Changelog

Contents

Changelog#

For detailed changes from the prior release, click on the version number, and its link will bring up a GitHub listing of changes. Use git log on the command line for details.

Unreleased#

16.3.1 - 2024-06-11#

Important

This release includes a security patch for GlobusOAuthenticator. See GHSA-gprj-3p75-f996 for details.

(full changelog)

New features added#

Contributors to this release#

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@consideRatio (activity) | @manics (activity) | @minrk (activity) | @yuvipanda (activity)

16.3.0 - 2024-03-20#

Important

This release includes a security patch for GoogleOAuthenticator.hosted_domain, see GHSA-55m3-44xf-hg4h for details.

OAuthenticator now requires JupyterHub >=2.2.

(full changelog)

New features added#

Maintenance and upkeep improvements#

Documentation improvements#

Contributors to this release#

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@benjimin (activity) | @consideRatio (activity) | @GeorgianaElena (activity) | @krassowski (activity) | @manics (activity) | @minrk (activity) | @thomafred (activity) | @yuvipanda (activity)

16.2#

16.2.1 - 2023-11-27#

Bugs fixed#

  • [CILogon] Fix missing schema entry for default under allowed_idps #704 (@consideRatio)

16.2.0 - 2023-11-23#

New features added#

Bugs fixed#

Continuous integration improvements#

Contributors to this release#

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@consideRatio (activity) | @GeorgianaElena (activity) | @manics (activity) | @minrk (activity) | @yaleman (activity)

16.1#

16.1.1 - 2023-10-18#

Note

The OkpyOAuthenticator was removed in this patch release as its believed to have no users. If you were an active user, please re-configure to use GenericOAuthenticator like described in this comment and let us know in another comment.

Bugs fixed#

Maintenance and upkeep improvements#

Continuous integration improvements#

Contributors to this release#

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@consideRatio (activity) | @do-it-tim (activity) | @GeorgianaElena (activity) | @manics (activity) | @minrk (activity) | @yuvipanda (activity)

16.1.0 - 2023-09-28#

New features added#

Enhancements made#

Bugs fixed#

Documentation improvements#

Contributors to this release#

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@consideRatio (activity) | @GeorgianaElena (activity) | @johnpmayer (activity) | @jorado (activity) | @manics (activity) | @mehalter (activity) | @minrk (activity)

16.0#

16.0.7 - 2023-08-21#

Bugs fixed#

Contributors to this release#

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@consideRatio (activity) | @jinserk (activity) | @GeorgianaElena (activity)

16.0.6 - 2023-08-17#

16.0.6 is a bugfix release, fixing a crash on startup when combining enable_auth_state with Google, Globus, or Bitbucket. The group membership fields are lists, which were switched to sets in 16.0, but that is not allowed by JupyterHub’s JSON serialization of auth_state.

Bugs fixed#

  • [Google, Globus, Bitbucket] Ensure auth_state is JSON serializable (lists are, not sets) #668 (@consideRatio, @minrk)

Documentation improvements#

Contributors to this release#

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@consideRatio (activity) | @minrk (activity) | @tico24 (activity)

16.0.5 - 2023-08-15#

Bugs fixed#

Contributors to this release#

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@consideRatio (activity) | @minrk (activity)

16.0.4 - 2023-08-11#

Bugs fixed#

Documentation improvements#

Contributors to this release#

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@consideRatio (activity) | @manics (activity) | @matthewwiese (activity) | @minrk (activity) | @NickolausDS (activity) | @stes (activity) | @taylorgibson (activity)

16.0.3 - 2023-07-08#

Documentation improvements#

  • docs: update v16 changelog to capture missed change about allow_all #651 (@consideRatio)

16.0.2 - 2023-07-06#

Bugs fixed#

Maintenance and upkeep improvements#

  • [Generic] Deprecate tls_verify in favor of validate_server_cert #647 (@consideRatio)

16.0.1 - 2023-07-05#

Bugs fixed#

Documentation improvements#

16.0.0 - 2023-07-05#

The project has been refactored greatly to make it easier to use, understand, and maintain its code and documentation. This release has several breaking changes and deprecations you should read through before upgrading.

