oauthenticator.cilogon#
A JupyterHub authenticator class for use with CILogon as an identity provider.
- class oauthenticator.cilogon.CILogonOAuthenticator(**kwargs: Any)#
- additional_username_claims c.CILogonOAuthenticator.additional_username_claims = List()#
Removed in version 16.0: Use
allowed_idps
.
- admin_groups c.CILogonOAuthenticator.admin_groups = Set()#
Allow members of selected groups to sign in and consider them as JupyterHub admins.
If this is set and a user isn’t part of one of these groups or listed in
admin_users
, a user signing in will have their admin status revoked.Requires
manage_groups
to also beTrue
.Added in version 17: Previously available only on
GenericOAuthenticator
- admin_users c.CILogonOAuthenticator.admin_users = Set()#
Set of users that will be granted admin rights on this JupyterHub.
Note
As of JupyterHub 2.0, full admin rights should not be required, and more precise permissions can be managed via roles.
Caution
Adding users to
admin_users
can only grant admin rights, removing a username from the admin_users set DOES NOT remove admin rights previously granted.For an authoritative, restricted set of admins, assign explicit membership of the
admin
role:c.JupyterHub.load_roles = [ { "name": "admin", "users": ["admin1", "..."], } ]
Admin users can take every possible action on behalf of all users, for example:
Use the admin panel to see list of users logged in
Add / remove users in some authenticators
Restart / halt the hub
Start / stop users’ single-user servers
Can access each individual users’ single-user server
Admin access should be treated the same way root access is.
Defaults to an empty set, in which case no user has admin access.
- allow_all c.CILogonOAuthenticator.allow_all = Bool(False)#
Allow all authenticated users to login.
Overrides all other
allow
configuration.Added in version 16.0.
- allow_existing_users c.CILogonOAuthenticator.allow_existing_users = Bool(False)#
Allow existing users to login.
Enable this if you want to manage user access via the JupyterHub admin page (/hub/admin).
With this enabled, all users present in the JupyterHub database are allowed to login. This has the effect of any user who has _previously_ been allowed to login via any means will continue to be allowed until the user is deleted via the /hub/admin page or REST API.
Warning
Before enabling this you should review the existing users in the JupyterHub admin panel at
/hub/admin
. You may find users existing there because they have previously been declared in config such asallowed_users
or allowed to sign in.Warning
When this is enabled and you wish to remove access for one or more users previously allowed, you must make sure that they are removed from the jupyterhub database. This can be tricky to do if you stop allowing a group of externally managed users for example.
With this enabled, JupyterHub admin users can visit
/hub/admin
or use JupyterHub’s REST API to add and remove users to manage who can login.Added in version 16.0.
Changed in version 16.0: Before this config was available, the default behavior was to allow existing users if
allowed_users
was configured with one or more user.
- allowed_groups c.CILogonOAuthenticator.allowed_groups = Set()#
Allow members of selected JupyterHub groups to log in.
Requires
manage_groups
to also beTrue
. Typically also requiresauth_state_groups_key
to be configured to populate the JupyterHub groups.This option is independent of other configuration such as
GitLabOAuthenticator.allowed_gitlab_groups
, which do not populate the JupyterHub groups, and do not requiremanage_groups
to be True.Added in version 17: Previously available only on
GenericOAuthenticator
- allowed_idps c.CILogonOAuthenticator.allowed_idps = Dict()#
A dictionary of the only entity IDs that will be allowed to be used as login options. See https://cilogon.org/idplist for the list of
EntityIDs
of each IdP.It can be used to enable domain stripping, adding prefixes to the usernames and to specify an identity provider specific username claim.
For example:
c.CILogonOAuthenticator.allowed_idps = { "https://idpz.utorauth.utoronto.ca/shibboleth": { "username_derivation": { "username_claim": "email", "action": "strip_idp_domain", "domain": "utoronto.ca", }, "allow_all": True, "default": True, }, "http://google.com/accounts/o8/id": { "username_derivation": { "username_claim": "email", "action": "prefix", "prefix": "google", }, "allowed_domains": ["uni.edu", "something.org"], }, "https://github.com/login/oauth/authorize": { "username_derivation": { "username_claim": "preferred_username", "action": "prefix", "prefix": "github", }, # allow_all or allowed_domains not specified for ths idp, # this means that its users must be explicitly allowed # with a config such as allowed_users or admin_users. }, } c.Authenticator.admin_users = ["github-user1"] c.Authenticator.allowed_users = ["github-user2"]
This is a description of the configuration you can pass to
allowed_idps
.default
: bool (optional)Determines the identity provider to be pre-selected in a list for users arriving to CILogons login screen.
username_derivation
: string (required)username_claim
: string (required)The claim in the
userinfo
response from which to define the JupyterHub username. Examples include:eppn
,email
. What keys are available will depend on the scopes requested.
action
: stringWhat action to perform on the username. Available options are “strip_idp_domain”, which will strip the domain from the username if specified and “prefix”, which will prefix the hub username with “prefix:”.
domain:
string (required if action is strip_idp_domain)The domain after “@” which will be stripped from the username if it exists and if the action is “strip_idp_domain”.
prefix
: string (required if action is prefix)The prefix which will be added at the beginning of the username followed by a semi-column “:”, if the action is “prefix”.
allow_all
: bool (defaults to False)Configuring this allows all users authenticating with this identity provider.
allowed_domains
: list of stringsAllows users associated with a listed domain to sign in.
