oauthenticator.github#

A JupyterHub authenticator class for use with GitHub as an identity provider.

class oauthenticator.github.GitHubOAuthenticator(**kwargs: Any)#
admin_users c.GitHubOAuthenticator.admin_users = Set()#

Set of users that will have admin rights on this JupyterHub.

Note: As of JupyterHub 2.0, full admin rights should not be required, and more precise permissions can be managed via roles.

Admin users have extra privileges:
  • Use the admin panel to see list of users logged in

  • Add / remove users in some authenticators

  • Restart / halt the hub

  • Start / stop users’ single-user servers

  • Can access each individual users’ single-user server (if configured)

Admin access should be treated the same way root access is.

Defaults to an empty set, in which case no user has admin access.

allow_all c.GitHubOAuthenticator.allow_all = Bool(False)#

Allow all authenticated users to login.

New in version 16.0.

allow_existing_users c.GitHubOAuthenticator.allow_existing_users = Bool(False)#

Allow existing users to login.

An existing user is a user in JupyterHub’s database of users, and it includes all users that has previously logged in.

Warning

Before enabling this you should review the existing users in the JupyterHub admin panel at /hub/admin. You may find users existing there because they have once been declared in config such as allowed_users or once been allowed to sign in.

Warning

When this is enabled and you are to remove access for one or more users allowed via other config options, you must make sure that they are not part of the database of users still. This can be tricky to do if you stop allowing a group of externally managed users for example.

With this enabled, JupyterHub admin users can visit /hub/admin or use JupyterHub’s REST API to add and remove users as a way to allow them access.

The username for existing users must match the normalized username returned by the authenticator. When creating users, only lowercase letters should be used unless MWOAuthenticator is used.

Note

Allowing existing users is done by adding existing users on startup and newly created users to the allowed_users set. Due to that, you can’t rely on this config to independently allow existing users if you for example would reset allowed_users after startup.

New in version 16.0.

Changed in version 16.0: Before this config was available, the default behavior was to allow existing users if allowed_users was configured with one or more user.

allowed_organizations c.GitHubOAuthenticator.allowed_organizations = Set()#

Allow members of organizations or organizations’ teams by specifying organization names like org-a and/or an organizations’ team names like org-b:team-1.

The names can have a human friendly variant with spaces etc, but you should specify the name as seen in a URL. As an example, it should be jupyterhub:mybinder-org-operators for the team orgs/jupyterhub.

Requires read:org to be set in scope to not just allow based on public membership.

allowed_users c.GitHubOAuthenticator.allowed_users = Set()#

Set of usernames that are allowed to log in.

Use this with supported authenticators to restrict which users can log in. This is an additional list that further restricts users, beyond whatever restrictions the authenticator has in place. Any user in this list is granted the ‘user’ role on hub startup.

If empty, does not perform any additional restriction.

Changed in version 1.2: Authenticator.whitelist renamed to allowed_users

auth_refresh_age c.GitHubOAuthenticator.auth_refresh_age = Int(300)#

The max age (in seconds) of authentication info before forcing a refresh of user auth info.

Refreshing auth info allows, e.g. requesting/re-validating auth tokens.

See refresh_user() for what happens when user auth info is refreshed (nothing by default).

authorize_url c.GitHubOAuthenticator.authorize_url = Unicode('')#

The URL to where the user is to be redirected initially based on the OAuth2 protocol. The user will be redirected back with an authorization grant code after authenticating successfully with the identity provider.

For more context, see the Protocol Flow section in the OAuth2 standard document, specifically steps A-B.

auto_login c.GitHubOAuthenticator.auto_login = Bool(False)#

Automatically begin the login process

rather than starting with a “Login with…” link at /hub/login

To work, .login_url() must give a URL other than the default /hub/login, such as an oauth handler or another automatic login handler, registered with .get_handlers().

New in version 0.8.

auto_login_oauth2_authorize c.GitHubOAuthenticator.auto_login_oauth2_authorize = Bool(False)#

Automatically begin login process for OAuth2 authorization requests

When another application is using JupyterHub as OAuth2 provider, it sends users to /hub/api/oauth2/authorize. If the user isn’t logged in already, and auto_login is not set, the user will be dumped on the hub’s home page, without any context on what to do next.

