oauthenticator.oauth2#
Base classes for use by OAuth2 based JupyterHub authenticator classes.
Founded based on work by Kyle Kelley (@rgbkrk)
- class oauthenticator.oauth2.OAuthLoginHandler(application: Application, request: HTTPServerRequest, **kwargs: Any)#
Base class for OAuth login handler
Typically subclasses will need
- class oauthenticator.oauth2.OAuthCallbackHandler(application: Application, request: HTTPServerRequest, **kwargs: Any)#
Basic handler for OAuth callback. Calls authenticator to verify username.
- class oauthenticator.oauth2.OAuthenticator(**kwargs: Any)#
Base class for OAuthenticators.
Subclasses should, in an increasing level of customization:
Override the constant
user_auth_state_key
Override various config’s default values, such as
authorize_url
,token_url
,userdata_url
, andlogin_service
.Override various methods called by the
authenticate
method, which subclasses should not override.Override handler classes such as
login_handler
,callback_handler
, andlogout_handler
.
- add_user(user)#
Overrides
Authenticator.add_user
, a hook called for all users in the database on startup and for each user being created.The purpose of the override is to implement the
allow_existing_users
config by adding users to theallowed_users
set only ifallow_existing_users
is truthy. The overridden behavior is to do it ifallowed_users
is truthy.The implementation is adjusted from JupyterHub 4.0.1: jupyterhub/jupyterhub
- admin_users c.OAuthenticator.admin_users = Set()#
Set of users that will have admin rights on this JupyterHub.
Note: As of JupyterHub 2.0, full admin rights should not be required, and more precise permissions can be managed via roles.
- Admin users have extra privileges:
Use the admin panel to see list of users logged in
Add / remove users in some authenticators
Restart / halt the hub
Start / stop users’ single-user servers
Can access each individual users’ single-user server (if configured)
Admin access should be treated the same way root access is.
Defaults to an empty set, in which case no user has admin access.
- allow_all c.OAuthenticator.allow_all = Bool(False)#
Allow all authenticated users to login.
New in version 16.0.
- allow_existing_users c.OAuthenticator.allow_existing_users = Bool(False)#
Allow existing users to login.
An existing user is a user in JupyterHub’s database of users, and it includes all users that has previously logged in.
Warning
Before enabling this you should review the existing users in the JupyterHub admin panel at
/hub/admin
. You may find users existing there because they have once been declared in config such asallowed_users
or once been allowed to sign in.Warning
When this is enabled and you are to remove access for one or more users allowed via other config options, you must make sure that they are not part of the database of users still. This can be tricky to do if you stop allowing a group of externally managed users for example.
With this enabled, JupyterHub admin users can visit
/hub/admin
or use JupyterHub’s REST API to add and remove users as a way to allow them access.The username for existing users must match the normalized username returned by the authenticator. When creating users, only lowercase letters should be used unless
MWOAuthenticator
is used.Note
Allowing existing users is done by adding existing users on startup and newly created users to the
allowed_users
set. Due to that, you can’t rely on this config to independently allow existing users if you for example would resetallowed_users
after startup.New in version 16.0.
Changed in version 16.0: Before this config was available, the default behavior was to allow existing users if
allowed_users
was configured with one or more user.
- allowed_users c.OAuthenticator.allowed_users = Set()#
Set of usernames that are allowed to log in.
Use this with supported authenticators to restrict which users can log in. This is an additional list that further restricts users, beyond whatever restrictions the authenticator has in place. Any user in this list is granted the ‘user’ role on hub startup.
If empty, does not perform any additional restriction.
Changed in version 1.2:
Authenticator.whitelist
renamed toallowed_users
- auth_refresh_age c.OAuthenticator.auth_refresh_age = Int(300)#
The max age (in seconds) of authentication info before forcing a refresh of user auth info.
Refreshing auth info allows, e.g. requesting/re-validating auth tokens.
See
refresh_user()
for what happens when user auth info is refreshed (nothing by default).
- async authenticate(handler, data=None, **kwargs)#
A JupyterHub Authenticator’s authenticate method’s job is:
return None if the user isn’t successfully authenticated
return a dictionary if authentication is successful with name, admin (optional), and auth_state (optional)
Subclasses should not override this method.
ref: https://jupyterhub.readthedocs.io/en/stable/reference/authenticators.html#authenticator-authenticate-method ref: jupyterhub/jupyterhub
- authorize_url c.OAuthenticator.authorize_url = Unicode('')#
The URL to where the user is to be redirected initially based on the OAuth2 protocol. The user will be redirected back with an authorization grant code after authenticating successfully with the identity provider.
For more context, see the Protocol Flow section in the OAuth2 standard document, specifically steps A-B.
