Google specific configs

Note: Follow the instructions below after you have finished setting up Google.

If you'd like to rely on Google Groups for managing access to JupyterHub, do the following:

Install googlegroups extra_requires

pip install oauthenticator[googlegroups]

Create a service account with read-only access to groups and users that can impersonate a G Suite admin user

Google does not offer an API that lets users check which groups they belong to. To check which groups a user belongs to, we therefore have to use a service account and give it read-only access to users and groups.

Instructions

Create service account and credentials

  1. Open the Service accounts page. If prompted, select a project.

  2. Click (+) Create Service Account, then enter a name and description for the service account. You can use the default service account ID, or choose a different, unique one. When done, click Create.

  3. The Service account permissions (optional) section that follows is not required. Click Continue.

  4. On the Grant users access to this service account screen, scroll down to the Create key section. Click (+) Create key.

  5. In the side panel that appears, select the format for your key: JSON

  6. Click Create. Your new public/private key pair is generated and downloaded to your machine; it serves as the only copy of this key. For information on how to store it securely, as well as other best practices, see Best practices for managing service account keys.

  7. Click Close on the Private key saved to your computer dialog, then click Done to return to the table of your service accounts.

  8. Locate the newly-created service account in the table. Under Actions, click then Edit.

  9. In the service account details, click 🔽 Show domain-wide delegation, then ensure the Enable G Suite Domain-wide Delegation checkbox is checked.

  10. If you haven’t yet configured your app’s OAuth consent screen, you must do so before you can enable domain-wide delegation. Follow the on-screen instructions to configure the OAuth consent screen, then repeat the above steps and re-check the checkbox.

  11. Click Save to update the service account, and return to the table of service accounts. A new column, Domain-wide delegation, can be seen. Click View Client ID to obtain and make a note of the client ID.

Delegate domain-wide authority to your service account

  1. Go to your G Suite domain’s Admin console.

  2. Select Security from the list of controls. If you don’t see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls.

  3. Select Advanced settings from the list of options.

  4. Select Manage API client access in the Authentication section.

  5. In the Client name field, enter the client ID obtained from the service account creation steps above.

  6. In the One or More API Scopes field enter the scopes required for your application (for a list of possible scopes, see Authorize requests). Please enter: https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly

  7. Click the Authorize button.

In jupyterhub_config.py, add the lines below:

Note: If you remove a member from a Google group, you will have to force that user to log in again for the change to take effect.

If you want to manage admin users and allowed users via Google groups

c.GoogleOAuthenticator.gsuite_administrator = {'example.com': 'someuser'}
c.GoogleOAuthenticator.google_service_account_keys = {'example.com': '/path/to/service_account.json'}
c.GoogleOAuthenticator.admin_google_groups = {'example.com': ['someadmingroup']}
c.GoogleOAuthenticator.allowed_google_groups = {'example.com': ['somegroupwithaccess', 'othergroupwithaccess'] }

If you only want to allow users via Google groups

c.GoogleOAuthenticator.gsuite_administrator = {'example.com': 'someuser'}
c.GoogleOAuthenticator.google_service_account_keys = {'example.com': '/path/to/service_account.json'}
c.GoogleOAuthenticator.allowed_google_groups = {'example.com': ['somegroupwithaccess', 'othergroupwithaccess'] }

If you want to manage admin users via Google groups

c.GoogleOAuthenticator.gsuite_administrator = {'example.com': 'someuser'}
c.GoogleOAuthenticator.google_service_account_keys = {'example.com': '/path/to/service_account.json'}
c.GoogleOAuthenticator.admin_google_groups = {'example.com': ['someadmingroup']}
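
A preflight check for the settings above, added here as an example (it is not part of OAuthenticator or of the original page). It reports domains that have group settings but no `gsuite_administrator` or key entry, and key files that are unreadable, not service account keys, or readable by group/others. The function names and the required-field list are assumptions, as is the rule that every domain with groups needs both entries (taken from the examples above); POSIX file modes are assumed.

```python
import json
import os
import stat

# Assumption: fields a usable service account JSON key must carry.
REQUIRED_KEY_FIELDS = ("client_email", "private_key", "token_uri")

def check_key_file(path):
    """Return a list of problems found with one service account key file."""
    problems = []
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path) as f:
            key = json.load(f)
    except (OSError, ValueError) as exc:
        return [f"{path}: cannot read key file ({exc})"]
    if mode & 0o077:
        problems.append(f"{path}: mode {mode:o} lets group/others access the private key")
    if not isinstance(key, dict) or key.get("type") != "service_account":
        return problems + [f"{path}: not a service account JSON key"]
    for field in REQUIRED_KEY_FIELDS:
        if not key.get(field):
            problems.append(f"{path}: missing field {field!r}")
    return problems

def preflight(gsuite_administrator, google_service_account_keys,
              admin_google_groups=None, allowed_google_groups=None):
    """Cross-check the per-domain dicts set in jupyterhub_config.py."""
    problems = []
    group_domains = set(admin_google_groups or {}) | set(allowed_google_groups or {})
    for domain in sorted(group_domains):
        if domain not in gsuite_administrator:
            problems.append(f"{domain}: groups configured but no gsuite_administrator")
        if domain not in google_service_account_keys:
            problems.append(f"{domain}: groups configured but no service account key")
    for path in google_service_account_keys.values():
        problems += check_key_file(path)
    return problems

if __name__ == "__main__":
    import tempfile
    # Constructed sample key (not a real credential), made world-readable on purpose.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "service_account.json")
        with open(path, "w") as f:
            json.dump({"type": "service_account", "client_email": "sa@example.invalid",
                       "private_key": "PLACEHOLDER", "token_uri": "https://oauth2.googleapis.com/token"}, f)
        os.chmod(path, 0o644)
        print("\n".join(preflight({"example.com": "someuser"}, {"example.com": path},
                                  allowed_google_groups={"example.org": ["somegroupwithaccess"]})))
```

Run it with the same dictionaries you assign in `jupyterhub_config.py`; an empty list means no problems were found.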

You are done!

How to retrieve an access_token and refresh_token for all scopes at once

In your jupyterhub_config.py do the following:

c.OAuthenticator.extra_authorize_params = {'access_type': 'offline', 'approval_prompt': 'force'}

For more params you can use, go here