Setting this to true will automatically redirect users to login if they aren’t logged in only on the /hub/api/oauth2/authorize endpoint.

New in version 1.5.

basic_auth c.GitHubOAuthenticator.basic_auth = Bool(False)#

Whether or to use HTTP Basic authentication instead of form based authentication in requests to token_url.

When using HTTP Basic authentication, a HTTP header is set with the client_id and client_secret encoded in it.

When using form based authentication, the client_id and client_secret is put in the HTTP POST request’s body.

Changed in version 16.0.0: This configuration now toggles between HTTP Basic authentication and form based authentication when working against the token_url.

Previously when this was configured True, both would be used contrary to a recommendation in OAuth 2.0 documentation.

Changed in version 16.0.2: The default value for this configuration for GenericOAuthenticator changed from True to False.

blocked_users c.GitHubOAuthenticator.blocked_users = Set()#

Set of usernames that are not allowed to log in.

Use this with supported authenticators to restrict which users can not log in. This is an additional block list that further restricts users, beyond whatever restrictions the authenticator has in place.

If empty, does not perform any additional restriction.

Changed in version 1.2: Authenticator.blacklist renamed to blocked_users

async check_allowed(username, auth_model)#

Overrides the OAuthenticator.check_allowed to also allow users part of allowed_organizations.

client_id c.GitHubOAuthenticator.client_id = Unicode('')#

The client id of the OAuth2 application registered with the identity provider.

client_secret c.GitHubOAuthenticator.client_secret = Unicode('')#

The client secret of the OAuth2 application registered with the identity provider.

custom_403_message c.GitHubOAuthenticator.custom_403_message = Unicode('Sorry, you are not currently authorized to use this hub. Please contact the hub administrator.')#

The message to be shown when user was not allowed

delete_invalid_users c.GitHubOAuthenticator.delete_invalid_users = Bool(False)#

Delete any users from the database that do not pass validation

When JupyterHub starts, .add_user will be called on each user in the database to verify that all users are still valid.

If delete_invalid_users is True, any users that do not pass validation will be deleted from the database. Use this if users might be deleted from an external system, such as local user accounts.

If False (default), invalid users remain in the Hub’s database and a warning will be issued. This is the default to avoid data loss due to config changes.

enable_auth_state c.GitHubOAuthenticator.enable_auth_state = Bool(False)#

Enable persisting auth_state (if available).

auth_state will be encrypted and stored in the Hub’s database. This can include things like authentication tokens, etc. to be passed to Spawners as environment variables.

Encrypting auth_state requires the cryptography package.

Additionally, the JUPYTERHUB_CRYPT_KEY environment variable must contain one (or more, separated by ;) 32B encryption keys. These can be either base64 or hex-encoded.

If encryption is unavailable, auth_state cannot be persisted.

New in JupyterHub 0.8

extra_authorize_params c.GitHubOAuthenticator.extra_authorize_params = Dict()#

Extra GET params to send along with the initial OAuth request to the OAuth provider.

github_api c.GitHubOAuthenticator.github_api = Unicode('')#

URL to the GitHub REST API to use.

Determined based on github_url by default and may never need to be explicitly set.

github_client_id c.GitHubOAuthenticator.github_client_id = Unicode('')#

Deprecated since version 0.1: Use client_id.

github_client_secret c.GitHubOAuthenticator.github_client_secret = Unicode('')#

Deprecated since version 0.1: Use client_secret.

github_organization_whitelist c.GitHubOAuthenticator.github_organization_whitelist = Set()#

Deprecated since version 0.12: Use allowed_organizations.

github_url c.GitHubOAuthenticator.github_url = Unicode('')#

Used to determine the default values for github_api, authorize_url, token_url, and userdata_url.

http_request_kwargs c.GitHubOAuthenticator.http_request_kwargs = Dict()#

Extra default kwargs passed to all HTTPRequests.

