oauthenticator.globus#
Custom Authenticator to use Globus OAuth2 with JupyterHub
- class oauthenticator.globus.GlobusOAuthenticator(**kwargs: Any)#
The Globus OAuthenticator handles both authorization and passing transfer tokens to the spawner.
- admin_globus_groups c.GlobusOAuthenticator.admin_globus_groups = Set()#
Set members of defined Globus Groups as JupyterHub admin users. These users are automatically allowed to login to JupyterHub. Groups are specified with their UUIDs. Setting this will add the Globus Groups scope.
- admin_users c.GlobusOAuthenticator.admin_users = Set()#
Set of users that will have admin rights on this JupyterHub.
Note: As of JupyterHub 2.0, full admin rights should not be required, and more precise permissions can be managed via roles.
- Admin users have extra privileges:
Use the admin panel to see list of users logged in
Add / remove users in some authenticators
Restart / halt the hub
Start / stop users’ single-user servers
Can access each individual users’ single-user server (if configured)
Admin access should be treated the same way root access is.
Defaults to an empty set, in which case no user has admin access.
- allowed_globus_groups c.GlobusOAuthenticator.allowed_globus_groups = Set()#
Allow members of defined Globus Groups to access JupyterHub. Users in an admin Globus Group are also automatically allowed. Groups are specified with their UUIDs. Setting this will add the Globus Groups scope.
- allowed_users c.GlobusOAuthenticator.allowed_users = Set()#
Set of usernames that are allowed to log in.
Use this with supported authenticators to restrict which users can log in. This is an additional list that further restricts users, beyond whatever restrictions the authenticator has in place. Any user in this list is granted the ‘user’ role on hub startup.
If empty, does not perform any additional restriction.
Changed in version 1.2: Authenticator.whitelist renamed to allowed_users
- auth_refresh_age c.GlobusOAuthenticator.auth_refresh_age = Int(300)#
The max age (in seconds) of authentication info before forcing a refresh of user auth info.
Refreshing auth info allows, e.g. requesting/re-validating auth tokens.
See
refresh_user()
for what happens when user auth info is refreshed (nothing by default).
- authorize_url c.GlobusOAuthenticator.authorize_url = Unicode('')#
The authenticate url for initiating oauth
- auto_login c.GlobusOAuthenticator.auto_login = Bool(False)#
Automatically begin the login process
rather than starting with a “Login with…” link at /hub/login
To work, .login_url() must give a URL other than the default /hub/login, such as an oauth handler or another automatic login handler, registered with .get_handlers().
New in version 0.8.
- auto_login_oauth2_authorize c.GlobusOAuthenticator.auto_login_oauth2_authorize = Bool(False)#
Automatically begin login process for OAuth2 authorization requests
When another application is using JupyterHub as OAuth2 provider, it sends users to /hub/api/oauth2/authorize. If the user isn’t logged in already, and auto_login is not set, the user will be dumped on the hub’s home page, without any context on what to do next.
Setting this to true will automatically redirect users to login if they aren’t logged in only on the /hub/api/oauth2/authorize endpoint.
New in version 1.5.
- basic_auth c.GlobusOAuthenticator.basic_auth = Bool(False)#
Whether or not to use basic authentication for access token request
- blocked_users c.GlobusOAuthenticator.blocked_users = Set()#
Set of usernames that are not allowed to log in.
Use this with supported authenticators to restrict which users can not log in. This is an additional block list that further restricts users, beyond whatever restrictions the authenticator has in place.
If empty, does not perform any additional restriction.
Changed in version 1.2: Authenticator.blacklist renamed to blocked_users
- build_auth_state_dict(token_info, user_info)#
Usernames (and therefore Jupyterhub accounts) will correspond to a Globus User ID, so foouser@globusid.org will have the ‘foouser’ account in Jupyterhub.
- client_id c.GlobusOAuthenticator.client_id = Unicode('')#
No help string is provided.
- client_secret c.GlobusOAuthenticator.client_secret = Unicode('')#
No help string is provided.
