The following GitHub scopes may be suitable for certain use cases:
read:org grants access to the users’ organizations. This is handy if
you want to use GitHub organizations in your backend environment as Unix
groups for collaboration purposes. Having globally consistent UIDs
(from the GitHub ID) and GIDs (from the organization IDs) makes access
permissions on shared storage much easier.
public_repo allows “trusted users” read and write privileges for
public repositories. If you want to automatically provision
pushes to GitHub, you can accomplish this by passing a token with this
scope to your Lab or classic Notebook instance.
repo does the same for private repositories too.
user:email allows the authenticator to determine email addresses even
if they are marked private. Having access to email addresses, in
conjunction with read/write repository access, allows preconfiguring the
user’s git configuration for GitHub pushes without any required action
by the user.
The additional fields exposed by expanded scope are all stored in the
auth_state structure, so you’ll need to enable
auth_state and install the Python
cryptography package to be able to
We currently use the following fields:
id is an integer set to the GitHub account ID.
login is the GitHub username.
name is the full name GitHub knows the user by.
access_token is the token used to authenticate to GitHub.
teams is a list of teams the user is part of, fetched only if
populate_teams_in_auth_state option is set to
read:org scope is also required for this to work.
To use this expanded user information, you will need to subclass your
current spawner and modify the subclass to read these fields from
auth_state and then use this information to provision your Notebook or
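An added example, not code from the OAuthenticator project: a spawner mixin that reads the fields listed above from auth_state and exports them to the user's server as environment variables. The GITHUB_* variable names, the mixin, the pass_github_token switch and the nested "github_user" fallback are assumptions made for this example; GIT_AUTHOR_NAME and GIT_COMMITTER_NAME are variables git itself reads.

```python
import asyncio


def env_from_auth_state(auth_state, pass_token=False):
    """Map GitHub auth_state fields to environment variables for the user server."""
    if not auth_state:
        # get_auth_state() returns None when auth_state is not enabled or cannot
        # be decrypted; fail closed instead of spawning with a guessed identity.
        raise ValueError("auth_state is empty; enable auth_state on the Hub")
    # Assumption: profile fields are top-level, or nested under "github_user".
    profile = auth_state.get("github_user") or auth_state
    login = profile["login"]
    name = profile.get("name") or login  # the full name may be unset on GitHub
    env = {
        "GITHUB_ID": str(int(profile["id"])),  # stable integer, usable as a UID
        "GITHUB_LOGIN": login,
        "GIT_AUTHOR_NAME": name,
        "GIT_COMMITTER_NAME": name,
    }
    if pass_token:
        # The token carries every scope that was requested (e.g. repo), so it
        # is exported only on explicit opt-in. Variable name is hypothetical.
        env["GITHUB_ACCESS_TOKEN"] = auth_state["access_token"]
    return env


class GitHubAuthStateMixin:
    """Use as: class MySpawner(GitHubAuthStateMixin, YourCurrentSpawner)."""

    pass_github_token = False  # hypothetical switch, off by default

    async def start(self):
        auth_state = await self.user.get_auth_state()
        self.environment.update(
            env_from_auth_state(auth_state, self.pass_github_token)
        )
        return await super().start()


if __name__ == "__main__":
    # Constructed sample auth_state; the token is a placeholder, not a real one.
    sample = {"access_token": "constructed-token", "id": 4242,
              "login": "octo", "name": "Octo Cat", "teams": []}
    print(env_from_auth_state(sample))
```

Anything placed in the environment is readable by every process in the user's server, so leave pass_github_token off unless the server really needs to push on the user's behalf.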
If you would like to restrict access to members of specific GitHub organizations
you can pass a list of organization names to
For example, the below will ensure that only members of
org_b will be authorized to access.
c.GitHubOAuthenticator.allowed_organizations = ["org_a", "org_b"]
It is also possible to restrict access to members of specific teams within
organizations using the syntax:
For example, the below will only allow members of
org_b access. Members of
org_b but not
team_1 will be
unauthorized to access.
c.GitHubOAuthenticator.allowed_organizations = ["org_a", "org_b:team_1"]
Restricting access by either organization or team requires the
Ensure you use the organization/team name as it appears in the GitHub URL.