# Example: send requests through a proxy
c.OAuthenticator.http_request_kwargs = {
    "proxy_host": "proxy.example.com",
    "proxy_port": 8080,
}

# Example: validate against certain root certificates
c.OAuthenticator.http_request_kwargs = {
    "ca_certs": "/path/to/a.crt",
}

See tornado.httpclient.HTTPRequest for all kwargs options you can pass. Note that the HTTP client making these requests is tornado.httpclient.AsyncHTTPClient.

login_service c.GitHubOAuthenticator.login_service = Unicode('OAuth 2.0')#

Name of the login service or identity provider that this authenticator is using to authenticate users.

This config influences the text on a button shown to unauthenticated users before they click it to login, assuming auto_login isn’t configured True.

The login button’s text will be “Login with <login_service>”.

logout_redirect_url c.GitHubOAuthenticator.logout_redirect_url = Unicode('')#

When configured, users are not presented with the JupyterHub logout page, but instead redirected to this destination.

manage_groups c.GitHubOAuthenticator.manage_groups = Bool(False)#

Let authenticator manage user groups

If True, Authenticator.authenticate and/or .refresh_user may return a list of group names in the ‘groups’ field, which will be assigned to the user.

All group-assignment APIs are disabled if this is True.

oauth_callback_url c.GitHubOAuthenticator.oauth_callback_url = Unicode('')#

Callback URL to use.

When registering an OAuth2 application with an identity provider, this is typically called the redirect url.

Should very likely be set to https://[your-domain]/hub/oauth_callback.

populate_teams_in_auth_state c.GitHubOAuthenticator.populate_teams_in_auth_state = Bool(False)#

Populates the authentication state dictionary auth_state with a key teams assigned the list of teams the current user is a member of at the time of authentication. The list of teams is structured like the response of the GitHub API documented in https://docs.github.com/en/rest/reference/teams#list-teams-for-the-authenticated-user.

Requires read:org to be set in scope.

Note that authentication state is only be available to a post_auth_hook before being discarded unless configured to be persisted via enable_auth_state. For more information, see https://jupyterhub.readthedocs.io/en/stable/reference/authenticators.html#authentication-state.

post_auth_hook c.GitHubOAuthenticator.post_auth_hook = Any(None)#

An optional hook function that you can implement to do some bootstrapping work during authentication. For example, loading user account details from an external system.

This function is called after the user has passed all authentication checks and is ready to successfully authenticate. This function must return the authentication dict reguardless of changes to it.

This maybe a coroutine.

Example:

import os, pwd
def my_hook(authenticator, handler, authentication):
    user_data = pwd.getpwnam(authentication['name'])
    spawn_data = {
        'pw_data': user_data
        'gid_list': os.getgrouplist(authentication['name'], user_data.pw_gid)
    }

    if authentication['auth_state'] is None:
        authentication['auth_state'] = {}
    authentication['auth_state']['spawn_data'] = spawn_data

    return authentication

c.Authenticator.post_auth_hook = my_hook
refresh_pre_spawn c.GitHubOAuthenticator.refresh_pre_spawn = Bool(False)#

Force refresh of auth prior to spawn.

This forces refresh_user() to be called prior to launching a server, to ensure that auth state is up-to-date.

This can be important when e.g. auth tokens that may have expired are passed to the spawner via environment variables from auth_state.

If refresh_user cannot refresh the user auth data, launch will fail until the user logs in again.

scope c.GitHubOAuthenticator.scope = List()#

The OAuth scopes to request.

See the OAuth documentation of your OAuth provider for options.

token_params c.GitHubOAuthenticator.token_params = Dict()#

Extra parameters for first POST request exchanging the OAuth code for an Access Token

token_url c.GitHubOAuthenticator.token_url = Unicode('')#

The URL to where this authenticator makes a request to acquire an access token based on the authorization code received by the user returning from the authorize_url.

For more context, see the Protocol Flow section in the OAuth2 standard document, specifically steps C-D.

async update_auth_model(auth_model)#

Fetch and store email in auth state if the user’s only was: private, not part of the initial response, and we was granted a scope to fetch the private email.