Use of wildcards
*
and a bit more is supported via Python’sfnmatch
function since version 16.2. Settingallowed_domains
to["jupyter.org", "*.jupyter.org"]
would for example allow users withjovyan@jupyter.org
orjovyan@hub.jupyter.org
usernames.The domain the user is associated with is based on the username by default in version 16, but this can be reconfigured to be based on a claim in the
userinfo
response viaallowed_domains_claim
. The domain is treated case insensitive and can either be directly specified by the claim’s value or extracted from an email string.
allowed_domains_claim
: string (optional)This configuration represents the claim in the
userinfo
response to identify a domain that could allow a user to sign in viaallowed_domains
.The claim can defaults to the username claim in version 16, but this will change to “email” in version 17.
Added in version 16.2.
Changed in version 15.0: Changed format from a list to a dictionary.
- allowed_scopes c.CILogonOAuthenticator.allowed_scopes = List()#
Allow users who have been granted all these scopes to log in.
We request all the scopes listed in the ‘scope’ config, but only a subset of these may be granted by the authorization server. This may happen if the user does not have permissions to access a requested scope, or has chosen to not give consent for a particular scope. If the scopes listed in this config are not granted, the user will not be allowed to log in.
The granted scopes will be part of the access token (fetched from self.token_url). See https://datatracker.ietf.org/doc/html/rfc6749#section-3.3 for more information.
See the OAuth documentation of your OAuth provider for various options.
- allowed_users c.CILogonOAuthenticator.allowed_users = Set()#
Set of usernames that should be allowed to login.
If unspecified, grants no access. You must set at least one other
allow
configuration if any users are to have permission to access the Hub.Any usernames in
admin_users
will also be allowed to login.
- any_allow_config c.CILogonOAuthenticator.any_allow_config = Bool(False)#
Is there any allow config?
Used to show a warning if it looks like nobody can access the Hub, which can happen when upgrading to JupyterHub 5, now that
allow_all
defaults to False.Deployments can set this explicitly to True to suppress the “No allow config found” warning.
Will be True if any config tagged with
.tag(allow_config=True)
or starts withallow
is truthy.Added in version 5.0.
- auth_refresh_age c.CILogonOAuthenticator.auth_refresh_age = Int(300)#
The max age (in seconds) of authentication info before forcing a refresh of user auth info.
Refreshing auth info allows, e.g. requesting/re-validating auth tokens.
See
refresh_user()
for what happens when user auth info is refreshed (nothing by default).
- auth_state_groups_key c.CILogonOAuthenticator.auth_state_groups_key = Union()#
Determine groups this user belongs based on contents of auth_state.
Can be a string key name (use periods for nested keys), or a callable that accepts the auth state (as a dict) and returns the groups list. Callables may be async.
Requires
manage_groups
to also beTrue
.Added in version 17.0: Previously available as
GenericOAuthenticator.claim_groups_key
- authorize_url c.CILogonOAuthenticator.authorize_url = Unicode('')#
The URL to where the user is to be redirected initially based on the OAuth2 protocol. The user will be redirected back with an authorization grant code after authenticating successfully with the identity provider.
For more context, see the Protocol Flow section in the OAuth2 standard document, specifically steps A-B.
- auto_login c.CILogonOAuthenticator.auto_login = Bool(False)#
Automatically begin the login process
rather than starting with a “Login with…” link at
/hub/login
To work,
.login_url()
must give a URL other than the default/hub/login
, such as an oauth handler or another automatic login handler, registered with.get_handlers()
.Added in version 0.8.
- auto_login_oauth2_authorize c.CILogonOAuthenticator.auto_login_oauth2_authorize = Bool(False)#
Automatically begin login process for OAuth2 authorization requests
When another application is using JupyterHub as OAuth2 provider, it sends users to
/hub/api/oauth2/authorize
. If the user isn’t logged in already, and auto_login is not set, the user will be dumped on the hub’s home page, without any context on what to do next.Setting this to true will automatically redirect users to login if they aren’t logged in only on the
/hub/api/oauth2/authorize
endpoint.Added in version 1.5.
- basic_auth c.CILogonOAuthenticator.basic_auth = Bool(False)#
Whether or to use HTTP Basic authentication instead of form based authentication in requests to
token_url
.When using HTTP Basic authentication, a HTTP header is set with the
client_id
andclient_secret
encoded in it.When using form based authentication, the
client_id
andclient_secret
is put in the HTTP POST request’s body.Changed in version 16.0.0: This configuration now toggles between HTTP Basic authentication and form based authentication when working against the
token_url
.Previously when this was configured True, both would be used contrary to a recommendation in OAuth 2.0 documentation.
Changed in version 16.0.2: The default value for this configuration for GenericOAuthenticator changed from True to False.
- blocked_users c.CILogonOAuthenticator.blocked_users = Set()#
Set of usernames that are not allowed to log in.
Use this with supported authenticators to restrict which users can not log in. This is an additional block list that further restricts users, beyond whatever restrictions the authenticator has in place.
If empty, does not perform any additional restriction.
Changed in version 5.2: Users blocked via
blocked_users
that may have logged in in the past have all permissions and group membership revoked and all servers stopped at JupyterHub startup. Previously, User permissions (e.g. API tokens) and servers were unaffected and required additional administrator operations to block after a user is added toblocked_users
.Changed in version 1.2:
Authenticator.blacklist
renamed toblocked_users
- async check_allowed(username, auth_model)#
Overrides the OAuthenticator.check_allowed to also allow users based on idp specific config
allow_all
andallowed_domains
as configured underallowed_idps
.
- cilogon_host c.CILogonOAuthenticator.cilogon_host = Unicode('cilogon.org')#
Used to determine the default values for
authorize_url
,token_url
, anduserdata_url
.
- client_id c.CILogonOAuthenticator.client_id = Unicode('')#
The client id of the OAuth2 application registered with the identity provider.
