Configurable post_logout_url in the Authenticator base class

[consideRatio]

Proposed change

To expose configuration of the Authenticator base class on where to redirect users that click on the Logout button and successfully logs out.

I open this issue as I'm closing this feature request in z2jh: jupyterhub/zero-to-jupyterhub-k8s#1475

Alternative options

To override the authenticator class wanted, and overriding the logout_url function.

Who would use this feature?

I'm not sure, but I can see it be relevant.

(Optional): Suggest a solution

To expose a traitlet with some name, which is made use of in the Authenticator base class default implementation of the logout_url function. The name would preferable have logout_url I think, but as the function is named that instead of for example get_logout_url we must use another name I think.

[minrk]

I'm not sure it makes sense to customize the logout url itself via configuration. The primary effect of this, I would expect, is not actually logging the user out when visiting logout links on pages. Satisfying the request in jupyterhub/zero-to-jupyterhub-k8s#1475 certainly would have the effect that the user is not logged out from JupyterHub if they visit an external page instead of logging out. They might be logged out of something else, but not JupyterHub itself.

logout_url as a method is overrideable instead because it only makes sense if used in combination with a custom Authenticator subclass that defines a new handler, which in turn specifies a new URL that needs to be returned by get_logout_url. The logout URL also must be a local /hub/ url path, not an external site, if it's going to do its job of clearing cookies and the like. Subclassing is the right level to define this kind of customization of behavior, I think.

However, I think what might be requested is instead a post-logout redirect, that is a place to go after logging out, not instead of logging out.

Here would be an example that might get closer to what the linked issue is after:

from traitlets import Unicode

from jupyterhab.handlers.base import LogoutHandler
from jupyterhub.auth import Authenticator
from jupyterhub.utils import url_path_join

# custom logout handler that redirects to another page after finishing the default logout process

class CustomLogoutHandler(LogoutHandler):
    async def render_logout_page(self):
        # redirect to our post_logout_url instead of serving the "you have been logged out" page
        if self.authenticator.post_logout_url:
            self.redirect(self.authenticator.post_logout_url)
        else:
            await super().render_logout_page()

# configure our custom authenticator to
# 1. serve the custom handler
# 2. tell jupyterhub to use it
# 3. define the post-logout configuration value understood by our custom handler

class MyAuthenticator(Authenticator):
    post_logout_url = Unicode(help="URL to redirect to after logging out from jupyterhub").tag(config=True)
    def logout_url(self, base_url):
        # on logout, use our custom logout handler instead of default
        return url_path_join(base_url, "customlogout")
    def get_handlers(self):
        # tell the application to serve our custom logout handler
        return super().get_handlers() + [("/customlogout", CustomLogoutHandler)]


# now we can set
c.MyAuthenticator.post_logout_url = "https://my.site/bye"

If that's the case, then I think we can consider this a feature request to add something like this c.Authenticator.post_logout_url configurable on the base class.

How does that sound?

[consideRatio]

@minrk that sounds excellent, thank you for the thorough write up!

[jeff-loislab]

I landed here looking for this same functionality today; I'm very excited to see this getting consideration.

[z3ky]

Would love to have this feature to trigger the logout from keycloak after jupyterhub logout