('')

Callback URL to use. Typically https://{host}/hub/oauth_callback

post_auth_hook c.MWOAuthenticator.post_auth_hook = Any(None)

An optional hook function that you can implement to do some bootstrapping work during authentication. For example, loading user account details from an external system.

This function is called after the user has passed all authentication checks and is ready to successfully authenticate. This function must return the authentication dict reguardless of changes to it.

This maybe a coroutine.


import os, pwd
def my_hook(authenticator, handler, authentication):
    user_data = pwd.getpwnam(authentication['name'])
    spawn_data = {
        'pw_data': user_data
        'gid_list': os.getgrouplist(authentication['name'], user_data.pw_gid)

    if authentication['auth_state'] is None:
        authentication['auth_state'] = {}
    authentication['auth_state']['spawn_data'] = spawn_data

    return authentication

c.Authenticator.post_auth_hook = my_hook
refresh_pre_spawn c.MWOAuthenticator.refresh_pre_spawn = Bool(False)

Force refresh of auth prior to spawn.

This forces refresh_user() to be called prior to launching a server, to ensure that auth state is up-to-date.

This can be important when e.g. auth tokens that may have expired are passed to the spawner via environment variables from auth_state.

If refresh_user cannot refresh the user auth data, launch will fail until the user logs in again.

scope c.MWOAuthenticator.scope = List()

The OAuth scopes to request. See the OAuth documentation of your OAuth provider for options. For GitHub in particular, you can see github_scopes.md in this repo.

token_url c.MWOAuthenticator.token_url = Unicode('')

The url retrieving an access token at the completion of oauth

userdata_url c.MWOAuthenticator.userdata_url = Unicode('')

The url for retrieving user data with a completed access token

username_map c.MWOAuthenticator.username_map = Dict()

Dictionary mapping authenticator usernames to JupyterHub users.

Primarily used to normalize OAuth user names to local users.

username_pattern c.MWOAuthenticator.username_pattern = Unicode('')

Regular expression pattern that all valid usernames must match.

If a username does not match the pattern specified here, authentication will not be attempted.

If not set, allow any username.

whitelist c.MWOAuthenticator.whitelist = Set()

Deprecated, use Authenticator.allowed_users