Also fetch and store teams in auth state if populate_teams_in_auth_state is configured.

userdata_params c.GitHubOAuthenticator.userdata_params = Dict()#

Userdata params to get user data login information.

userdata_token_method c.GitHubOAuthenticator.userdata_token_method = Unicode('header')#

Method for sending access token in userdata request.

Supported methods: header, url.

userdata_url c.GitHubOAuthenticator.userdata_url = Unicode('')#

The URL to where this authenticator makes a request to acquire user details with an access token received via a request to the token_url.

For more context, see the Protocol Flow section in the OAuth2 standard document, specifically steps E-F.

username_claim c.GitHubOAuthenticator.username_claim = Unicode('username')#

The key to get the JupyterHub username from in the data response to the request made to userdata_url.

Examples include: email, username, nickname

What keys are available will depend on the scopes requested and the authenticator used.

username_map c.GitHubOAuthenticator.username_map = Dict()#

Dictionary mapping authenticator usernames to JupyterHub users.

Primarily used to normalize OAuth user names to local users.

username_pattern c.GitHubOAuthenticator.username_pattern = Unicode('')#

Regular expression pattern that all valid usernames must match.

If a username does not match the pattern specified here, authentication will not be attempted.

If not set, allow any username.

validate_server_cert c.GitHubOAuthenticator.validate_server_cert = Bool(False)#

Determines if certificates are validated.

Only set this to False if you feel confident it will not be a security concern.

whitelist c.GitHubOAuthenticator.whitelist = Set()#

Deprecated, use Authenticator.allowed_users

class oauthenticator.github.LocalGitHubOAuthenticator(**kwargs: Any)#

A version that mixes in local system user creation

add_user_cmd c.LocalGitHubOAuthenticator.add_user_cmd = Command()#

The command to use for creating users as a list of strings

For each element in the list, the string USERNAME will be replaced with the user’s username. The username will also be appended as the final argument.

For Linux, the default value is:

[‘adduser’, ‘-q’, ‘–gecos’, ‘””’, ‘–disabled-password’]

To specify a custom home directory, set this to:

[‘adduser’, ‘-q’, ‘–gecos’, ‘””’, ‘–home’, ‘/customhome/USERNAME’, ‘–disabled-password’]

This will run the command:

adduser -q –gecos “” –home /customhome/river –disabled-password river

when the user ‘river’ is created.

admin_users c.LocalGitHubOAuthenticator.admin_users = Set()#

Set of users that will have admin rights on this JupyterHub.

Note: As of JupyterHub 2.0, full admin rights should not be required, and more precise permissions can be managed via roles.

Admin users have extra privileges:
  • Use the admin panel to see list of users logged in

  • Add / remove users in some authenticators

  • Restart / halt the hub

  • Start / stop users’ single-user servers

  • Can access each individual users’ single-user server (if configured)

Admin access should be treated the same way root access is.

Defaults to an empty set, in which case no user has admin access.

allow_all c.LocalGitHubOAuthenticator.allow_all = Bool(False)#

Allow all authenticated users to login.

New in version 16.0.

allow_existing_users c.LocalGitHubOAuthenticator.allow_existing_users = Bool(False)#

Allow existing users to login.

An existing user is a user in JupyterHub’s database of users, and it includes all users that has previously logged in.

Warning

Before enabling this you should review the existing users in the JupyterHub admin panel at /hub/admin. You may find users existing there because they have once been declared in config such as allowed_users or once been allowed to sign in.

Warning

When this is enabled and you are to remove access for one or more users allowed via other config options, you must make sure that they are not part of the database of users still. This can be tricky to do if you stop allowing a group of externally managed users for example.

With this enabled, JupyterHub admin users can visit /hub/admin or use JupyterHub’s REST API to add and remove users as a way to allow them access.

The username for existing users must match the normalized username returned by the authenticator. When creating users, only lowercase letters should be used unless MWOAuthenticator is used.

Note

Allowing existing users is done by adding existing users on startup and newly created users to the allowed_users set. Due to that, you can’t rely on this config to independently allow existing users if you for example would reset allowed_users after startup.

New in version 16.0.