- client_secret c.CILogonOAuthenticator.client_secret = Unicode('')#
The client secret of the OAuth2 application registered with the identity provider.
- custom_403_message c.CILogonOAuthenticator.custom_403_message = Unicode('Sorry, you are not currently authorized to use this hub. Please contact the hub administrator.')#
The message to be shown when user was not allowed
- delete_invalid_users c.CILogonOAuthenticator.delete_invalid_users = Bool(False)#
Delete any users from the database that do not pass validation
When JupyterHub starts,
.add_user
will be called on each user in the database to verify that all users are still valid.If
delete_invalid_users
is True, any users that do not pass validation will be deleted from the database. Use this if users might be deleted from an external system, such as local user accounts.If False (default), invalid users remain in the Hub’s database and a warning will be issued. This is the default to avoid data loss due to config changes.
- enable_auth_state c.CILogonOAuthenticator.enable_auth_state = Bool(False)#
Enable persisting auth_state (if available).
auth_state will be encrypted and stored in the Hub’s database. This can include things like authentication tokens, etc. to be passed to Spawners as environment variables.
Encrypting auth_state requires the cryptography package.
Additionally, the JUPYTERHUB_CRYPT_KEY environment variable must contain one (or more, separated by ;) 32B encryption keys. These can be either base64 or hex-encoded.
If encryption is unavailable, auth_state cannot be persisted.
New in JupyterHub 0.8
- enable_pkce c.CILogonOAuthenticator.enable_pkce = Bool(True)#
Enable Proof Key for Code Exchange (PKCE) for the OAuth2 authorization code flow. For more information, see RFC 7636.
PKCE can be used even if the authorization server does not support it. According to section 3.1 of RFC 6749:
The authorization server MUST ignore unrecognized request parameters.
Additionally, section 5 of RFC 7636 states:
As the OAuth 2.0 [RFC6749] server responses are unchanged by this specification, client implementations of this specification do not need to know if the server has implemented this specification or not and SHOULD send the additional parameters as defined in Section 4 to all servers.
Note that S256 is the only code challenge method supported. As per section 4.2 of RFC 6749:
If the client is capable of using “S256”, it MUST use “S256”, as “S256” is Mandatory To Implement (MTI) on the server.
- extra_authorize_params c.CILogonOAuthenticator.extra_authorize_params = Dict()#
Extra GET params to send along with the initial OAuth request to the OAuth provider.
- http_request_kwargs c.CILogonOAuthenticator.http_request_kwargs = Dict()#
Extra default kwargs passed to all HTTPRequests.
# Example: send requests through a proxy c.OAuthenticator.http_request_kwargs = { "proxy_host": "proxy.example.com", "proxy_port": 8080, } # Example: validate against certain root certificates c.OAuthenticator.http_request_kwargs = { "ca_certs": "/path/to/a.crt", }
See
tornado.httpclient.HTTPRequest
for all kwargs options you can pass. Note that the HTTP client making these requests istornado.httpclient.AsyncHTTPClient
.
- idp c.CILogonOAuthenticator.idp = Unicode('')#
Removed in version 15.0: Use
allowed_idps
.
- idp_whitelist c.CILogonOAuthenticator.idp_whitelist = List()#
Removed in version 0.12: Use
allowed_idps
.
- login_handler#
alias of
CILogonLoginHandler
- login_service c.CILogonOAuthenticator.login_service = Unicode('OAuth 2.0')#
Name of the login service or identity provider that this authenticator is using to authenticate users.
This config influences the text on a button shown to unauthenticated users before they click it to login, assuming
auto_login
isn’t configured True.The login button’s text will be “Login with <login_service>”.
- logout_redirect_url c.CILogonOAuthenticator.logout_redirect_url = Unicode('')#
When configured, users are not presented with the JupyterHub logout page, but instead redirected to this destination.
- manage_groups c.CILogonOAuthenticator.manage_groups = Bool(False)#
Let authenticator manage user groups
If True, Authenticator.authenticate and/or .refresh_user may return a list of group names in the ‘groups’ field, which will be assigned to the user.
All group-assignment APIs are disabled if this is True.
- manage_roles c.CILogonOAuthenticator.manage_roles = Bool(False)#
Let authenticator manage roles
If True, Authenticator.authenticate and/or .refresh_user may return a list of roles in the ‘roles’ field, which will be added to the database.
When enabled, all role management will be handled by the authenticator; in particular, assignment of roles via
JupyterHub.load_roles
traitlet will not be possible.Added in version 5.0.
- modify_auth_state_hook c.CILogonOAuthenticator.modify_auth_state_hook = Callable(None)#
Callable to modify
auth_state
Will be called with the Authenticator instance and the existing auth_state dictionary and must return the new auth_state dictionary:
auth_state = [await] modify_auth_state_hook(authenticator, auth_state)
This hook is called before populating group membership, so can be used to make additional requests to populate additional fields which may then be consumed by
auth_state_groups_key
to populate groups.This hook may be async.
- oauth_callback_url c.CILogonOAuthenticator.oauth_callback_url = Unicode('')#
Callback URL to use.
When registering an OAuth2 application with an identity provider, this is typically called the redirect url.
Should very likely be set to
https://[your-domain]/hub/oauth_callback
.
- otp_prompt c.CILogonOAuthenticator.otp_prompt = Any('OTP:')#
The prompt string for the extra OTP (One Time Password) field.
Added in version 5.0.
- post_auth_hook c.CILogonOAuthenticator.post_auth_hook = Any(None)#
An optional hook function that you can implement to do some bootstrapping work during authentication. For example, loading user account details from an external system.