- auto_login c.OAuthenticator.auto_login = Bool(False)#
Automatically begin the login process
rather than starting with a “Login with…” link at
/hub/login
To work,
.login_url()
must give a URL other than the default/hub/login
, such as an oauth handler or another automatic login handler, registered with.get_handlers()
.New in version 0.8.
- auto_login_oauth2_authorize c.OAuthenticator.auto_login_oauth2_authorize = Bool(False)#
Automatically begin login process for OAuth2 authorization requests
When another application is using JupyterHub as OAuth2 provider, it sends users to
/hub/api/oauth2/authorize
. If the user isn’t logged in already, and auto_login is not set, the user will be dumped on the hub’s home page, without any context on what to do next.Setting this to true will automatically redirect users to login if they aren’t logged in only on the
/hub/api/oauth2/authorize
endpoint.New in version 1.5.
- basic_auth c.OAuthenticator.basic_auth = Bool(False)#
Whether or to use HTTP Basic authentication instead of form based authentication in requests to
token_url
.When using HTTP Basic authentication, a HTTP header is set with the
client_id
andclient_secret
encoded in it.When using form based authentication, the
client_id
andclient_secret
is put in the HTTP POST request’s body.Changed in version 16.0.0: This configuration now toggles between HTTP Basic authentication and form based authentication when working against the
token_url
.Previously when this was configured True, both would be used contrary to a recommendation in OAuth 2.0 documentation.
Changed in version 16.0.2: The default value for this configuration for GenericOAuthenticator changed from True to False.
- blocked_users c.OAuthenticator.blocked_users = Set()#
Set of usernames that are not allowed to log in.
Use this with supported authenticators to restrict which users can not log in. This is an additional block list that further restricts users, beyond whatever restrictions the authenticator has in place.
If empty, does not perform any additional restriction.
Changed in version 1.2:
Authenticator.blacklist
renamed toblocked_users
- build_access_tokens_request_params(handler, data=None)#
Builds the parameters that should be passed to the URL request that exchanges the OAuth code for the Access Token. Called by the
oauthenticator.OAuthenticator.authenticate()
.
- build_auth_state_dict(token_info, user_info)#
Builds the
auth_state
dict that will be returned by a succesfullauthenticate
method call.- Parameters:
token_info – the dictionary returned by the token request (exchanging the OAuth code for an Access Token)
user_info – the dictionary returned by the userdata request
- Returns:
- a dictionary of auth state that should be persisted with the following keys:
”access_token”: the access_token
”refresh_token”: the refresh_token, if available
”id_token”: the id_token, if available
”scope”: the scopes, if available
”token_response”: the full token_info response
self.user_auth_state_key: the full user_info response
- Return type:
auth_state
Called by the
oauthenticator.OAuthenticator.authenticate()
- build_token_info_request_headers()#
Builds and returns the headers to be used in the access token request. Called by the
oauthenticator.OAuthenticator.get_token_info()
.The Content-Type header is specified by the OAuth 2.0 RFC in https://www.rfc-editor.org/rfc/rfc6749#section-4.1.3. utf-8 is also required according to https://www.rfc-editor.org/rfc/rfc6749#appendix-B, and that can be specified with a Content-Type directive according to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Type#directives.
- build_userdata_request_headers(access_token, token_type)#
Builds and returns the headers to be used in the userdata request. Called by the
oauthenticator.OAuthenticator.token_to_user()
- callback_handler#
alias of
OAuthCallbackHandler
- async check_allowed(username, auth_model)#
Returns True for users allowed to be authorized
Overrides Authenticator.check_allowed that is called from
Authenticator.get_authenticated_user
afterOAuthenticator.authenticate
has been called, and therefore also afterupdate_auth_model
has been called.Subclasses with additional config to allow a user should override this method and return True when this method returns True or if a user is allowed via the additional config.
- client_id c.OAuthenticator.client_id = Unicode('')#
The client id of the OAuth2 application registered with the identity provider.
- client_secret c.OAuthenticator.client_secret = Unicode('')#
The client secret of the OAuth2 application registered with the identity provider.
- custom_403_message c.OAuthenticator.custom_403_message = Unicode('Sorry, you are not currently authorized to use this hub. Please contact the hub administrator.')#
The message to be shown when user was not allowed
- delete_invalid_users c.OAuthenticator.delete_invalid_users = Bool(False)#
Delete any users from the database that do not pass validation
When JupyterHub starts,
.add_user
will be called on each user in the database to verify that all users are still valid.If
delete_invalid_users
is True, any users that do not pass validation will be deleted from the database. Use this if users might be deleted from an external system, such as local user accounts.If False (default), invalid users remain in the Hub’s database and a warning will be issued. This is the default to avoid data loss due to config changes.
