Can we initialise oauth_client when initialising JupyterLab, to support the case where a Jupyter API is called when the server is not yet spawned? #4786

Closed
linlol opened this issue Apr 15, 2024 · 3 comments

Comments


linlol commented Apr 15, 2024

Hi team, I use JupyterHub in k8s with our internal OAuth.

In my case, I developed a GET API (denoted as /base_url/sample) protected via @tornado.web.authenticate, which is supposed to be called directly from the browser.

The behaviour is tricky if the JupyterLab pod isn't spawned yet. It goes like this:

  1. The Hub notices that the server/pod is not yet spawned, and thus redirects the user to the Hub's home page /${prefix}/hub/home
  2. The user selects the correct profile to spawn the server
  3. After the spawn, the user is redirected to /base_url/sample with a 403 error. The reason is that the user is redirected but /oauth_callback is not yet requested, so the user's oauth_client_id is not yet set in the cookie

Are there any workarounds to avoid this behaviour with proper protection?


welcome bot commented Apr 15, 2024

Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! 🤗

If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other community members to contribute more effectively.
You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! 👋

Welcome to the Jupyter community! 🎉

Member

minrk commented May 3, 2024

Can you share the actual 403 error and more of how the service is set up? If a page is decorated with @web.authenticated, it will redirect through OAuth by default instead of stopping at 403. At least if it's using JupyterHub's HubOAuthenticated mixin.
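
An added example, not part of the thread or of JupyterHub's code: plain Tornado showing the behaviour of `@tornado.web.authenticated` that the comment above refers to, where an unauthenticated GET is redirected to the login URL and only other methods stop at 403. The handler, the `demo-session` cookie and the `/hub/login` login URL are constructed stand-ins; with JupyterHub, the `HubOAuthenticated` mixin supplies the real user lookup and login URL.

```python
import asyncio
import tornado.web
from tornado.httpclient import AsyncHTTPClient
from tornado.httpserver import HTTPServer
from tornado.testing import bind_unused_port


class SampleHandler(tornado.web.RequestHandler):
    """Constructed stand-in for the /base_url/sample API from the issue."""

    def get_current_user(self):
        # Assumption: any value in a "demo-session" cookie counts as logged in.
        # A Hub-aware handler would validate the user's OAuth token instead.
        return self.get_cookie("demo-session")

    @tornado.web.authenticated
    def get(self):
        self.write("ok")

    @tornado.web.authenticated
    def post(self):
        self.write("ok")


async def probe(method, cookie=None):
    """Send one request to a throwaway loopback server; return (status, Location)."""
    app = tornado.web.Application(
        [(r"/base_url/sample", SampleHandler)],
        login_url="/hub/login",  # placeholder for the OAuth login URL
    )
    sock, port = bind_unused_port()  # binds 127.0.0.1 only
    server = HTTPServer(app)
    server.add_sockets([sock])
    try:
        resp = await AsyncHTTPClient().fetch(
            f"http://127.0.0.1:{port}/base_url/sample",
            method=method,
            body=b"" if method == "POST" else None,
            headers={"Cookie": cookie} if cookie else {},
            follow_redirects=False,  # keep the raw first response
            raise_error=False,
        )
        return resp.code, resp.headers.get("Location")
    finally:
        server.stop()
        await server.close_all_connections()


def check(method, cookie=None):
    return asyncio.run(probe(method, cookie))
```

A 403 on a browser GET therefore points at something other than the decorator's default path, which is why the actual error response and the service setup are the useful things to capture.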

Author

linlol commented May 16, 2024

@minrk thanks for sharing that and sorry for the late response...

Yes, I will have a further look at customisation on our end; let's close it for now.

linlol closed this as not planned May 16, 2024