This function is called after the user has passed all authentication checks and is ready to successfully authenticate. This function must return the auth_model dict reguardless of changes to it. The hook is called with 3 positional arguments:
(authenticator, handler, auth_model)
.This may be a coroutine.
Example:
import os import pwd def my_hook(authenticator, handler, auth_model): user_data = pwd.getpwnam(auth_model['name']) spawn_data = { 'pw_data': user_data 'gid_list': os.getgrouplist(auth_model['name'], user_data.pw_gid) } if auth_model['auth_state'] is None: auth_model['auth_state'] = {} auth_model['auth_state']['spawn_data'] = spawn_data return auth_model c.Authenticator.post_auth_hook = my_hook
- refresh_pre_spawn c.CILogonOAuthenticator.refresh_pre_spawn = Bool(False)#
Force refresh of auth prior to spawn.
This forces
refresh_user()
to be called prior to launching a server, to ensure that auth state is up-to-date.This can be important when e.g. auth tokens that may have expired are passed to the spawner via environment variables from auth_state.
If refresh_user cannot refresh the user auth data, launch will fail until the user logs in again.
- request_otp c.CILogonOAuthenticator.request_otp = Bool(False)#
Prompt for OTP (One Time Password) in the login form.
Added in version 5.0.
- reset_managed_roles_on_startup c.CILogonOAuthenticator.reset_managed_roles_on_startup = Bool(False)#
Reset managed roles to result of
load_managed_roles()
on startup.- If True:
stale managed roles will be removed,
stale assignments to managed roles will be removed.
Any role not present in
load_managed_roles()
will be considered ‘stale’.The ‘stale’ status for role assignments is also determined from
load_managed_roles()
result:user role assignments status will depend on whether the
users
key is defined or not:if a list is defined under the
users
key and the user is not listed, then the user role assignment will be considered ‘stale’,if the
users
key is not provided, the user role assignment will be preserved;
service and group role assignments will be considered ‘stale’:
if not included in the
services
andgroups
list,if the
services
andgroups
keys are not provided.
Added in version 5.0.
- scope c.CILogonOAuthenticator.scope = List()#
OAuth scopes to request.
openid
andorg.cilogon.userinfo
is required.Read more about CILogon scopes in https://www.cilogon.org/oidc.
- shown_idps c.CILogonOAuthenticator.shown_idps = List()#
Removed in version 16.0: Use
allowed_idps
.
- skin c.CILogonOAuthenticator.skin = Unicode('')#
The
skin
attribute is the name of the custom CILogon interface skin for your application.Contact help@cilogon.org to request a custom skin.
- strip_idp_domain c.CILogonOAuthenticator.strip_idp_domain = Bool(False)#
Removed in version 15.0: Use
allowed_idps
.
- token_params c.CILogonOAuthenticator.token_params = Dict()#
Extra parameters for first POST request exchanging the OAuth code for an Access Token
- token_url c.CILogonOAuthenticator.token_url = Unicode('')#
The URL to where this authenticator makes a request to acquire an access token based on the authorization code received by the user returning from the
authorize_url
.For more context, see the Protocol Flow section in the OAuth2 standard document, specifically steps C-D.
- user_info_to_username(user_info)#
Overrides OAuthenticator.user_info_to_username that relies on username_claim to instead consider idp specific config in under allowed_idps[user_info[“idp”]][“username_derivation”].
Returns a username based on user_info and configuration in allowed_idps under the associated idp’s username_derivation config.
- userdata_from_id_token c.CILogonOAuthenticator.userdata_from_id_token = Bool(False)#
Extract user details from an id token received via a request to
token_url
, rather than making a follow-up request to the userinfo endpointuserdata_url
.Should only be used if
token_url
uses HTTPS, to ensure token authenticity.For more context, see Authentication using the Authorization Code Flow in the OIDC Core standard document.
- userdata_params c.CILogonOAuthenticator.userdata_params = Dict()#
Userdata params to get user data login information.
- userdata_token_method c.CILogonOAuthenticator.userdata_token_method = Unicode('header')#
Method for sending access token in userdata request.
Supported methods: header, url.
- userdata_url c.CILogonOAuthenticator.userdata_url = Unicode('')#
The URL to where this authenticator makes a request to acquire user details with an access token received via a request to the
token_url
.For more context, see the Protocol Flow section in the OAuth2 standard document, specifically steps E-F.
Incompatible with
userdata_from_id_token
.
- username_claim c.CILogonOAuthenticator.username_claim = Unicode('')#
Removed in version 16.0: Use
allowed_idps
.
- username_map c.CILogonOAuthenticator.username_map = Dict()#
Dictionary mapping authenticator usernames to JupyterHub users.
Primarily used to normalize OAuth user names to local users.
- username_pattern c.CILogonOAuthenticator.username_pattern = Unicode('')#
Regular expression pattern that all valid usernames must match.
If a username does not match the pattern specified here, authentication will not be attempted.
If not set, allow any username.
- validate_server_cert c.CILogonOAuthenticator.validate_server_cert = Bool(False)#
Determines if certificates are validated.
Only set this to False if you feel confident it will not be a security concern.
- whitelist c.CILogonOAuthenticator.whitelist = Set()#
Deprecated, use
Authenticator.allowed_users
- class oauthenticator.cilogon.LocalCILogonOAuthenticator(**kwargs: Any)#
A version that mixes in local system user creation
- add_user_cmd c.LocalCILogonOAuthenticator.add_user_cmd = Command()#
The command to use for creating users as a list of strings
For each element in the list, the string USERNAME will be replaced with the user’s username. The username will also be appended as the final argument.