- custom_403_message c.GlobusOAuthenticator.custom_403_message = Unicode('Sorry, you are not currently authorized to use this hub. Please contact the hub administrator.')#
The message to be shown when user was not allowed
- delete_invalid_users c.GlobusOAuthenticator.delete_invalid_users = Bool(False)#
Delete any users from the database that do not pass validation
When JupyterHub starts, .add_user will be called on each user in the database to verify that all users are still valid.
If delete_invalid_users is True, any users that do not pass validation will be deleted from the database. Use this if users might be deleted from an external system, such as local user accounts.
If False (default), invalid users remain in the Hub’s database and a warning will be issued. This is the default to avoid data loss due to config changes.
- enable_auth_state c.GlobusOAuthenticator.enable_auth_state = Bool(False)#
Enable persisting auth_state (if available).
auth_state will be encrypted and stored in the Hub’s database. This can include things like authentication tokens, etc. to be passed to Spawners as environment variables.
Encrypting auth_state requires the cryptography package.
Additionally, the JUPYTERHUB_CRYPT_KEY environment variable must contain one (or more, separated by ;) 32B encryption keys. These can be either base64 or hex-encoded.
If encryption is unavailable, auth_state cannot be persisted.
New in JupyterHub 0.8
- exclude_tokens c.GlobusOAuthenticator.exclude_tokens = List()#
Exclude tokens from being passed into user environments when they start notebooks, Terminals, etc.
- extra_authorize_params c.GlobusOAuthenticator.extra_authorize_params = Dict()#
Extra GET params to send along with the initial OAuth request to the OAuth provider.
- globus_groups_url c.GlobusOAuthenticator.globus_groups_url = Unicode('https://groups.api.globus.org/v2/groups/my_groups')#
Globus URL to get list of user’s Groups.
- globus_local_endpoint c.GlobusOAuthenticator.globus_local_endpoint = Unicode('')#
If Jupyterhub is also a Globus endpoint, its endpoint id can be specified here.
- http_request_kwargs c.GlobusOAuthenticator.http_request_kwargs = Dict()#
Extra default kwargs passed to all HTTPRequests.
For example, to use a HTTP proxy for all requests:
c.OAuthenticator.http_request_kwargs = {“proxy_host”: “proxy.example.com”, “proxy_port”: 8080}
See the tornado.httpclient.HTTPRequest documentation for all options and limitations: https://www.tornadoweb.org/en/stable/httpclient.html#tornado.httpclient.HTTPRequest
Note that some of these are dependent on the httpclient implementation.
- identity_provider c.GlobusOAuthenticator.identity_provider = Unicode('')#
Restrict which institution a user can use to login (GlobusID, University of Hogwarts, etc.). This should be set in the app at developers.globus.org, but this acts as an additional check to prevent unnecessary account creation.
- logout_handler#
alias of
GlobusLogoutHandler
- logout_redirect_url c.GlobusOAuthenticator.logout_redirect_url = Unicode('')#
URL for logging out of Auth0
- manage_groups c.GlobusOAuthenticator.manage_groups = Bool(False)#
Let authenticator manage user groups
If True, Authenticator.authenticate and/or .refresh_user may return a list of group names in the ‘groups’ field, which will be assigned to the user.
All group-assignment APIs are disabled if this is True.
- oauth_callback_url c.GlobusOAuthenticator.oauth_callback_url = Unicode('')#
Callback URL to use. Typically https://{host}/hub/oauth_callback
- post_auth_hook c.GlobusOAuthenticator.post_auth_hook = Any(None)#
An optional hook function that you can implement to do some bootstrapping work during authentication. For example, loading user account details from an external system.
This function is called after the user has passed all authentication checks and is ready to successfully authenticate. This function must return the authentication dict reguardless of changes to it.
This maybe a coroutine.
Example:
import os, pwd def my_hook(authenticator, handler, authentication): user_data = pwd.getpwnam(authentication['name']) spawn_data = { 'pw_data': user_data 'gid_list': os.getgrouplist(authentication['name'], user_data.pw_gid) } if authentication['auth_state'] is None: authentication['auth_state'] = {} authentication['auth_state']['spawn_data'] = spawn_data return authentication c.Authenticator.post_auth_hook = my_hook
- async pre_spawn_start(user, spawner)#
Add tokens to the spawner whenever the spawner starts a notebook. This will allow users to create a transfer client: globus-sdk-python.readthedocs.io/en/stable/tutorial/#tutorial-step4
- refresh_pre_spawn c.GlobusOAuthenticator.refresh_pre_spawn = Bool(False)#
Force refresh of auth prior to spawn.