Note

This changelog entry has been updated to capture previously undocumented changes and new changes in 16.0.2, please upgrade directly to 16.0.2 or higher.

Breaking changes#

Deprecations#

A new structure#

The authenticators are no longer overriding the authenticate method, but instead relying on the OAuthenticator base class authenticate method which calls a few lower level methods that can be overridden if needed. Like this, a lot of code has been absorbed into the OAuthenticator base class that was previously duplicated across authenticators.

To learn more about this new structure the provider specific authenticator classes rely on, please for now inspect the source code for the OAuthenticator.authenticate and OAuthenticator.check_allowed methods. Plans on writing more thorough documentation about this new structure is tracked in issue #634.

New features added#

Enhancements made#

Bugs fixed#

Maintenance and upkeep improvements#

Documentation improvements#

Continuous integration improvements#

Contributors to this release#

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@Bougakov (activity) | @consideRatio (activity) | @floriandeboissieu (activity) | @GeorgianaElena (activity) | @jabbera (activity) | @jimdigriz (activity) | @kianaf (activity) | @manics (activity) | @minrk (activity) | @Sheila-nk (activity) | @yuvipanda (activity)

15.0#

15.1.0 - 2022-09-08#

New features added#

  • [Auth0] Add auth0_domain config #534 (@drhagen)

  • [CILogon] Add allowed_domains to allowed_idps config for a possiblity to restrict access based on idp + domain #518 (@GeorgianaElena)

Enhancements made#

  • [Generic] Allow passing a string separated by periods for claim_groups_key #537 (@dingobar)

Documentation improvements#

Contributors to this release#

(GitHub contributors page for this release)

@consideRatio | @dingobar | @drhagen | @GeorgianaElena | @manics | @minrk | @terrencegf | @yuvipanda

15.0.1 - 2022-06-09#

Bugs fixed#

  • [Bitbucket] Fix for changes to bitbucket API - /teams removed and /workspaces to be used #477 (@Marcalberga)

  • [CILogon] Don’t make action a required field of CILogonOAuthenticator.allowed_idps follow-up #517 (@GeorgianaElena)

  • [CILogon] Don’t make action a required field of CILogonOAuthenticator.allowed_idps #516 (@GeorgianaElena)

Contributors to this release#

(GitHub contributors page for this release)

@consideRatio | @GeorgianaElena | @Marcalberga | @welcome

15.0.0 - 2022-06-03#

If you are using AzureAD, MediaWiki, and CILogon authenticators, make sure to read about the breaking changes.

Breaking security change#

  • CILogonOAuthenticator has breaking changes and come with a migration guide. These changes resolve the known vulnerability GHSA-r7v4-jwx9-wx43. Your hub will fail to start if you do not follow the migration guide.

Other breaking changes#

  • pyjwt version 2.4.0 or greater is now required when use with authentication classes that needs it: AzureAdOAuthenticator, MWOAuthenticator.

New features added#

Enhancements made#

Bugs fixed#

Maintenance and upkeep improvements#

Documentation improvements#

Contributors to this release#

(GitHub contributors page for this release)

@alejandrosame | @brianaydemir | @consideRatio | @diego-plan9 | @GeorgianaElena | @halfak | @kkaraivanov1 | @manics | @minrk | @missingcharacter | @rkdarst | @sgaist | @yuvipanda

14.2#

14.2.0 - 2021-08-09#

Enhancements made#

  • [GitHub] Add syntax to allow specific teams in a GitHub organization #449 (@j0nnyr0berts)

Contributors to this release#

(GitHub contributors page for this release)

@consideRatio | @dhirschfeld | @j0nnyr0berts | @jabbera | @manics | @sgibson91

14.1#

14.1.0 - 2021-07-19#

New features added#

  • [Globus] Add config to manage: allowed, admin, and blocked users through Globus groups #441 (@rpwagner)

