Upgrading CILogonOAuthenticator to version 15.0
The OAuthenticator 15.0 release introduced some breaking changes for the CILogonOAuthenticator. This page describes those breaking changes and gives a step-by-step guide for updating your JupyterHub CILogonOAuthenticator configuration to this version.
The following configurations have been deprecated starting with oauthenticator 15.0:
idp -> replaced
The idp config refers to the SAML Entity ID of the user's selected identity provider and prior to 15.0 was used to set the CILogon selected_idp optional authorization parameter in order to show only this identity provider in the CILogon IdP list.
Starting with oauthenticator 15.0, this config has been renamed to shown_idps and must now be a list of such SAML Entity IDs. Only the identity providers in this list will be shown in the CILogon IdP list, with the first one being considered the default.
Old config Example
c.CILogonOAuthenticator.idp = "https://accounts.google.com/o/oauth2/auth"
New config Example
c.CILogonOAuthenticator.shown_idps = ["https://accounts.google.com/o/oauth2/auth"]
strip_idp_domain -> removed
The strip_idp_domain boolean config was previously used to enable stripping the domains listed in allowed_idps from the hub usernames. In oauthenticator 15.0 this config option was removed, and such behaviour can only be achieved using the allowed_idps dictionary config as documented in a section below.
Old config Example
c.CILogonOAuthenticator.username_claim = "email"
c.CILogonOAuthenticator.allowed_idps = ["uni.edu"]
c.CILogonOAuthenticator.strip_idp_domain = True
New config Example
c.CILogonOAuthenticator.allowed_idps = {
    'https://uni-idp.com/login/oauth/authorize': {
        'username_derivation': {
            'username_claim': 'email',
            'action': 'strip_idp_domain',
            'domain': 'uni.edu',
        }
    },
}
Note
If allowed_idps contains more than one entry, see the section below to find out how to also use username prefixes to avoid username clashes.
allowed_idps -> changed type
Prior to oauthenticator version 15.0, the allowed_idps config was used to allow hub access only to usernames whose domain, after the @ sign, was one of the listed domains. If strip_idp_domain was enabled, these domains would have been stripped from the hub username.
Starting with oauthenticator 15.0, this config option must be a dictionary structured like the one below. More information about each configuration option that can go into username_derivation can be found in the allowed_idps docstring.
Stripping the domain from one IdP username, adding prefixes to another and leaving the others unchanged
c.CILogonOAuthenticator.allowed_idps = {
    'https://some-idp.com/login/oauth/authorize': {
        'username_derivation': {
            'username_claim': 'email',
            'action': 'strip_idp_domain',
            'domain': 'uni.edu',
        }
    },
    'https://another-idp.com/login/oauth/authorize': {
        'username_derivation': {
            'username_claim': 'nickname',
            'action': 'prefix',
            'prefix': 'idp',
        }
    },
    'https://yet-another-idp.com/login/oauth/authorize': {
        'username_derivation': {
            'username_claim': 'nickname',
        }
    },
}
This config translates into:
If you log in using the some-idp provider, the hub username will be the email registered for that IdP, from which the domain uni.edu will be stripped (assuming this is the domain in the email provided by some-idp).
If you log in using another-idp, the hub username will be the nickname claim provided by another-idp, prefixed with idp:. This way, users from different identity providers can log in without username clashes.
If you log in using yet-another-idp, the username will be left unchanged, i.e. the value corresponding to the username_claim.
Note
If allowed_idps is specified, then each IdP in the dict must define the username_derivation dict, including username_derivation.username_claim. CILogonOAuthenticator.username_claim will only be used if allowed_idps is not specified!
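The derivation rules and the final note above, as an added Python sketch (not oauthenticator's own code): it checks an allowed_idps dict against the rules stated on this page and derives the hub username for the three-IdP example. The names validate_allowed_idps, derive_username and REQUIRED_KEY are hypothetical, and leaving a username unchanged when its domain does not match is an assumption.

```python
# Added sketch modelling the allowed_idps rules described on this page.
# Not oauthenticator's implementation; all names below are hypothetical.

# Actions shown on this page and the extra key each one needs (None = no action).
REQUIRED_KEY = {None: None, "strip_idp_domain": "domain", "prefix": "prefix"}


def validate_allowed_idps(allowed_idps):
    """Return a list of problems that break the rules stated on this page."""
    if not isinstance(allowed_idps, dict):
        return ["allowed_idps must be a dict keyed by IdP entity ID (15.0+)"]
    problems = []
    for idp, cfg in allowed_idps.items():
        deriv = cfg.get("username_derivation") if isinstance(cfg, dict) else None
        if not isinstance(deriv, dict) or "username_claim" not in deriv:
            problems.append(f"{idp}: missing username_derivation.username_claim")
            continue
        action = deriv.get("action")
        if action not in REQUIRED_KEY:
            problems.append(f"{idp}: unknown action {action!r}")
        elif REQUIRED_KEY[action] and REQUIRED_KEY[action] not in deriv:
            problems.append(f"{idp}: action {action!r} needs {REQUIRED_KEY[action]!r}")
    return problems


def derive_username(allowed_idps, idp, claims):
    """Derive the hub username for one login, following the three cases above."""
    deriv = allowed_idps[idp]["username_derivation"]  # KeyError: IdP not allowed
    username = claims[deriv["username_claim"]]
    action = deriv.get("action")
    if action == "strip_idp_domain":
        suffix = "@" + deriv["domain"]
        # Assumption: a value from a different domain is left unchanged.
        if username.endswith(suffix):
            username = username[: -len(suffix)]
    elif action == "prefix":
        username = f"{deriv['prefix']}:{username}"
    return username


# The three-IdP config from this page, written compactly.
ALLOWED_IDPS = {
    "https://some-idp.com/login/oauth/authorize": {"username_derivation": {
        "username_claim": "email", "action": "strip_idp_domain", "domain": "uni.edu"}},
    "https://another-idp.com/login/oauth/authorize": {"username_derivation": {
        "username_claim": "nickname", "action": "prefix", "prefix": "idp"}},
    "https://yet-another-idp.com/login/oauth/authorize": {"username_derivation": {
        "username_claim": "nickname"}},
}
```

Under this config, alice@uni.edu from some-idp and the nickname alice from yet-another-idp both derive to alice, which is the kind of clash the prefix action is there to avoid.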