For Linux, the default value is:
[‘adduser’, ‘-q’, ‘–gecos’, ‘””’, ‘–disabled-password’]
To specify a custom home directory, set this to:
[‘adduser’, ‘-q’, ‘–gecos’, ‘””’, ‘–home’, ‘/customhome/USERNAME’, ‘–disabled-password’]
This will run the command:
adduser -q –gecos “” –home /customhome/river –disabled-password river
when the user ‘river’ is created.
- additional_username_claims c.LocalCILogonOAuthenticator.additional_username_claims = List()#
Removed in version 16.0: Use
allowed_idps
.
- admin_groups c.LocalCILogonOAuthenticator.admin_groups = Set()#
Allow members of selected groups to sign in and consider them as JupyterHub admins.
If this is set and a user isn’t part of one of these groups or listed in
admin_users
, a user signing in will have their admin status revoked.Requires
manage_groups
to also beTrue
.Added in version 17: Previously available only on
GenericOAuthenticator
- admin_users c.LocalCILogonOAuthenticator.admin_users = Set()#
Set of users that will be granted admin rights on this JupyterHub.
Note
As of JupyterHub 2.0, full admin rights should not be required, and more precise permissions can be managed via roles.
Caution
Adding users to
admin_users
can only grant admin rights, removing a username from the admin_users set DOES NOT remove admin rights previously granted.For an authoritative, restricted set of admins, assign explicit membership of the
admin
role:c.JupyterHub.load_roles = [ { "name": "admin", "users": ["admin1", "..."], } ]
Admin users can take every possible action on behalf of all users, for example:
Use the admin panel to see list of users logged in
Add / remove users in some authenticators
Restart / halt the hub
Start / stop users’ single-user servers
Can access each individual users’ single-user server
Admin access should be treated the same way root access is.
Defaults to an empty set, in which case no user has admin access.
- allow_all c.LocalCILogonOAuthenticator.allow_all = Bool(False)#
Allow all authenticated users to login.
Overrides all other
allow
configuration.Added in version 16.0.
- allow_existing_users c.LocalCILogonOAuthenticator.allow_existing_users = Bool(False)#
Allow existing users to login.
Enable this if you want to manage user access via the JupyterHub admin page (/hub/admin).
With this enabled, all users present in the JupyterHub database are allowed to login. This has the effect of any user who has _previously_ been allowed to login via any means will continue to be allowed until the user is deleted via the /hub/admin page or REST API.
Warning
Before enabling this you should review the existing users in the JupyterHub admin panel at
/hub/admin
. You may find users existing there because they have previously been declared in config such asallowed_users
or allowed to sign in.Warning
When this is enabled and you wish to remove access for one or more users previously allowed, you must make sure that they are removed from the jupyterhub database. This can be tricky to do if you stop allowing a group of externally managed users for example.
With this enabled, JupyterHub admin users can visit
/hub/admin
or use JupyterHub’s REST API to add and remove users to manage who can login.Added in version 16.0.
Changed in version 16.0: Before this config was available, the default behavior was to allow existing users if
allowed_users
was configured with one or more user.
- allowed_groups c.LocalCILogonOAuthenticator.allowed_groups = Set()#
Allow login from all users in these UNIX groups.
Changed in version 5.0:
allowed_groups
may be specified together with allowed_users, to grant access by group OR name.
- allowed_idps c.LocalCILogonOAuthenticator.allowed_idps = Dict()#
A dictionary of the only entity IDs that will be allowed to be used as login options. See https://cilogon.org/idplist for the list of
EntityIDs
of each IdP.It can be used to enable domain stripping, adding prefixes to the usernames and to specify an identity provider specific username claim.
For example:
c.CILogonOAuthenticator.allowed_idps = { "https://idpz.utorauth.utoronto.ca/shibboleth": { "username_derivation": { "username_claim": "email", "action": "strip_idp_domain", "domain": "utoronto.ca", }, "allow_all": True, "default": True, }, "http://google.com/accounts/o8/id": { "username_derivation": { "username_claim": "email", "action": "prefix", "prefix": "google", }, "allowed_domains": ["uni.edu", "something.org"], }, "https://github.com/login/oauth/authorize": { "username_derivation": { "username_claim": "preferred_username", "action": "prefix", "prefix": "github", }, # allow_all or allowed_domains not specified for ths idp, # this means that its users must be explicitly allowed # with a config such as allowed_users or admin_users. }, } c.Authenticator.admin_users = ["github-user1"] c.Authenticator.allowed_users = ["github-user2"]
This is a description of the configuration you can pass to
allowed_idps
.default
: bool (optional)Determines the identity provider to be pre-selected in a list for users arriving to CILogons login screen.
username_derivation
: string (required)username_claim
: string (required)The claim in the
userinfo
response from which to define the JupyterHub username. Examples include:eppn
,email
. What keys are available will depend on the scopes requested.
action
: stringWhat action to perform on the username. Available options are “strip_idp_domain”, which will strip the domain from the username if specified and “prefix”, which will prefix the hub username with “prefix:”.
domain:
string (required if action is strip_idp_domain)The domain after “@” which will be stripped from the username if it exists and if the action is “strip_idp_domain”.
prefix
: string (required if action is prefix)The prefix which will be added at the beginning of the username followed by a semi-column “:”, if the action is “prefix”.
allow_all
: bool (defaults to False)Configuring this allows all users authenticating with this identity provider.
allowed_domains
: list of stringsAllows users associated with a listed domain to sign in.