  • [Globus] Add config username_from_email #440 (@rpwagner)

  • [Auth0] Add config username_key - maps identity providers response to a JH username #439 (@GeorgianaElena)

  • [All] Support custom logout url (logout_redirect_url) #437 (@GeorgianaElena)

Bugs fixed#

  • [GitLab] Fix missing use validate_server_cert config for some web requests #443 (@wOvAN)

  • [GitHub] Set JH user’s email with non-public email if needed and granted scope to do so #442 (@satra)

Maintenance and upkeep improvements#

Documentation improvements#

Contributors to this release#

(GitHub contributors page for this release)

@consideRatio | @GeorgianaElena | @harrywang | @holdenk | @mafloh | @manics | @minrk | @NickolausDS | @rpwagner | @satra | @wOvAN

14.0#

14.0.0 - 2021-04-09#

New features added#

Enhancements made#

Bugs fixed#

  • [azuread] pyjwt 1+2 compatibility, azuread test coverage #420 (@minrk)

Maintenance and upkeep improvements#

  • Test oldest dependencies and bump jupyterhub required to 1.2 #413 (@consideRatio)

  • [Generic] Remove userdata_method configuration supposedly not relevant #376 (@consideRatio)

Documentation improvements#

Contributors to this release#

(GitHub contributors page for this release)

@consideRatio | @dhirschfeld | @dtaniwaki | @dwilliams782 | @holdenk | @manics | @manning-ncsa | @mcmartins | @minrk | @support | @welcome | @wseaton

0.13#

0.13.0 - 2021-02-04#

Enhancements made#

Bugs fixed#

Contributors to this release#

(GitHub contributors page for this release)

@biomath-vlad | @consideRatio | @kianaf | @manics | @rragundez | @yuvipanda

0.12#

[0.12.3] - 2020-12-04#

Bugs fixed#

  • Fix exception when enable_auth_state is enabled but user.encrypted_auth_state is None #391 (@rkevin-arch)

Maintenance and upkeep improvements#

Contributors to this release#

(GitHub contributors page for this release)

@consideRatio | @minrk | @rkevin-arch | @snickell

0.12.2 - 2020-11-30#

Security fix for GHSA-384w-5v3f-q499: Deprecated c.Authenticator.whitelist configuration was ignored instead of mapped to newer c.Authenticator.allowed_users when used with JupyterHub 1.2 and OAuthenticator 0.12.0-0.12.1.

0.12.1 - 2020-11-20#

Bugs fixed#

  • Avoid appending code, state parameters to next_url #386 (@minrk)

Maintenance and upkeep improvements#

Contributors to this release#

(GitHub contributors page for this release)

@consideRatio | @manics | @minrk

0.12.0 - 2020-10-26#

Enhancements made#

Bugs fixed#

  • [All] Let auth cookie be influenced by JupyterHub’s cookie_options configuration #378 (@Wh1isper)

  • [GitHub] Respect validate_server_cert attribute #354 (@nvs-abhilash)

  • [Generic] tls verify not being honored at the httprequest level when internal_ssl is enabled #326 (@sstarcher)

Maintenance and upkeep improvements#

Documentation improvements#

Contributors to this release#

(GitHub contributors page for this release)

@ablekh | @akhmerov | @Analect | @arneki | @bellackn | @betatim | @CJCShadowsan | @cmseal | @consideRatio | @d0m84 | @daniel-ciocirlan | @dmpe | @dmvieira | @GeorgianaElena | @ghezalsherdil | @guimou | @gweis | @hardik42 | @hbuttguavus | @jamescross91 | @linkcd | @louis-she | @manics | @meeseeksmachine | @michec81 | @minrk | @missingcharacter | @mransley | @NickolausDS | @nscozzaro | @nvs-abhilash | @patback66 | @PaulMazzuca | @RAbraham | @sampathkethineedi | @saurav-bhagat | @shivan10 | @SolarisYan | @sstarcher | @support | @umar-sik | @vpavlin | @welcome | @Wh1isper | @willingc | @yuvipanda | @zhiyuli

0.11#

0.11.0 - 2020-01-30#

The main change in 0.11 is a refactoring of classes to remove mixins, reducing the amount of boilerplate needed. In addition, there are some fixes to the Azure AD Authenticator. This should be a fully backward-compatible change, except in cases where some subclasses were importing these now-unneeded mixin classes, such as GitHubLoginHandler, GitHubMixin, etc.