- enable_auth_state c.OAuthenticator.enable_auth_state = Bool(False)#
Enable persisting auth_state (if available).
auth_state will be encrypted and stored in the Hub’s database. This can include things like authentication tokens, etc. to be passed to Spawners as environment variables.
Encrypting auth_state requires the cryptography package.
Additionally, the JUPYTERHUB_CRYPT_KEY environment variable must contain one (or more, separated by ;) 32B encryption keys. These can be either base64 or hex-encoded.
If encryption is unavailable, auth_state cannot be persisted.
New in JupyterHub 0.8
- extra_authorize_params c.OAuthenticator.extra_authorize_params = Dict()#
Extra GET params to send along with the initial OAuth request to the OAuth provider.
- async fetch(req, label='fetching', parse_json=True, **kwargs)#
Wrapper for http requests
logs error responses, parses successful JSON responses
- Parameters:
req – tornado HTTPRequest
label (str) – label describing what is happening, used in log message when the request fails.
parse_json (bool) – whether to parse the response as JSON
**kwargs – remaining keyword args passed to underlying
client.fetch(req, **kwargs)
- Returns:
parsed JSON response if
parse_json=True
, elsetornado.HTTPResponse
- get_callback_url(handler=None)#
Get my OAuth redirect URL
Either from config or guess based on the current request.
- get_handlers(app)#
Return any custom handlers the authenticator needs to register
Used in conjugation with
login_url
andlogout_url
.- Parameters:
app (JupyterHub Application) – the application object, in case it needs to be accessed for info.
- Returns:
list of
('/url', Handler)
tuples passed to tornado. The Hub prefix is added to any URLs.- Return type:
handlers (list)
- async get_prev_refresh_token(handler, username)#
Retrieves the
refresh_token
from previous encrypted auth state. Called by theoauthenticator.OAuthenticator.authenticate()
- async get_token_info(handler, params)#
Makes a “POST” request to
self.token_url
, with the parameters received as argument.- Returns:
the JSON response to the
token_url
the request.
Called by the
oauthenticator.OAuthenticator.authenticate()
- http_request_kwargs c.OAuthenticator.http_request_kwargs = Dict()#
Extra default kwargs passed to all HTTPRequests.
# Example: send requests through a proxy c.OAuthenticator.http_request_kwargs = { "proxy_host": "proxy.example.com", "proxy_port": 8080, } # Example: validate against certain root certificates c.OAuthenticator.http_request_kwargs = { "ca_certs": "/path/to/a.crt", }
See
tornado.httpclient.HTTPRequest
for all kwargs options you can pass. Note that the HTTP client making these requests istornado.httpclient.AsyncHTTPClient
.
- async httpfetch(url, label='fetching', parse_json=True, raise_error=True, **kwargs)#
Wrapper for creating and fetching http requests
Includes http_request_kwargs in request kwargs logs error responses, parses successful JSON responses
- Parameters:
url (str) – url to fetch
label (str) – label describing what is happening, used in log message when the request fails.
parse_json (bool) – whether to parse the response as JSON
raise_error (bool) – whether to raise an exception on HTTP errors
**kwargs – remaining keyword args passed to underlying
tornado.HTTPRequest
, overrideshttp_request_kwargs
- Returns:
parsed JSON response if
parse_json=True
, elsetornado.HTTPResponse
- login_handler#
alias of
OAuthLoginHandler
- login_service c.OAuthenticator.login_service = Unicode('OAuth 2.0')#
Name of the login service or identity provider that this authenticator is using to authenticate users.
This config influences the text on a button shown to unauthenticated users before they click it to login, assuming
auto_login
isn’t configured True.The login button’s text will be “Login with <login_service>”.
- login_url(base_url)#
Override this when registering a custom login handler
Generally used by authenticators that do not use simple form-based authentication.
The subclass overriding this is responsible for making sure there is a handler available to handle the URL returned from this method, using the
get_handlers
method.- Parameters:
base_url (str) – the base URL of the Hub (e.g. /hub/)
- Returns:
The login URL, e.g. ‘/hub/login’
- Return type:
str
- logout_handler#
alias of
OAuthLogoutHandler
- logout_redirect_url c.OAuthenticator.logout_redirect_url = Unicode('')#
When configured, users are not presented with the JupyterHub logout page, but instead redirected to this destination.
- logout_url(base_url)#
Override when registering a custom logout handler
The subclass overriding this is responsible for making sure there is a handler available to handle the URL returned from this method, using the
get_handlers
method.- Parameters:
base_url (str) – the base URL of the Hub (e.g. /hub/)
- Returns:
The logout URL, e.g. ‘/hub/logout’
- Return type:
str
- manage_groups c.OAuthenticator.manage_groups = Bool(False)#
Let authenticator manage user groups
If True, Authenticator.authenticate and/or .refresh_user may return a list of group names in the ‘groups’ field, which will be assigned to the user.