Use of wildcards
*
and a bit more is supported via Python’sfnmatch
function since version 16.2. Settingallowed_domains
to["jupyter.org", "*.jupyter.org"]
would for example allow users withjovyan@jupyter.org
orjovyan@hub.jupyter.org
usernames.The domain the user is associated with is based on the username by default in version 16, but this can be reconfigured to be based on a claim in the
userinfo
response viaallowed_domains_claim
. The domain is treated case insensitive and can either be directly specified by the claim’s value or extracted from an email string.
allowed_domains_claim
: string (optional)This configuration represents the claim in the
userinfo
response to identify a domain that could allow a user to sign in viaallowed_domains
.The claim can defaults to the username claim in version 16, but this will change to “email” in version 17.
Added in version 16.2.
Changed in version 15.0: Changed format from a list to a dictionary.
- allowed_scopes c.LocalCILogonOAuthenticator.allowed_scopes = List()#
Allow users who have been granted all these scopes to log in.
We request all the scopes listed in the ‘scope’ config, but only a subset of these may be granted by the authorization server. This may happen if the user does not have permissions to access a requested scope, or has chosen to not give consent for a particular scope. If the scopes listed in this config are not granted, the user will not be allowed to log in.
The granted scopes will be part of the access token (fetched from self.token_url). See https://datatracker.ietf.org/doc/html/rfc6749#section-3.3 for more information.
See the OAuth documentation of your OAuth provider for various options.
- allowed_users c.LocalCILogonOAuthenticator.allowed_users = Set()#
Set of usernames that should be allowed to login.
If unspecified, grants no access. You must set at least one other
allow
configuration if any users are to have permission to access the Hub.Any usernames in
admin_users
will also be allowed to login.
- any_allow_config c.LocalCILogonOAuthenticator.any_allow_config = Bool(False)#
Is there any allow config?
Used to show a warning if it looks like nobody can access the Hub, which can happen when upgrading to JupyterHub 5, now that
allow_all
defaults to False.Deployments can set this explicitly to True to suppress the “No allow config found” warning.
Will be True if any config tagged with
.tag(allow_config=True)
or starts withallow
is truthy.Added in version 5.0.
- auth_refresh_age c.LocalCILogonOAuthenticator.auth_refresh_age = Int(300)#
The max age (in seconds) of authentication info before forcing a refresh of user auth info.
Refreshing auth info allows, e.g. requesting/re-validating auth tokens.
See
refresh_user()
for what happens when user auth info is refreshed (nothing by default).
- auth_state_groups_key c.LocalCILogonOAuthenticator.auth_state_groups_key = Union()#
Determine groups this user belongs based on contents of auth_state.
Can be a string key name (use periods for nested keys), or a callable that accepts the auth state (as a dict) and returns the groups list. Callables may be async.
Requires
manage_groups
to also beTrue
.Added in version 17.0: Previously available as
GenericOAuthenticator.claim_groups_key
- authorize_url c.LocalCILogonOAuthenticator.authorize_url = Unicode('')#
The URL to where the user is to be redirected initially based on the OAuth2 protocol. The user will be redirected back with an authorization grant code after authenticating successfully with the identity provider.
For more context, see the Protocol Flow section in the OAuth2 standard document, specifically steps A-B.
- auto_login c.LocalCILogonOAuthenticator.auto_login = Bool(False)#
Automatically begin the login process
rather than starting with a “Login with…” link at
/hub/login
To work,
.login_url()
must give a URL other than the default/hub/login
, such as an oauth handler or another automatic login handler, registered with.get_handlers()
.Added in version 0.8.
- auto_login_oauth2_authorize c.LocalCILogonOAuthenticator.auto_login_oauth2_authorize = Bool(False)#
Automatically begin login process for OAuth2 authorization requests
When another application is using JupyterHub as OAuth2 provider, it sends users to
/hub/api/oauth2/authorize
. If the user isn’t logged in already, and auto_login is not set, the user will be dumped on the hub’s home page, without any context on what to do next.Setting this to true will automatically redirect users to login if they aren’t logged in only on the
/hub/api/oauth2/authorize
endpoint.Added in version 1.5.
- basic_auth c.LocalCILogonOAuthenticator.basic_auth = Bool(False)#
Whether or to use HTTP Basic authentication instead of form based authentication in requests to
token_url
.When using HTTP Basic authentication, a HTTP header is set with the
client_id
andclient_secret
encoded in it.When using form based authentication, the
client_id
andclient_secret
is put in the HTTP POST request’s body.Changed in version 16.0.0: This configuration now toggles between HTTP Basic authentication and form based authentication when working against the
token_url
.Previously when this was configured True, both would be used contrary to a recommendation in OAuth 2.0 documentation.
Changed in version 16.0.2: The default value for this configuration for GenericOAuthenticator changed from True to False.
- blocked_users c.LocalCILogonOAuthenticator.blocked_users = Set()#
Set of usernames that are not allowed to log in.
Use this with supported authenticators to restrict which users can not log in. This is an additional block list that further restricts users, beyond whatever restrictions the authenticator has in place.
If empty, does not perform any additional restriction.
Changed in version 5.2: Users blocked via
blocked_users
that may have logged in in the past have all permissions and group membership revoked and all servers stopped at JupyterHub startup. Previously, User permissions (e.g. API tokens) and servers were unaffected and required additional administrator operations to block after a user is added toblocked_users
.Changed in version 1.2:
Authenticator.blacklist
renamed toblocked_users
- cilogon_host c.LocalCILogonOAuthenticator.cilogon_host = Unicode('cilogon.org')#
Used to determine the default values for
authorize_url
,token_url
, anduserdata_url
.
- client_id c.LocalCILogonOAuthenticator.client_id = Unicode('')#
The client id of the OAuth2 application registered with the identity provider.