Changed in version 16.0: Before this config was available, the default behavior was to allow existing users if allowed_users was configured with one or more user.

allowed_groups c.LocalGitHubOAuthenticator.allowed_groups = Set()#

Allow login from all users in these UNIX groups.

If set, allowed username set is ignored.

allowed_organizations c.LocalGitHubOAuthenticator.allowed_organizations = Set()#

Allow members of organizations or organizations’ teams by specifying organization names like org-a and/or an organizations’ team names like org-b:team-1.

The names can have a human friendly variant with spaces etc, but you should specify the name as seen in a URL. As an example, it should be jupyterhub:mybinder-org-operators for the team orgs/jupyterhub.

Requires read:org to be set in scope to not just allow based on public membership.

allowed_users c.LocalGitHubOAuthenticator.allowed_users = Set()#

Set of usernames that are allowed to log in.

Use this with supported authenticators to restrict which users can log in. This is an additional list that further restricts users, beyond whatever restrictions the authenticator has in place. Any user in this list is granted the ‘user’ role on hub startup.

If empty, does not perform any additional restriction.

Changed in version 1.2: Authenticator.whitelist renamed to allowed_users

auth_refresh_age c.LocalGitHubOAuthenticator.auth_refresh_age = Int(300)#

The max age (in seconds) of authentication info before forcing a refresh of user auth info.

Refreshing auth info allows, e.g. requesting/re-validating auth tokens.

See refresh_user() for what happens when user auth info is refreshed (nothing by default).

authorize_url c.LocalGitHubOAuthenticator.authorize_url = Unicode('')#

The URL to where the user is to be redirected initially based on the OAuth2 protocol. The user will be redirected back with an authorization grant code after authenticating successfully with the identity provider.

For more context, see the Protocol Flow section in the OAuth2 standard document, specifically steps A-B.

auto_login c.LocalGitHubOAuthenticator.auto_login = Bool(False)#

Automatically begin the login process

rather than starting with a “Login with…” link at /hub/login

To work, .login_url() must give a URL other than the default /hub/login, such as an oauth handler or another automatic login handler, registered with .get_handlers().

New in version 0.8.

auto_login_oauth2_authorize c.LocalGitHubOAuthenticator.auto_login_oauth2_authorize = Bool(False)#

Automatically begin login process for OAuth2 authorization requests

When another application is using JupyterHub as OAuth2 provider, it sends users to /hub/api/oauth2/authorize. If the user isn’t logged in already, and auto_login is not set, the user will be dumped on the hub’s home page, without any context on what to do next.

Setting this to true will automatically redirect users to login if they aren’t logged in only on the /hub/api/oauth2/authorize endpoint.

New in version 1.5.

basic_auth c.LocalGitHubOAuthenticator.basic_auth = Bool(False)#

Whether or to use HTTP Basic authentication instead of form based authentication in requests to token_url.

When using HTTP Basic authentication, a HTTP header is set with the client_id and client_secret encoded in it.

When using form based authentication, the client_id and client_secret is put in the HTTP POST request’s body.

Changed in version 16.0.0: This configuration now toggles between HTTP Basic authentication and form based authentication when working against the token_url.

Previously when this was configured True, both would be used contrary to a recommendation in OAuth 2.0 documentation.

Changed in version 16.0.2: The default value for this configuration for GenericOAuthenticator changed from True to False.

blocked_users c.LocalGitHubOAuthenticator.blocked_users = Set()#

Set of usernames that are not allowed to log in.

Use this with supported authenticators to restrict which users can not log in. This is an additional block list that further restricts users, beyond whatever restrictions the authenticator has in place.

If empty, does not perform any additional restriction.

Changed in version 1.2: Authenticator.blacklist renamed to blocked_users

client_id c.LocalGitHubOAuthenticator.client_id = Unicode('')#

The client id of the OAuth2 application registered with the identity provider.

client_secret c.LocalGitHubOAuthenticator.client_secret = Unicode('')#

The client secret of the OAuth2 application registered with the identity provider.

create_system_users c.LocalGitHubOAuthenticator.create_system_users = Bool(False)#

If set to True, will attempt to create local system users if they do not exist already.

