Support Authentication for BinderHub

[yuvipanda]

Since binderhub is already a JupyterHub service, we should be able to support authentication there without too much trouble (I think?). This should be great for private installs, and allow us to leverage all the JupyterHub authenticators. It'd also remove our strict requirement on NullAuthenticator in the hub.

Authentication should be optional though, so we can still run fully open binders, and API users of these don't have to go through a fake auth scheme.

What are the missing pieces, @minrk?

[betatim]

The auth would have to happen before the user can click build so we need a handler in binderhub right? This handler would then talk to the jupyterhub auth system. Does the jhub API let me get things that are in the auth_state? I'm thinking GitHub tokens that then allow repo2docker to clone a private repo. Or using e.g. the openhumans OAuth to auth users and then inject tokens into the running pod so they can access private APIs for data.

[yuvipanda]

http://jupyterhub.readthedocs.io/en/latest/api/services.auth.html is the docs on this I believe.

The OpenHumans use case should already be doable once we have auth, since it's just injecting stuff into the running container (which we can already do in JupyterHub). Am unsure about auth_state availability in the API though.

[minrk]

I'll have to do a little checking for how to run a Hub-authenticated service outside the Hub. I think right now, they are confined to services run at hub.url/services/:name, but this is mostly artificial, so we can think carefully about what we want to allow.

One question: is this an authenticated Binder, totally dedicated to binder applications, or is it Binder as an additional functionality on top of a regular Hub deployment? I think coexisting would be challenging.

The main things that will need work are:

1. make sure hub-authenticated services can run on other domains/urls (this requires changes to JupyterHub), or run binderhub at hub.url/services/binder
2. the launch sequence will need to change from creating temporary users to creating named servers for real, existing users (retrieved from the authenticated launch request)
3. switch culling to servers-only, not users
4. switch launch, ideally, to jupyterhub-singleuser instead of jupyter-notebook, but this isn't strictly necessary.

[betatim]

(Can we use bhub and jhub instead of hub and hub? Not always but often I get lost in which hub we are talking about :) )

[yuvipanda]

My hope is that we can merge binderhub helm chart into z2jh at some point, completely eliminating the 'do I need a binderhub or jupyterhub?' confusion.

[jhamman]

Can this be closed based on #666? Is there some additional documentation coming on how to use binderhub authentication?

[betatim]

Additional documentation from the experience of deploying it would be great. Maybe when you use this on the pangeo binder you can take notes while setting it up and contribute those as docs.

[manics]

Looks like the docs were updated at some point: https://binderhub.readthedocs.io/en/latest/authentication.html
Close this now?