oauthenticator.cilogon

CILogon OAuthAuthenticator for JupyterHub

Uses OAuth 2.0 with cilogon.org (override with CILOGON_HOST)

Caveats:

  • For user whitelist/admin purposes, username will be the ePPN by default. This is typically an email address and may not work as a Unix userid. Normalization may be required to turn the JupyterHub username into a Unix username.
  • Default username_claim of ePPN does not work for all providers, e.g. generic OAuth such as Google. Use c.CILogonOAuthenticator.username_claim = ‘email’ to use email instead of ePPN as the JupyterHub username.
class oauthenticator.cilogon.CILogonOAuthenticator(**kwargs)
additional_username_claims c.CILogonOAuthenticator.additional_username_claims = List()

Additional claims to check if the username_claim fails.

This is useful for linked identities where not all of them return the primary username_claim.

admin_users c.CILogonOAuthenticator.admin_users = Set()

Set of users that will have admin rights on this JupyterHub.

Admin users have extra privileges:
  • Use the admin panel to see list of users logged in
  • Add / remove users in some authenticators
  • Restart / halt the hub
  • Start / stop users’ single-user servers
  • Can access each individual users’ single-user server (if configured)

Admin access should be treated the same way root access is.

Defaults to an empty set, in which case no user has admin access.

auth_refresh_age c.CILogonOAuthenticator.auth_refresh_age = Int(300)

The max age (in seconds) of authentication info before forcing a refresh of user auth info.

Refreshing auth info allows, e.g. requesting/re-validating auth tokens.

See refresh_user() for what happens when user auth info is refreshed (nothing by default).

auto_login c.CILogonOAuthenticator.auto_login = Bool(False)

Automatically begin the login process

rather than starting with a “Login with…” link at /hub/login

To work, .login_url() must give a URL other than the default /hub/login, such as an oauth handler or another automatic login handler, registered with .get_handlers().

New in version 0.8.

blacklist c.CILogonOAuthenticator.blacklist = Set()

Blacklist of usernames that are not allowed to log in.

Use this with supported authenticators to restrict which users can not log in. This is an additional blacklist that further restricts users, beyond whatever restrictions the authenticator has in place.

If empty, does not perform any additional restriction.

enable_auth_state c.CILogonOAuthenticator.enable_auth_state = Bool(False)

Enable persisting auth_state (if available).

auth_state will be encrypted and stored in the Hub’s database. This can include things like authentication tokens, etc. to be passed to Spawners as environment variables.

Encrypting auth_state requires the cryptography package.

Additionally, the JUPYTERHUB_CRYPT_KEY environment variable must contain one (or more, separated by ;) 32B encryption keys. These can be either base64 or hex-encoded.

If encryption is unavailable, auth_state cannot be persisted.

New in JupyterHub 0.8

idp c.CILogonOAuthenticator.idp = Unicode('')

The idp attribute is the SAML Entity ID of the user’s selected identity provider.

See https://cilogon.org/include/idplist.xml for the list of identity providers supported by CILogon.

idp_whitelist c.CILogonOAuthenticator.idp_whitelist = List()

A list of IDP which can be stripped from the username after the @ sign.

oauth_callback_url c.CILogonOAuthenticator.oauth_callback_url = Unicode('')

Callback URL to use. Typically https://{host}/hub/oauth_callback

post_auth_hook c.CILogonOAuthenticator.post_auth_hook = Any(None)

An optional hook function that you can implement to do some bootstrapping work during authentication. For example, loading user account details from an external system.

This function is called after the user has passed all authentication checks and is ready to successfully authenticate. This function must return the authentication dict reguardless of changes to it.

This maybe a coroutine.

Example:

import os, pwd
def my_hook(authenticator, handler, authentication):
    user_data = pwd.getpwnam(authentication['name'])
    spawn_data = {
        'pw_data': user_data
        'gid_list': os.getgrouplist(authentication['name'], user_data.pw_gid)
    }

    if authentication['auth_state'] is None:
        authentication['auth_state'] = {}
    authentication['auth_state']['spawn_data'] = spawn_data

    return authentication

c.Authenticator.post_auth_hook = my_hook
refresh_pre_spawn c.CILogonOAuthenticator.refresh_pre_spawn = Bool(False)

Force refresh of auth prior to spawn.