All options should now be configurable via the standard jupyterhub config file. There should no longer be any options that are only configurable via environment variable.

This release also removes the latest Authenticators added in 0.10 (AzureAdB2COAuthenticator, AWSCognitoOAuthenticator, YandexOAuthenticator), which were released without being fully supported and which can be achieved through configuration of existing classes, such as AzureAd and Generic.

We don’t plan to accept further contributions of new providers if they can be achieved through customization or configuration of existing classes. Rather, contributors are encouraged to provide example documentation for using new providers, or pull requests addressing gaps necessary to do so with the GenericOAuthenticator.

Merged PRs#

  • [AzureAD] Don’t pass resource when requesting a token #328 (@craigminihan)

  • Remove mixins, per-Authenticator LoginHandler classes #323 (@minrk)

  • [AzureAD] Add support for setting login_service #319 (@zevaryx)

  • skeleton of sphinx docs #316 (@minrk)

Contributors to this release#

(GitHub contributors page for this release)

@consideRatio | @craigminihan | @Dmitry1987 | @manics | @minrk | @NickolausDS | @zevaryx

0.10#

0.10.0 - 2019-11-27#

New#

Fixed#

  • mediawiki: utf-8 > binary strings, req. mwoauth>=0.3.7 #297 (@consideRatio)

  • Fixed Globus Logout Handler, added test #288 (@NickolausDS)

  • Include inherited members in GitLab auth checks, requires GitLab 12.4 or newer, but will fall back to previous behavior for older GitLab versions. #283 (@vindvaki)

Maintenance#

0.9#

0.9.0 - 2019-07-30#

  • switch to asyncio coroutines from tornado coroutines (requires Python 3.5)

  • add GenericOAuthenticator.userdata_token_method configurable

  • add GenericOAuthenticator.basic_auth configurable

  • support for OpenShift 4.0 API changes

0.8#

0.8.2 - 2019-04-16#

  • Validate login URL redirects to avoid Open Redirect issues.

0.8.1 - 2019-02-28#

  • Provide better error messages

  • Allow auth scope to be array or strings

  • GitHubOAuthenticator: More efficient org_whitelist check

  • Use pytest-asyncio instead of pytest-tornado

  • CILogon: New additional_username_claims config for linked identities, fallback to the primary username claim

  • GitLabOAuthenticator: New project_id_whitelist config to whitelist users who have Developer+ access to the project

  • GoogleOAuthenticator: Allow email domains (hosted_domain) to be a list

  • Add jupyterhub-authenticator entrypoints for jupyterhub 1.0.

  • Cleanup & bugfixes

0.8.0 - 2018-08-10#

  • Add azuread.AzureADOAuthenticator

  • Add CILogonOAuthenticator.idp_whitelist and CILogonOAuthenticator.strip_idp_domain options

  • Add GenericOAuthenticator.tls_verify and GenericOAuthenticator.extra_params options

  • Add refresh token and scope to generic oauthenticator auth state

  • Better error messages when GitHub oauth fails

  • Stop normalizing mediawiki usernames, which can be case-sensitive

  • Fixes for group-membership checks with GitLab

  • Bugfixes in various authenticators

  • Deprecate GITLAB_HOST in favor of GITLAB_URL, since we expect https:// in the url, not just the host.