This forces
refresh_user()
to be called prior to launching a server, to ensure that auth state is up-to-date.This can be important when e.g. auth tokens that may have expired are passed to the spawner via environment variables from auth_state.
If refresh_user cannot refresh the user auth data, launch will fail until the user logs in again.
- revocation_url c.GlobusOAuthenticator.revocation_url = Unicode('https://auth.globus.org/v2/oauth2/token/revoke')#
Globus URL to revoke live tokens.
- async revoke_service_tokens(services)#
Revoke live Globus access and refresh tokens.
Revoking inert or non-existent tokens does nothing. Services are defined by dicts returned by tokens.by_resource_server.
For example:
services = { 'transfer.api.globus.org': {'access_token': 'token'}, <Additional services>... }
- revoke_tokens_on_logout c.GlobusOAuthenticator.revoke_tokens_on_logout = Bool(False)#
Revoke tokens so they cannot be used again. Single-user servers MUST be restarted after logout in order to get a fresh working set of tokens.
- scope c.GlobusOAuthenticator.scope = List()#
The OAuth scopes to request. See the OAuth documentation of your OAuth provider for options. For GitHub in particular, you can see github_scopes.md in this repo.
- token_params c.GlobusOAuthenticator.token_params = Dict()#
Extra parameters for first POST request exchanging the OAuth code for an Access Token
- token_url c.GlobusOAuthenticator.token_url = Unicode('')#
The url retrieving an access token at the completion of oauth
- async update_auth_model(auth_model)#
Updates auth_model dict if any fields have changed or additional information is available or returns the unchanged auth_model.
Returns the model unchanged by default.
Should be overridden to take into account changes like group/admin membership.
- Args: auth_model - the auth model dictionary dict instead, containing:
the name key holding the username
- the auth_state key, the dictionary of of auth state
returned by
oauthenticator.OAuthenticator.build_auth_state_dict()
Called by the
oauthenticator.OAuthenticator.authenticate()
- user_info_to_username(user_info)#
Usernames (and therefore Jupyterhub accounts) will correspond to a Globus User ID, so foouser@globusid.org will have the ‘foouser’ account in Jupyterhub.
- async user_is_authorized(auth_model)#
Checks if the user that is authenticating should be authorized or not and False otherwise. Should be overridden with any relevant logic specific to each oauthenticator.
Returns True by default.
Called by the
oauthenticator.OAuthenticator.authenticate()
- userdata_params c.GlobusOAuthenticator.userdata_params = Dict()#
Userdata params to get user data login information
- userdata_token_method c.GlobusOAuthenticator.userdata_token_method = Unicode('header')#
Method for sending access token in userdata request. Supported methods: header, url. Default: header
- userdata_url c.GlobusOAuthenticator.userdata_url = Unicode('')#
The url for retrieving user data with a completed access token
- username_claim c.GlobusOAuthenticator.username_claim = Unicode('username')#
Field in userdata reply to use for username The field in the userdata response from which to get the JupyterHub username. Examples include: email, username, nickname
What keys are available will depend on the scopes requested and the authenticator used.
- username_from_email c.GlobusOAuthenticator.username_from_email = Bool(False)#
Create username from email address, not preferred username. If an identity provider is specified, email address must be from the same domain. Email scope will be set automatically.
- username_map c.GlobusOAuthenticator.username_map = Dict()#
Dictionary mapping authenticator usernames to JupyterHub users.
Primarily used to normalize OAuth user names to local users.
- username_pattern c.GlobusOAuthenticator.username_pattern = Unicode('')#
Regular expression pattern that all valid usernames must match.
If a username does not match the pattern specified here, authentication will not be attempted.
If not set, allow any username.
- validate_server_cert c.GlobusOAuthenticator.validate_server_cert = Bool(False)#
No help string is provided.
