Custom Authenticator to use Globus OAuth2 with JupyterHub
oauthenticator.globus.
GlobusOAuthenticator
The Globus OAuthenticator handles both authorization and passing transfer tokens to the spawner.
admin_users
Set of users that will have admin rights on this JupyterHub.
Admin access should be treated the same way root access is.
Defaults to an empty set, in which case no user has admin access.
allow_refresh_tokens
Allow users to have Refresh Tokens. If Refresh Tokens are not allowed, users must use regular Access Tokens which will expire after a set time. Set to False for increased security, True for increased convenience.
auth_refresh_age
The max age (in seconds) of authentication info before forcing a refresh of user auth info.
Refreshing auth info allows, e.g. requesting/re-validating auth tokens.
See refresh_user() for what happens when user auth info is refreshed (nothing by default).
refresh_user()
auto_login
Automatically begin the login process
rather than starting with a “Login with…” link at /hub/login
To work, .login_url() must give a URL other than the default /hub/login, such as an oauth handler or another automatic login handler, registered with .get_handlers().
New in version 0.8.
blacklist
Blacklist of usernames that are not allowed to log in.
Use this with supported authenticators to restrict which users can not log in. This is an additional blacklist that further restricts users, beyond whatever restrictions the authenticator has in place.
If empty, does not perform any additional restriction.
enable_auth_state
Enable persisting auth_state (if available).
auth_state will be encrypted and stored in the Hub’s database. This can include things like authentication tokens, etc. to be passed to Spawners as environment variables.
Encrypting auth_state requires the cryptography package.
Additionally, the JUPYTERHUB_CRYPT_KEY environment variable must contain one (or more, separated by ;) 32B encryption keys. These can be either base64 or hex-encoded.
If encryption is unavailable, auth_state cannot be persisted.
New in JupyterHub 0.8
exclude_tokens
Exclude tokens from being passed into user environments when they start notebooks, Terminals, etc.
globus_local_endpoint
If Jupyterhub is also a Globus endpoint, its endpoint id can be specified here.
identity_provider
Restrict which institution a user can use to login (GlobusID, University of Hogwarts, etc.). This should be set in the app at developers.globus.org, but this acts as an additional check to prevent unnecessary account creation.
logout_redirect_url
URL for logging out.
oauth_callback_url
Callback URL to use. Typically https://{host}/hub/oauth_callback
post_auth_hook
An optional hook function that you can implement to do some bootstrapping work during authentication. For example, loading user account details from an external system.
This function is called after the user has passed all authentication checks and is ready to successfully authenticate. This function must return the authentication dict reguardless of changes to it.
This maybe a coroutine.
Example:
import os, pwd def my_hook(authenticator, handler, authentication): user_data = pwd.getpwnam(authentication['name']) spawn_data = { 'pw_data': user_data 'gid_list': os.getgrouplist(authentication['name'], user_data.pw_gid) } if authentication['auth_state'] is None: authentication['auth_state'] = {} authentication['auth_state']['spawn_data'] = spawn_data return authentication c.Authenticator.post_auth_hook = my_hook
refresh_pre_spawn
Force refresh of auth prior to spawn.
This forces refresh_user() to be called prior to launching a server, to ensure that auth state is up-to-date.
This can be important when e.g. auth tokens that may have expired are passed to the spawner via environment variables from auth_state.
If refresh_user cannot refresh the user auth data, launch will fail until the user logs in again.
revoke_tokens_on_logout
Revoke tokens so they cannot be used again. Single-user servers MUST be restarted after logout in order to get a fresh working set of tokens.
scope
The OAuth scopes to request. See the OAuth documentation of your OAuth provider for options. For GitHub in particular, you can see github_scopes.md in this repo.
username_map
Dictionary mapping authenticator usernames to JupyterHub users.
Primarily used to normalize OAuth user names to local users.
username_pattern
Regular expression pattern that all valid usernames must match.
If a username does not match the pattern specified here, authentication will not be attempted.
If not set, allow any username.
whitelist
Whitelist of usernames that are allowed to log in.
Use this with supported authenticators to restrict which users can log in. This is an additional whitelist that further restricts users, beyond whatever restrictions the authenticator has in place.
LocalGlobusOAuthenticator
A version that mixes in local system user creation
add_user_cmd
The command to use for creating users as a list of strings
For each element in the list, the string USERNAME will be replaced with the user’s username. The username will also be appended as the final argument.
For Linux, the default value is:
[‘adduser’, ‘-q’, ‘–gecos’, ‘”“’, ‘–disabled-password’]
To specify a custom home directory, set this to:
[‘adduser’, ‘-q’, ‘–gecos’, ‘”“’, ‘–home’, ‘/customhome/USERNAME’, ‘–disabled-password’]
This will run the command:
adduser -q –gecos “” –home /customhome/river –disabled-password river
when the user ‘river’ is created.
create_system_users
If set to True, will attempt to create local system users if they do not exist already.
Supports Linux and BSD variants only.
group_whitelist
Whitelist all users from this UNIX group.
This makes the username whitelist ineffective.