This forces refresh_user() to be called prior to launching a server, to ensure that auth state is up-to-date.

This can be important when e.g. auth tokens that may have expired are passed to the spawner via environment variables from auth_state.

If refresh_user cannot refresh the user auth data, launch will fail until the user logs in again.

scope c.CILogonOAuthenticator.scope = List()

The OAuth scopes to request.

See cilogon_scope.md for details. At least ‘openid’ is required.

skin c.CILogonOAuthenticator.skin = Unicode('')

The skin attribute is the name of the custom CILogon interface skin for your application.

Contact help@cilogon.org to request a custom skin.

strip_idp_domain c.CILogonOAuthenticator.strip_idp_domain = Bool(False)

Remove the IDP domain from the username. Note that only domains which appear in the idp_whitelist will be stripped.

username_claim c.CILogonOAuthenticator.username_claim = Unicode('eppn')

The claim in the userinfo response from which to get the JupyterHub username

Examples include: eppn, email

What keys are available will depend on the scopes requested.

See http://www.cilogon.org/oidc for details.

username_map c.CILogonOAuthenticator.username_map = Dict()

Dictionary mapping authenticator usernames to JupyterHub users.

Primarily used to normalize OAuth user names to local users.

username_pattern c.CILogonOAuthenticator.username_pattern = Unicode('')

Regular expression pattern that all valid usernames must match.

If a username does not match the pattern specified here, authentication will not be attempted.

If not set, allow any username.

whitelist c.CILogonOAuthenticator.whitelist = Set()

Whitelist of usernames that are allowed to log in.

Use this with supported authenticators to restrict which users can log in. This is an additional whitelist that further restricts users, beyond whatever restrictions the authenticator has in place.

If empty, does not perform any additional restriction.

class oauthenticator.cilogon.LocalCILogonOAuthenticator(**kwargs)

A version that mixes in local system user creation

add_user_cmd c.LocalCILogonOAuthenticator.add_user_cmd = Command()

The command to use for creating users as a list of strings

For each element in the list, the string USERNAME will be replaced with the user’s username. The username will also be appended as the final argument.

For Linux, the default value is:

[‘adduser’, ‘-q’, ‘–gecos’, ‘”“’, ‘–disabled-password’]

To specify a custom home directory, set this to:

[‘adduser’, ‘-q’, ‘–gecos’, ‘”“’, ‘–home’, ‘/customhome/USERNAME’, ‘–disabled-password’]

This will run the command:

adduser -q –gecos “” –home /customhome/river –disabled-password river

when the user ‘river’ is created.

additional_username_claims c.LocalCILogonOAuthenticator.additional_username_claims = List()

Additional claims to check if the username_claim fails.

This is useful for linked identities where not all of them return the primary username_claim.

admin_users c.LocalCILogonOAuthenticator.admin_users = Set()

Set of users that will have admin rights on this JupyterHub.

Admin users have extra privileges:
  • Use the admin panel to see list of users logged in
  • Add / remove users in some authenticators
  • Restart / halt the hub
  • Start / stop users’ single-user servers
  • Can access each individual users’ single-user server (if configured)

Admin access should be treated the same way root access is.

Defaults to an empty set, in which case no user has admin access.

auth_refresh_age c.LocalCILogonOAuthenticator.auth_refresh_age = Int(300)

The max age (in seconds) of authentication info before forcing a refresh of user auth info.

Refreshing auth info allows, e.g. requesting/re-validating auth tokens.

See refresh_user() for what happens when user auth info is refreshed (nothing by default).

auto_login c.LocalCILogonOAuthenticator.auto_login = Bool(False)

Automatically begin the login process

rather than starting with a “Login with…” link at /hub/login

To work, .login_url() must give a URL other than the default /hub/login, such as an oauth handler or another automatic login handler, registered with .get_handlers().

New in version 0.8.

blacklist c.LocalCILogonOAuthenticator.blacklist = Set()

Blacklist of usernames that are not allowed to log in.

Use this with supported authenticators to restrict which users can not log in. This is an additional blacklist that further restricts users, beyond whatever restrictions the authenticator has in place.

If empty, does not perform any additional restriction.

create_system_users c.LocalCILogonOAuthenticator.create_system_users = Bool(False)

If set to True, will attempt to create local system users if they do not exist already.