- whitelist c.GlobusOAuthenticator.whitelist = Set()#
Deprecated, use Authenticator.allowed_users
- class oauthenticator.globus.LocalGlobusOAuthenticator(**kwargs: Any)#
A version that mixes in local system user creation
- add_user_cmd c.LocalGlobusOAuthenticator.add_user_cmd = Command()#
The command to use for creating users as a list of strings
For each element in the list, the string USERNAME will be replaced with the user’s username. The username will also be appended as the final argument.
For Linux, the default value is:
[‘adduser’, ‘-q’, ‘–gecos’, ‘””’, ‘–disabled-password’]
To specify a custom home directory, set this to:
[‘adduser’, ‘-q’, ‘–gecos’, ‘””’, ‘–home’, ‘/customhome/USERNAME’, ‘–disabled-password’]
This will run the command:
adduser -q –gecos “” –home /customhome/river –disabled-password river
when the user ‘river’ is created.
- admin_globus_groups c.LocalGlobusOAuthenticator.admin_globus_groups = Set()#
Set members of defined Globus Groups as JupyterHub admin users. These users are automatically allowed to login to JupyterHub. Groups are specified with their UUIDs. Setting this will add the Globus Groups scope.
- admin_users c.LocalGlobusOAuthenticator.admin_users = Set()#
Set of users that will have admin rights on this JupyterHub.
Note: As of JupyterHub 2.0, full admin rights should not be required, and more precise permissions can be managed via roles.
- Admin users have extra privileges:
Use the admin panel to see list of users logged in
Add / remove users in some authenticators
Restart / halt the hub
Start / stop users’ single-user servers
Can access each individual users’ single-user server (if configured)
Admin access should be treated the same way root access is.
Defaults to an empty set, in which case no user has admin access.
- allowed_globus_groups c.LocalGlobusOAuthenticator.allowed_globus_groups = Set()#
Allow members of defined Globus Groups to access JupyterHub. Users in an admin Globus Group are also automatically allowed. Groups are specified with their UUIDs. Setting this will add the Globus Groups scope.
- allowed_groups c.LocalGlobusOAuthenticator.allowed_groups = Set()#
Allow login from all users in these UNIX groups.
If set, allowed username set is ignored.
- allowed_users c.LocalGlobusOAuthenticator.allowed_users = Set()#
Set of usernames that are allowed to log in.
Use this with supported authenticators to restrict which users can log in. This is an additional list that further restricts users, beyond whatever restrictions the authenticator has in place. Any user in this list is granted the ‘user’ role on hub startup.
If empty, does not perform any additional restriction.
Changed in version 1.2: Authenticator.whitelist renamed to allowed_users
- auth_refresh_age c.LocalGlobusOAuthenticator.auth_refresh_age = Int(300)#
The max age (in seconds) of authentication info before forcing a refresh of user auth info.
Refreshing auth info allows, e.g. requesting/re-validating auth tokens.
See
refresh_user()
for what happens when user auth info is refreshed (nothing by default).
- authorize_url c.LocalGlobusOAuthenticator.authorize_url = Unicode('')#
The authenticate url for initiating oauth
- auto_login c.LocalGlobusOAuthenticator.auto_login = Bool(False)#
Automatically begin the login process
rather than starting with a “Login with…” link at /hub/login
To work, .login_url() must give a URL other than the default /hub/login, such as an oauth handler or another automatic login handler, registered with .get_handlers().
New in version 0.8.
- auto_login_oauth2_authorize c.LocalGlobusOAuthenticator.auto_login_oauth2_authorize = Bool(False)#
Automatically begin login process for OAuth2 authorization requests
When another application is using JupyterHub as OAuth2 provider, it sends users to /hub/api/oauth2/authorize. If the user isn’t logged in already, and auto_login is not set, the user will be dumped on the hub’s home page, without any context on what to do next.
Setting this to true will automatically redirect users to login if they aren’t logged in only on the /hub/api/oauth2/authorize endpoint.
New in version 1.5.
- basic_auth c.LocalGlobusOAuthenticator.basic_auth = Bool(False)#
Whether or not to use basic authentication for access token request
- blocked_users c.LocalGlobusOAuthenticator.blocked_users = Set()#
Set of usernames that are not allowed to log in.