Supports Linux and BSD variants only.

custom_403_message c.LocalGitHubOAuthenticator.custom_403_message = Unicode('Sorry, you are not currently authorized to use this hub. Please contact the hub administrator.')#

The message to be shown when user was not allowed

delete_invalid_users c.LocalGitHubOAuthenticator.delete_invalid_users = Bool(False)#

Delete any users from the database that do not pass validation

When JupyterHub starts, .add_user will be called on each user in the database to verify that all users are still valid.

If delete_invalid_users is True, any users that do not pass validation will be deleted from the database. Use this if users might be deleted from an external system, such as local user accounts.

If False (default), invalid users remain in the Hub’s database and a warning will be issued. This is the default to avoid data loss due to config changes.

enable_auth_state c.LocalGitHubOAuthenticator.enable_auth_state = Bool(False)#

Enable persisting auth_state (if available).

auth_state will be encrypted and stored in the Hub’s database. This can include things like authentication tokens, etc. to be passed to Spawners as environment variables.

Encrypting auth_state requires the cryptography package.

Additionally, the JUPYTERHUB_CRYPT_KEY environment variable must contain one (or more, separated by ;) 32B encryption keys. These can be either base64 or hex-encoded.

If encryption is unavailable, auth_state cannot be persisted.

New in JupyterHub 0.8

extra_authorize_params c.LocalGitHubOAuthenticator.extra_authorize_params = Dict()#

Extra GET params to send along with the initial OAuth request to the OAuth provider.

github_api c.LocalGitHubOAuthenticator.github_api = Unicode('')#

URL to the GitHub REST API to use.

Determined based on github_url by default and may never need to be explicitly set.

github_client_id c.LocalGitHubOAuthenticator.github_client_id = Unicode('')#

Deprecated since version 0.1: Use client_id.

github_client_secret c.LocalGitHubOAuthenticator.github_client_secret = Unicode('')#

Deprecated since version 0.1: Use client_secret.

github_organization_whitelist c.LocalGitHubOAuthenticator.github_organization_whitelist = Set()#

Deprecated since version 0.12: Use allowed_organizations.

github_url c.LocalGitHubOAuthenticator.github_url = Unicode('')#

Used to determine the default values for github_api, authorize_url, token_url, and userdata_url.

group_whitelist c.LocalGitHubOAuthenticator.group_whitelist = Set()#

DEPRECATED: use allowed_groups

http_request_kwargs c.LocalGitHubOAuthenticator.http_request_kwargs = Dict()#

Extra default kwargs passed to all HTTPRequests.

# Example: send requests through a proxy
c.OAuthenticator.http_request_kwargs = {
    "proxy_host": "proxy.example.com",
    "proxy_port": 8080,
}

# Example: validate against certain root certificates
c.OAuthenticator.http_request_kwargs = {
    "ca_certs": "/path/to/a.crt",
}

See tornado.httpclient.HTTPRequest for all kwargs options you can pass. Note that the HTTP client making these requests is tornado.httpclient.AsyncHTTPClient.

login_service c.LocalGitHubOAuthenticator.login_service = Unicode('OAuth 2.0')#

Name of the login service or identity provider that this authenticator is using to authenticate users.

This config influences the text on a button shown to unauthenticated users before they click it to login, assuming auto_login isn’t configured True.

The login button’s text will be “Login with <login_service>”.

logout_redirect_url c.LocalGitHubOAuthenticator.logout_redirect_url = Unicode('')#

When configured, users are not presented with the JupyterHub logout page, but instead redirected to this destination.

manage_groups c.LocalGitHubOAuthenticator.manage_groups = Bool(False)#

Let authenticator manage user groups

If True, Authenticator.authenticate and/or .refresh_user may return a list of group names in the ‘groups’ field, which will be assigned to the user.

All group-assignment APIs are disabled if this is True.

oauth_callback_url c.LocalGitHubOAuthenticator.oauth_callback_url = Unicode('')#

Callback URL to use.

When registering an OAuth2 application with an identity provider, this is typically called the redirect url.