Supports Linux and BSD variants only.

enable_auth_state c.LocalCILogonOAuthenticator.enable_auth_state = Bool(False)

Enable persisting auth_state (if available).

auth_state will be encrypted and stored in the Hub’s database. This can include things like authentication tokens, etc. to be passed to Spawners as environment variables.

Encrypting auth_state requires the cryptography package.

Additionally, the JUPYTERHUB_CRYPT_KEY environment variable must contain one (or more, separated by ;) 32B encryption keys. These can be either base64 or hex-encoded.

If encryption is unavailable, auth_state cannot be persisted.

New in JupyterHub 0.8

group_whitelist c.LocalCILogonOAuthenticator.group_whitelist = Set()

Whitelist all users from this UNIX group.

This makes the username whitelist ineffective.

idp c.LocalCILogonOAuthenticator.idp = Unicode('')

The idp attribute is the SAML Entity ID of the user’s selected identity provider.

See https://cilogon.org/include/idplist.xml for the list of identity providers supported by CILogon.

idp_whitelist c.LocalCILogonOAuthenticator.idp_whitelist = List()

A list of IDP which can be stripped from the username after the @ sign.

oauth_callback_url c.LocalCILogonOAuthenticator.oauth_callback_url = Unicode('')

Callback URL to use. Typically https://{host}/hub/oauth_callback

post_auth_hook c.LocalCILogonOAuthenticator.post_auth_hook = Any(None)

An optional hook function that you can implement to do some bootstrapping work during authentication. For example, loading user account details from an external system.

This function is called after the user has passed all authentication checks and is ready to successfully authenticate. This function must return the authentication dict reguardless of changes to it.

This maybe a coroutine.

Example:

import os, pwd
def my_hook(authenticator, handler, authentication):
    user_data = pwd.getpwnam(authentication['name'])
    spawn_data = {
        'pw_data': user_data
        'gid_list': os.getgrouplist(authentication['name'], user_data.pw_gid)
    }

    if authentication['auth_state'] is None:
        authentication['auth_state'] = {}
    authentication['auth_state']['spawn_data'] = spawn_data

    return authentication

c.Authenticator.post_auth_hook = my_hook
refresh_pre_spawn c.LocalCILogonOAuthenticator.refresh_pre_spawn = Bool(False)

Force refresh of auth prior to spawn.

This forces refresh_user() to be called prior to launching a server, to ensure that auth state is up-to-date.

This can be important when e.g. auth tokens that may have expired are passed to the spawner via environment variables from auth_state.

If refresh_user cannot refresh the user auth data, launch will fail until the user logs in again.

scope c.LocalCILogonOAuthenticator.scope = List()

The OAuth scopes to request.

See cilogon_scope.md for details. At least ‘openid’ is required.

skin c.LocalCILogonOAuthenticator.skin = Unicode('')

The skin attribute is the name of the custom CILogon interface skin for your application.

Contact help@cilogon.org to request a custom skin.

strip_idp_domain c.LocalCILogonOAuthenticator.strip_idp_domain = Bool(False)

Remove the IDP domain from the username. Note that only domains which appear in the idp_whitelist will be stripped.

username_claim c.LocalCILogonOAuthenticator.username_claim = Unicode('eppn')

The claim in the userinfo response from which to get the JupyterHub username

Examples include: eppn, email

What keys are available will depend on the scopes requested.

See http://www.cilogon.org/oidc for details.

username_map c.LocalCILogonOAuthenticator.username_map = Dict()

Dictionary mapping authenticator usernames to JupyterHub users.

Primarily used to normalize OAuth user names to local users.

username_pattern c.LocalCILogonOAuthenticator.username_pattern = Unicode('')

Regular expression pattern that all valid usernames must match.

If a username does not match the pattern specified here, authentication will not be attempted.

If not set, allow any username.

whitelist c.LocalCILogonOAuthenticator.whitelist = Set()

Whitelist of usernames that are allowed to log in.

Use this with supported authenticators to restrict which users can log in. This is an additional whitelist that further restricts users, beyond whatever restrictions the authenticator has in place.

If empty, does not perform any additional restriction.

oauthenticator.bitbucket oauthenticator.generic