Use this with supported authenticators to restrict which users can not log in. This is an additional block list that further restricts users, beyond whatever restrictions the authenticator has in place.
If empty, does not perform any additional restriction.
Changed in version 1.2: Authenticator.blacklist renamed to blocked_users
- client_id c.LocalGlobusOAuthenticator.client_id = Unicode('')#
No help string is provided.
- client_secret c.LocalGlobusOAuthenticator.client_secret = Unicode('')#
No help string is provided.
- create_system_users c.LocalGlobusOAuthenticator.create_system_users = Bool(False)#
If set to True, will attempt to create local system users if they do not exist already.
Supports Linux and BSD variants only.
- custom_403_message c.LocalGlobusOAuthenticator.custom_403_message = Unicode('Sorry, you are not currently authorized to use this hub. Please contact the hub administrator.')#
The message to be shown when user was not allowed
- delete_invalid_users c.LocalGlobusOAuthenticator.delete_invalid_users = Bool(False)#
Delete any users from the database that do not pass validation
When JupyterHub starts, .add_user will be called on each user in the database to verify that all users are still valid.
If delete_invalid_users is True, any users that do not pass validation will be deleted from the database. Use this if users might be deleted from an external system, such as local user accounts.
If False (default), invalid users remain in the Hub’s database and a warning will be issued. This is the default to avoid data loss due to config changes.
- enable_auth_state c.LocalGlobusOAuthenticator.enable_auth_state = Bool(False)#
Enable persisting auth_state (if available).
auth_state will be encrypted and stored in the Hub’s database. This can include things like authentication tokens, etc. to be passed to Spawners as environment variables.
Encrypting auth_state requires the cryptography package.
Additionally, the JUPYTERHUB_CRYPT_KEY environment variable must contain one (or more, separated by ;) 32B encryption keys. These can be either base64 or hex-encoded.
If encryption is unavailable, auth_state cannot be persisted.
New in JupyterHub 0.8
- exclude_tokens c.LocalGlobusOAuthenticator.exclude_tokens = List()#
Exclude tokens from being passed into user environments when they start notebooks, Terminals, etc.
- extra_authorize_params c.LocalGlobusOAuthenticator.extra_authorize_params = Dict()#
Extra GET params to send along with the initial OAuth request to the OAuth provider.
- globus_groups_url c.LocalGlobusOAuthenticator.globus_groups_url = Unicode('https://groups.api.globus.org/v2/groups/my_groups')#
Globus URL to get list of user’s Groups.
- globus_local_endpoint c.LocalGlobusOAuthenticator.globus_local_endpoint = Unicode('')#
If Jupyterhub is also a Globus endpoint, its endpoint id can be specified here.
- group_whitelist c.LocalGlobusOAuthenticator.group_whitelist = Set()#
DEPRECATED: use allowed_groups
- http_request_kwargs c.LocalGlobusOAuthenticator.http_request_kwargs = Dict()#
Extra default kwargs passed to all HTTPRequests.
For example, to use a HTTP proxy for all requests:
c.OAuthenticator.http_request_kwargs = {“proxy_host”: “proxy.example.com”, “proxy_port”: 8080}
See the tornado.httpclient.HTTPRequest documentation for all options and limitations: https://www.tornadoweb.org/en/stable/httpclient.html#tornado.httpclient.HTTPRequest
Note that some of these are dependent on the httpclient implementation.
- identity_provider c.LocalGlobusOAuthenticator.identity_provider = Unicode('')#
Restrict which institution a user can use to login (GlobusID, University of Hogwarts, etc.). This should be set in the app at developers.globus.org, but this acts as an additional check to prevent unnecessary account creation.
- logout_redirect_url c.LocalGlobusOAuthenticator.logout_redirect_url = Unicode('')#
URL for logging out of Auth0
- manage_groups c.LocalGlobusOAuthenticator.manage_groups = Bool(False)#
Let authenticator manage user groups
If True, Authenticator.authenticate and/or .refresh_user may return a list of group names in the ‘groups’ field, which will be assigned to the user.