- client_secret c.LocalCILogonOAuthenticator.client_secret = Unicode('')#
The client secret of the OAuth2 application registered with the identity provider.
- create_system_users c.LocalCILogonOAuthenticator.create_system_users = Bool(False)#
If set to True, will attempt to create local system users if they do not exist already.
Supports Linux and BSD variants only.
- custom_403_message c.LocalCILogonOAuthenticator.custom_403_message = Unicode('Sorry, you are not currently authorized to use this hub. Please contact the hub administrator.')#
The message to be shown when user was not allowed
- delete_invalid_users c.LocalCILogonOAuthenticator.delete_invalid_users = Bool(False)#
Delete any users from the database that do not pass validation
When JupyterHub starts,
.add_user
will be called on each user in the database to verify that all users are still valid.If
delete_invalid_users
is True, any users that do not pass validation will be deleted from the database. Use this if users might be deleted from an external system, such as local user accounts.If False (default), invalid users remain in the Hub’s database and a warning will be issued. This is the default to avoid data loss due to config changes.
- enable_auth_state c.LocalCILogonOAuthenticator.enable_auth_state = Bool(False)#
Enable persisting auth_state (if available).
auth_state will be encrypted and stored in the Hub’s database. This can include things like authentication tokens, etc. to be passed to Spawners as environment variables.
Encrypting auth_state requires the cryptography package.
Additionally, the JUPYTERHUB_CRYPT_KEY environment variable must contain one (or more, separated by ;) 32B encryption keys. These can be either base64 or hex-encoded.
If encryption is unavailable, auth_state cannot be persisted.
New in JupyterHub 0.8
- enable_pkce c.LocalCILogonOAuthenticator.enable_pkce = Bool(True)#
Enable Proof Key for Code Exchange (PKCE) for the OAuth2 authorization code flow. For more information, see RFC 7636.
PKCE can be used even if the authorization server does not support it. According to section 3.1 of RFC 6749:
The authorization server MUST ignore unrecognized request parameters.
Additionally, section 5 of RFC 7636 states:
As the OAuth 2.0 [RFC6749] server responses are unchanged by this specification, client implementations of this specification do not need to know if the server has implemented this specification or not and SHOULD send the additional parameters as defined in Section 4 to all servers.
Note that S256 is the only code challenge method supported. As per section 4.2 of RFC 6749:
If the client is capable of using “S256”, it MUST use “S256”, as “S256” is Mandatory To Implement (MTI) on the server.
- extra_authorize_params c.LocalCILogonOAuthenticator.extra_authorize_params = Dict()#
Extra GET params to send along with the initial OAuth request to the OAuth provider.
- group_whitelist c.LocalCILogonOAuthenticator.group_whitelist = Set()#
DEPRECATED: use allowed_groups
- http_request_kwargs c.LocalCILogonOAuthenticator.http_request_kwargs = Dict()#
Extra default kwargs passed to all HTTPRequests.
# Example: send requests through a proxy c.OAuthenticator.http_request_kwargs = { "proxy_host": "proxy.example.com", "proxy_port": 8080, } # Example: validate against certain root certificates c.OAuthenticator.http_request_kwargs = { "ca_certs": "/path/to/a.crt", }
See
tornado.httpclient.HTTPRequest
for all kwargs options you can pass. Note that the HTTP client making these requests istornado.httpclient.AsyncHTTPClient
.
- idp c.LocalCILogonOAuthenticator.idp = Unicode('')#
Removed in version 15.0: Use
allowed_idps
.
- idp_whitelist c.LocalCILogonOAuthenticator.idp_whitelist = List()#
Removed in version 0.12: Use
allowed_idps
.
- login_service c.LocalCILogonOAuthenticator.login_service = Unicode('OAuth 2.0')#
Name of the login service or identity provider that this authenticator is using to authenticate users.
This config influences the text on a button shown to unauthenticated users before they click it to login, assuming
auto_login
isn’t configured True.The login button’s text will be “Login with <login_service>”.
- logout_redirect_url c.LocalCILogonOAuthenticator.logout_redirect_url = Unicode('')#
When configured, users are not presented with the JupyterHub logout page, but instead redirected to this destination.
- manage_groups c.LocalCILogonOAuthenticator.manage_groups = Bool(False)#
Let authenticator manage user groups
If True, Authenticator.authenticate and/or .refresh_user may return a list of group names in the ‘groups’ field, which will be assigned to the user.
All group-assignment APIs are disabled if this is True.
- manage_roles c.LocalCILogonOAuthenticator.manage_roles = Bool(False)#
Let authenticator manage roles
If True, Authenticator.authenticate and/or .refresh_user may return a list of roles in the ‘roles’ field, which will be added to the database.
When enabled, all role management will be handled by the authenticator; in particular, assignment of roles via
JupyterHub.load_roles
traitlet will not be possible.Added in version 5.0.
- modify_auth_state_hook c.LocalCILogonOAuthenticator.modify_auth_state_hook = Callable(None)#
Callable to modify
auth_state
Will be called with the Authenticator instance and the existing auth_state dictionary and must return the new auth_state dictionary:
auth_state = [await] modify_auth_state_hook(authenticator, auth_state)
This hook is called before populating group membership, so can be used to make additional requests to populate additional fields which may then be consumed by
auth_state_groups_key
to populate groups.This hook may be async.
- oauth_callback_url c.LocalCILogonOAuthenticator.oauth_callback_url = Unicode('')#
Callback URL to use.
When registering an OAuth2 application with an identity provider, this is typically called the redirect url.
Should very likely be set to
https://[your-domain]/hub/oauth_callback
.