Should very likely be set to https://[your-domain]/hub/oauth_callback.

populate_teams_in_auth_state c.LocalGitHubOAuthenticator.populate_teams_in_auth_state = Bool(False)#

Populates the authentication state dictionary auth_state with a key teams assigned the list of teams the current user is a member of at the time of authentication. The list of teams is structured like the response of the GitHub API documented in https://docs.github.com/en/rest/reference/teams#list-teams-for-the-authenticated-user.

Requires read:org to be set in scope.

Note that authentication state is only be available to a post_auth_hook before being discarded unless configured to be persisted via enable_auth_state. For more information, see https://jupyterhub.readthedocs.io/en/stable/reference/authenticators.html#authentication-state.

post_auth_hook c.LocalGitHubOAuthenticator.post_auth_hook = Any(None)#

An optional hook function that you can implement to do some bootstrapping work during authentication. For example, loading user account details from an external system.

This function is called after the user has passed all authentication checks and is ready to successfully authenticate. This function must return the authentication dict reguardless of changes to it.

This maybe a coroutine.

Example:

import os, pwd
def my_hook(authenticator, handler, authentication):
    user_data = pwd.getpwnam(authentication['name'])
    spawn_data = {
        'pw_data': user_data
        'gid_list': os.getgrouplist(authentication['name'], user_data.pw_gid)
    }

    if authentication['auth_state'] is None:
        authentication['auth_state'] = {}
    authentication['auth_state']['spawn_data'] = spawn_data

    return authentication

c.Authenticator.post_auth_hook = my_hook
refresh_pre_spawn c.LocalGitHubOAuthenticator.refresh_pre_spawn = Bool(False)#

Force refresh of auth prior to spawn.

This forces refresh_user() to be called prior to launching a server, to ensure that auth state is up-to-date.

This can be important when e.g. auth tokens that may have expired are passed to the spawner via environment variables from auth_state.

If refresh_user cannot refresh the user auth data, launch will fail until the user logs in again.

scope c.LocalGitHubOAuthenticator.scope = List()#

The OAuth scopes to request.

See the OAuth documentation of your OAuth provider for options.

token_params c.LocalGitHubOAuthenticator.token_params = Dict()#

Extra parameters for first POST request exchanging the OAuth code for an Access Token

token_url c.LocalGitHubOAuthenticator.token_url = Unicode('')#

The URL to where this authenticator makes a request to acquire an access token based on the authorization code received by the user returning from the authorize_url.

For more context, see the Protocol Flow section in the OAuth2 standard document, specifically steps C-D.

uids c.LocalGitHubOAuthenticator.uids = Dict()#

Dictionary of uids to use at user creation time. This helps ensure that users created from the database get the same uid each time they are created in temporary deployments or containers.

userdata_params c.LocalGitHubOAuthenticator.userdata_params = Dict()#

Userdata params to get user data login information.

userdata_token_method c.LocalGitHubOAuthenticator.userdata_token_method = Unicode('header')#

Method for sending access token in userdata request.

Supported methods: header, url.

userdata_url c.LocalGitHubOAuthenticator.userdata_url = Unicode('')#

The URL to where this authenticator makes a request to acquire user details with an access token received via a request to the token_url.

For more context, see the Protocol Flow section in the OAuth2 standard document, specifically steps E-F.

username_claim c.LocalGitHubOAuthenticator.username_claim = Unicode('username')#

The key to get the JupyterHub username from in the data response to the request made to userdata_url.

Examples include: email, username, nickname

What keys are available will depend on the scopes requested and the authenticator used.

username_map c.LocalGitHubOAuthenticator.username_map = Dict()#

Dictionary mapping authenticator usernames to JupyterHub users.

Primarily used to normalize OAuth user names to local users.

username_pattern c.LocalGitHubOAuthenticator.username_pattern = Unicode('')#

Regular expression pattern that all valid usernames must match.

If a username does not match the pattern specified here, authentication will not be attempted.

If not set, allow any username.

validate_server_cert c.LocalGitHubOAuthenticator.validate_server_cert = Bool(False)#

Determines if certificates are validated.

Only set this to False if you feel confident it will not be a security concern.

whitelist c.LocalGitHubOAuthenticator.whitelist = Set()#

Deprecated, use Authenticator.allowed_users