All group-assignment APIs are disabled if this is True.
- oauth_callback_url c.LocalGlobusOAuthenticator.oauth_callback_url = Unicode('')#
Callback URL to use. Typically https://{host}/hub/oauth_callback
- post_auth_hook c.LocalGlobusOAuthenticator.post_auth_hook = Any(None)#
An optional hook function that you can implement to do some bootstrapping work during authentication. For example, loading user account details from an external system.
This function is called after the user has passed all authentication checks and is ready to successfully authenticate. This function must return the authentication dict reguardless of changes to it.
This maybe a coroutine.
Example:
import os, pwd def my_hook(authenticator, handler, authentication): user_data = pwd.getpwnam(authentication['name']) spawn_data = { 'pw_data': user_data 'gid_list': os.getgrouplist(authentication['name'], user_data.pw_gid) } if authentication['auth_state'] is None: authentication['auth_state'] = {} authentication['auth_state']['spawn_data'] = spawn_data return authentication c.Authenticator.post_auth_hook = my_hook
- refresh_pre_spawn c.LocalGlobusOAuthenticator.refresh_pre_spawn = Bool(False)#
Force refresh of auth prior to spawn.
This forces
refresh_user()
to be called prior to launching a server, to ensure that auth state is up-to-date.This can be important when e.g. auth tokens that may have expired are passed to the spawner via environment variables from auth_state.
If refresh_user cannot refresh the user auth data, launch will fail until the user logs in again.
- revocation_url c.LocalGlobusOAuthenticator.revocation_url = Unicode('https://auth.globus.org/v2/oauth2/token/revoke')#
Globus URL to revoke live tokens.
- revoke_tokens_on_logout c.LocalGlobusOAuthenticator.revoke_tokens_on_logout = Bool(False)#
Revoke tokens so they cannot be used again. Single-user servers MUST be restarted after logout in order to get a fresh working set of tokens.
- scope c.LocalGlobusOAuthenticator.scope = List()#
The OAuth scopes to request. See the OAuth documentation of your OAuth provider for options. For GitHub in particular, you can see github_scopes.md in this repo.
- token_params c.LocalGlobusOAuthenticator.token_params = Dict()#
Extra parameters for first POST request exchanging the OAuth code for an Access Token
- token_url c.LocalGlobusOAuthenticator.token_url = Unicode('')#
The url retrieving an access token at the completion of oauth
- uids c.LocalGlobusOAuthenticator.uids = Dict()#
Dictionary of uids to use at user creation time. This helps ensure that users created from the database get the same uid each time they are created in temporary deployments or containers.
- userdata_params c.LocalGlobusOAuthenticator.userdata_params = Dict()#
Userdata params to get user data login information
- userdata_token_method c.LocalGlobusOAuthenticator.userdata_token_method = Unicode('header')#
Method for sending access token in userdata request. Supported methods: header, url. Default: header
- userdata_url c.LocalGlobusOAuthenticator.userdata_url = Unicode('')#
The url for retrieving user data with a completed access token
- username_claim c.LocalGlobusOAuthenticator.username_claim = Unicode('username')#
Field in userdata reply to use for username The field in the userdata response from which to get the JupyterHub username. Examples include: email, username, nickname
What keys are available will depend on the scopes requested and the authenticator used.
- username_from_email c.LocalGlobusOAuthenticator.username_from_email = Bool(False)#
Create username from email address, not preferred username. If an identity provider is specified, email address must be from the same domain. Email scope will be set automatically.
- username_map c.LocalGlobusOAuthenticator.username_map = Dict()#
Dictionary mapping authenticator usernames to JupyterHub users.
Primarily used to normalize OAuth user names to local users.
- username_pattern c.LocalGlobusOAuthenticator.username_pattern = Unicode('')#
Regular expression pattern that all valid usernames must match.
If a username does not match the pattern specified here, authentication will not be attempted.
If not set, allow any username.
- validate_server_cert c.LocalGlobusOAuthenticator.validate_server_cert = Bool(False)#
No help string is provided.
- whitelist c.LocalGlobusOAuthenticator.whitelist = Set()#
Deprecated, use Authenticator.allowed_users