All group-assignment APIs are disabled if this is True.
- oauth_callback_url c.OAuthenticator.oauth_callback_url = Unicode('')#
Callback URL to use.
When registering an OAuth2 application with an identity provider, this is typically called the redirect url.
Should very likely be set to
https://[your-domain]/hub/oauth_callback
.
- post_auth_hook c.OAuthenticator.post_auth_hook = Any(None)#
An optional hook function that you can implement to do some bootstrapping work during authentication. For example, loading user account details from an external system.
This function is called after the user has passed all authentication checks and is ready to successfully authenticate. This function must return the authentication dict reguardless of changes to it.
This maybe a coroutine.
Example:
import os, pwd def my_hook(authenticator, handler, authentication): user_data = pwd.getpwnam(authentication['name']) spawn_data = { 'pw_data': user_data 'gid_list': os.getgrouplist(authentication['name'], user_data.pw_gid) } if authentication['auth_state'] is None: authentication['auth_state'] = {} authentication['auth_state']['spawn_data'] = spawn_data return authentication c.Authenticator.post_auth_hook = my_hook
- refresh_pre_spawn c.OAuthenticator.refresh_pre_spawn = Bool(False)#
Force refresh of auth prior to spawn.
This forces
refresh_user()
to be called prior to launching a server, to ensure that auth state is up-to-date.This can be important when e.g. auth tokens that may have expired are passed to the spawner via environment variables from auth_state.
If refresh_user cannot refresh the user auth data, launch will fail until the user logs in again.
- scope c.OAuthenticator.scope = List()#
The OAuth scopes to request.
See the OAuth documentation of your OAuth provider for options.
- token_params c.OAuthenticator.token_params = Dict()#
Extra parameters for first POST request exchanging the OAuth code for an Access Token
- async token_to_user(token_info)#
Determines who the logged-in user by sending a “GET” request to
oauthenticator.OAuthenticator.userdata_url
using theaccess_token
.- Parameters:
token_info – the dictionary returned by the token request (exchanging the OAuth code for an Access Token)
- Returns:
the JSON response to the
userdata_url
request.
Called by the
oauthenticator.OAuthenticator.authenticate()
- token_url c.OAuthenticator.token_url = Unicode('')#
The URL to where this authenticator makes a request to acquire an access token based on the authorization code received by the user returning from the
authorize_url
.For more context, see the Protocol Flow section in the OAuth2 standard document, specifically steps C-D.
- async update_auth_model(auth_model)#
Updates and returns the
auth_model
dict.Should be overridden to collect information required for check_allowed.
- Args: auth_model - the auth model dictionary, containing:
name
: the normalized usernameadmin
: the admin status (True/False/None), where None means itshould be unchanged.
auth_state
: the dictionary of of auth statereturned by
oauthenticator.OAuthenticator.build_auth_state_dict()
Called by the
oauthenticator.OAuthenticator.authenticate()
- user_info_to_username(user_info)#
Gets the self.username_claim key’s value from the user_info dictionary.
Should be overridden by the authenticators for which the hub username cannot be extracted this way and needs extra processing.
- Parameters:
user_info – the dictionary returned by the userdata request
- Returns:
user_info[“self.username_claim”] or raises an error if such value isn’t found.
Called by the
oauthenticator.OAuthenticator.authenticate()
- userdata_params c.OAuthenticator.userdata_params = Dict()#
Userdata params to get user data login information.
- userdata_token_method c.OAuthenticator.userdata_token_method = Unicode('header')#
Method for sending access token in userdata request.
Supported methods: header, url.
- userdata_url c.OAuthenticator.userdata_url = Unicode('')#
The URL to where this authenticator makes a request to acquire user details with an access token received via a request to the
token_url
.For more context, see the Protocol Flow section in the OAuth2 standard document, specifically steps E-F.
- username_claim c.OAuthenticator.username_claim = Unicode('username')#
The key to get the JupyterHub username from in the data response to the request made to
userdata_url
.Examples include: email, username, nickname
What keys are available will depend on the scopes requested and the authenticator used.
- username_map c.OAuthenticator.username_map = Dict()#
Dictionary mapping authenticator usernames to JupyterHub users.
Primarily used to normalize OAuth user names to local users.
- username_pattern c.OAuthenticator.username_pattern = Unicode('')#
Regular expression pattern that all valid usernames must match.
If a username does not match the pattern specified here, authentication will not be attempted.
If not set, allow any username.
- validate_server_cert c.OAuthenticator.validate_server_cert = Bool(False)#
Determines if certificates are validated.
Only set this to False if you feel confident it will not be a security concern.
- whitelist c.OAuthenticator.whitelist = Set()#
Deprecated, use
Authenticator.allowed_users