- otp_prompt c.LocalCILogonOAuthenticator.otp_prompt = Any('OTP:')#
The prompt string for the extra OTP (One Time Password) field.
Added in version 5.0.
- post_auth_hook c.LocalCILogonOAuthenticator.post_auth_hook = Any(None)#
An optional hook function that you can implement to do some bootstrapping work during authentication. For example, loading user account details from an external system.
This function is called after the user has passed all authentication checks and is ready to successfully authenticate. This function must return the auth_model dict reguardless of changes to it. The hook is called with 3 positional arguments:
(authenticator, handler, auth_model)
.This may be a coroutine.
Example:
import os import pwd def my_hook(authenticator, handler, auth_model): user_data = pwd.getpwnam(auth_model['name']) spawn_data = { 'pw_data': user_data 'gid_list': os.getgrouplist(auth_model['name'], user_data.pw_gid) } if auth_model['auth_state'] is None: auth_model['auth_state'] = {} auth_model['auth_state']['spawn_data'] = spawn_data return auth_model c.Authenticator.post_auth_hook = my_hook
- refresh_pre_spawn c.LocalCILogonOAuthenticator.refresh_pre_spawn = Bool(False)#
Force refresh of auth prior to spawn.
This forces
refresh_user()
to be called prior to launching a server, to ensure that auth state is up-to-date.This can be important when e.g. auth tokens that may have expired are passed to the spawner via environment variables from auth_state.
If refresh_user cannot refresh the user auth data, launch will fail until the user logs in again.
- request_otp c.LocalCILogonOAuthenticator.request_otp = Bool(False)#
Prompt for OTP (One Time Password) in the login form.
Added in version 5.0.
- reset_managed_roles_on_startup c.LocalCILogonOAuthenticator.reset_managed_roles_on_startup = Bool(False)#
Reset managed roles to result of
load_managed_roles()
on startup.- If True:
stale managed roles will be removed,
stale assignments to managed roles will be removed.
Any role not present in
load_managed_roles()
will be considered ‘stale’.The ‘stale’ status for role assignments is also determined from
load_managed_roles()
result:user role assignments status will depend on whether the
users
key is defined or not:if a list is defined under the
users
key and the user is not listed, then the user role assignment will be considered ‘stale’,if the
users
key is not provided, the user role assignment will be preserved;
service and group role assignments will be considered ‘stale’:
if not included in the
services
andgroups
list,if the
services
andgroups
keys are not provided.
Added in version 5.0.
- scope c.LocalCILogonOAuthenticator.scope = List()#
OAuth scopes to request.
openid
andorg.cilogon.userinfo
is required.Read more about CILogon scopes in https://www.cilogon.org/oidc.
- shown_idps c.LocalCILogonOAuthenticator.shown_idps = List()#
Removed in version 16.0: Use
allowed_idps
.
- skin c.LocalCILogonOAuthenticator.skin = Unicode('')#
The
skin
attribute is the name of the custom CILogon interface skin for your application.Contact help@cilogon.org to request a custom skin.
- strip_idp_domain c.LocalCILogonOAuthenticator.strip_idp_domain = Bool(False)#
Removed in version 15.0: Use
allowed_idps
.
- token_params c.LocalCILogonOAuthenticator.token_params = Dict()#
Extra parameters for first POST request exchanging the OAuth code for an Access Token
- token_url c.LocalCILogonOAuthenticator.token_url = Unicode('')#
The URL to where this authenticator makes a request to acquire an access token based on the authorization code received by the user returning from the
authorize_url
.For more context, see the Protocol Flow section in the OAuth2 standard document, specifically steps C-D.
- uids c.LocalCILogonOAuthenticator.uids = Dict()#
Dictionary of uids to use at user creation time. This helps ensure that users created from the database get the same uid each time they are created in temporary deployments or containers.
- userdata_from_id_token c.LocalCILogonOAuthenticator.userdata_from_id_token = Bool(False)#
Extract user details from an id token received via a request to
token_url
, rather than making a follow-up request to the userinfo endpointuserdata_url
.Should only be used if
token_url
uses HTTPS, to ensure token authenticity.For more context, see Authentication using the Authorization Code Flow in the OIDC Core standard document.
- userdata_params c.LocalCILogonOAuthenticator.userdata_params = Dict()#
Userdata params to get user data login information.
- userdata_token_method c.LocalCILogonOAuthenticator.userdata_token_method = Unicode('header')#
Method for sending access token in userdata request.
Supported methods: header, url.
- userdata_url c.LocalCILogonOAuthenticator.userdata_url = Unicode('')#
The URL to where this authenticator makes a request to acquire user details with an access token received via a request to the
token_url
.For more context, see the Protocol Flow section in the OAuth2 standard document, specifically steps E-F.
Incompatible with
userdata_from_id_token
.
- username_claim c.LocalCILogonOAuthenticator.username_claim = Unicode('')#
Removed in version 16.0: Use
allowed_idps
.
- username_map c.LocalCILogonOAuthenticator.username_map = Dict()#
Dictionary mapping authenticator usernames to JupyterHub users.
Primarily used to normalize OAuth user names to local users.
- username_pattern c.LocalCILogonOAuthenticator.username_pattern = Unicode('')#
Regular expression pattern that all valid usernames must match.
If a username does not match the pattern specified here, authentication will not be attempted.
If not set, allow any username.
- validate_server_cert c.LocalCILogonOAuthenticator.validate_server_cert = Bool(False)#
Determines if certificates are validated.
Only set this to False if you feel confident it will not be a security concern.
- whitelist c.LocalCILogonOAuthenticator.whitelist = Set()#
Deprecated, use
Authenticator.allowed_users