0.7#

0.7.3 - 2018-02-16#

0.7.3 is a security fix for CVE-2018-7206. It fixes handling of gitlab_group_whitelist when using GitLabOAuthenticator. The same fix is backported to 0.6.2.

0.7.2 - 2017-10-27#

  • Fix CILogon OAuth 2 implementation. ePPN claim is used for default username (typically institutional email). CILogonOAuthenticator.username_claim can be used to change which field is used for JupyterHub usernames.

  • GenericOAuthenticator.login_service is now configurable.

  • default to GitLab API version 4 and allow v3 via GITLAB_API_VERSION=3 environment variable.

  • Add GlobusOAuthenticator.revoke_tokens_on_logout and GlobusOAuthenticator.logout_redirect_url config for further clearing of credentials on JupyterHub logout.

0.7.1 - 2017-10-04#

  • fix regression in 0.7.0 preventing authentication via providers other than GitHub, MediaWiki

0.7.0 - 2017-10-02#

0.7.0 adds significant new functionality to all authenticators.

  • CILogon now uses OAuth 2 instead of OAuth 1, to be more consistent with the rest.

  • All OAuthenticators support auth_state when used with JupyterHub 0.8. In every case, the auth_state is a dict with two keys: access_token and the user-info reply identifying the user. For instance, GitHubOAuthenticator auth_state looks like:

    {
      'acces_token': 'abc123',
      'github_user': {
        'username': 'fake-user',
        'email': 'fake@email.com',
        ...
      }
    }
    

    auth_state can be passed to Spawners by defining a .pre_spawn_start method. See examples/auth_state for an example.

  • All OAuthenticators have a .scope trait, which is a list of string scopes to request. See your OAuth provider’s documentation for what scopes you may want. This is useful in conjunction with auth_state, which may be used to pass access tokens to Spawners via environment variables. .scope can control what permissions those tokens will have. In general, OAuthenticator default scopes should only have read-only access to identify users.

  • GITHUB_HTTP environment variable can be used to talk to HTTP-only GitHub Enterprise deployments.

0.6#

0.6.2 - 2018-02-16#

0.6.2 is a security fix for CVE-2018-7206. It fixes handling of gitlab_group_whitelist when using GitLabOAuthenticator.

0.6.1 - 2017-08-11#

0.6.1 has bugfixes for new behaviors in 0.6.0

  • Use .login_url and next_url from JupyterHub if defined (JupyterHub 0.8)

  • Fix empty login_url where final login redirect could be omitted

  • Fix mediawiki authenticator, which broke in 0.6.0

  • Encode state as base64 instead of JSON, for easier passing in URLs

0.6.0 - 2017-07-25#

  • Support for changes in upcoming JupyterHub 0.8

  • Refactor to share more code across providers

  • Deprecated GITHUB_CLIENT_ID and other provider-specific environment variables for common options. All OAuthenticators support the same OAUTH_CLIENT_ID, OAUTH_CLIENT_SECRET, and OAUTH_CALLBACK_URL environment variables.

  • New authenticators:

    • auth0

    • globus

    • okpy

    • openshift

    • generic - a generic implementation that can work with any OAuth2 provider

0.5#

0.5.1 - 2016-10-05#

  • Fixes in BitbucketOAuthenticator.check_whitelist

0.5.0 - 2016-09-02#

  • Add GitLabOAuthenticator

0.4#

0.4.1 - 2016-05-18#

  • Fix typo preventing Google OAuth from working in 0.4.0

0.4.0 - 2016-05-11#

  • Enable username normalization (for mixed-case names on GitHub, requires JupyterHub 0.5). This removes GitHubOAuthenticator.username_map introduced in 0.3, because the oauth2 Authenticator has .username_map as of 0.5.

0.3 - 2016-04-20#

  • Add Google authenticator

  • Allow specifying OAuth scope

  • Add GitHubOAuthenticator.username_map for mapping GitHub usernames to system usernames.

0.2 - 2016-01-04#

  • Add mediawiki authenticator

0.1 - 2015-12-22#

  • First release