For detailed changes from the prior release, click on the version number, and
its link will bring up a GitHub listing of changes. Use git log
on the
command line for details.
16.0.7 - 2023-08-21
- [Google] admin_users should like before v16 list final usernames #673 (@consideRatio, @jinserk, @GeorgianaElena)
The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.
(GitHub contributors page for this release)
@consideRatio (activity) | @jinserk (activity) | @GeorgianaElena (activity)
16.0.6 - 2023-08-17
16.0.6 is a bugfix release, fixing a crash on startup when combining enable_auth_state with Google, Globus, or Bitbucket. The group membership fields are lists, which were switched to sets in 16.0, but that is not allowed by JupyterHub's JSON serialization of auth_state.
- [Google, Globus, Bitbucket] Ensure auth_state is JSON serializable (lists are, not sets) #668 (@consideRatio, @minrk)
- GitHub/GitLab typo #669 (@tico24, @consideRatio)
The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.
(GitHub contributors page for this release)
@consideRatio (activity) | @minrk (activity) | @tico24 (activity)
16.0.5 - 2023-08-15
- [Google, Globus] handle auth_model is None in google, globus #665 (@minrk, @consideRatio)
The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.
(GitHub contributors page for this release)
@consideRatio (activity) | @minrk (activity)
16.0.4 - 2023-08-11
- [Google] Fix regression in v16 of no longer stripping username's domain if
hosted_domain
has a single entry #661 (@consideratio, @minrk, @taylorgibson)
- Add ORCID iD example configuration #657 (@matthewwiese, @manics)
- Fix typo in authenticator class for google #653 (@stes, @consideRatio)
The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.
(GitHub contributors page for this release)
@consideRatio (activity) | @manics (activity) | @matthewwiese (activity) | @minrk (activity) | @NickolausDS (activity) | @stes (activity) | @taylorgibson (activity)
16.0.3 - 2023-07-08
- docs: update v16 changelog to capture missed change about allow_all #651 (@consideRatio)
16.0.2 - 2023-07-06
- [Generic] breaking fix: change basic_auth default to False #648 (@consideRatio)
- [Generic] Deprecate tls_verify in favor of validate_server_cert #647 (@consideRatio)
16.0.1 - 2023-07-05
- Ensure login_service remain configurable #644 (@consideRatio)
- docs: fix redirection config typo for getting-started #642 (@consideRatio)
16.0.0 - 2023-07-05
The project has been refactored greatly to make it easier to use, understand, and maintain its code and documentation. This release has several breaking changes and deprecations you should read through before upgrading.
This changelog entry has been updated to capture previously undocumented changes
and new changes in 16.0.2, please upgrade directly to 16.0.2 or higher.
- Support for Python 3.7 has been dropped, Python 3.8+ is now required.
- [All] If no configuration allows a user, then users are no longer allowed by
default. The new config {attr}
.OAuthenticator.allow_all
can be configured True to allow all users. - [All] Users are now allowed based on either being part of:
{attr}
.OAuthenticator.admin_users
, {attr}.OAuthenticator.allowed_users
, an Authenticator specific config allowing a group/team/organization, or by being an existing user if new config {attr}.OAuthenticator.allow_existing_users
is configured. - [All] Existing users (listed via
/hub/admin
) will now only be allowed if {attr}.OAuthenticator.allow_existing_users
is True, while before existing users were allowed if {attr}.OAuthenticator.allowed_users
was configured. - [Google] If {attr}
.GoogleOAuthenticator.admin_google_groups
is configured, users logging in not explicitly there or in {attr}.OAuthenticator.admin_users
will get their admin status revoked. - [Generic, Google] {attr}
.GenericOAuthenticator.allowed_groups
, {attr}.GenericOAuthenticator.allowed_groups
{attr}.GoogleOAuthenticator.allowed_google_groups
, and {attr}.GoogleOAuthenticator.admin_google_groups
are now Set based configuration instead of List based configuration. It is still possible to set these with lists as as they are converted to sets automatically, but anyone reading and adding entries must now use set logic and not list logic. [Google] Authentication state's(reverted in 16.0.6 as JupyterHub's auth_state must be JSON-serializable and doesn't allow sets)google_groups
is now a set, not a list.- [CILogon] {attr}
.CILogonOAuthenticator.allowed_idps
is now required config, andshown_idps
,username_claim
,additional_username_claims
were removed. - [Okpy] The public functions
OkpyOAuthenticator.get_auth_request
andOkpyOAuthenticator.get_user_info_request
were removed. - [OpenShift] The config
ca_certs
was removed. Use {attr}.OAuthenticator.http_request_kwargs
with aca_certs
key instead. OpenShift's defaultca_certs
remains unchanged. - [Generic] {attr}
.GenericOAuthenticator.basic_auth
behavior changed in 16.0.0 and defaults to False in version 16.0.2.
- [Generic, Auth0]
username_key
is deprecated and is replaced by {attr}.OAuthenticator.username_claim
. - [Generic] {attr}
.GenericOAuthenticator.extra_params
is deprecated and is replaced by {attr}.OAuthenticator.token_params
. - [Generic, OpenShift]
GenericOAuthenticator.tls_verify
andOpenShiftOAuthenticator.validate_cert
are deprecated and are replaced by {attr}.OAuthenticator.validate_server_cert
.
The authenticators are no longer overriding the authenticate
method, but
instead relying on the OAuthenticator base class authenticate
method which
calls a few lower level methods that can be overridden if needed. Like this, a
lot of code has been absorbed into the OAuthenticator base class that was
previously duplicated across authenticators.
To learn more about this new structure the provider specific authenticator
classes rely on, please for now inspect the source code for the
OAuthenticator.authenticate
and
OAuthenticator.check_allowed
methods.
Plans on writing more thorough documentation about this new structure is tracked
in issue #634.
- [All] breaking: add allow_existing_users config defaulting to False #631 (@consideRatio, @minrk)
- [All] breaking, add allow_all config defaulting to False (CILogon: require allowed_idps) #625 (@consideRatio, @GeorgianaElena)
- [All] Add
http_request_kwargs
config option #578 (@manics, @consideRatio, @minrk)
- [All] Authorize
allowed_users
,admin_users
, or other allowed/admin groups #594 (@GeorgianaElena, @consideRatio, @minrk, @manics, @floriandeboissieu)
- Fix Content-Type header, should be x-www-form-urlencoded for token request, and not passed for other GET requests #599 (@jabbera, @GeorgianaElena, @consideRatio)
- Adjust the params of the access token request when basic auth is enabled #568 (@GeorgianaElena, @consideRatio)
- [OAuthLoginHandler] Fix tornado.auth.OAuth2Mixin.authorize_redirect
extra_params
parameter's name #551 (@GeorgianaElena, @consideRatio)
- [OpenShift] Remove ca_certs, deprecate validate_cert, fix unreleased regression #640 (@consideRatio, @manics)
- maint: cleanup 0.7 workaround and adjust two non-exposed func names #630 (@consideRatio, @minrk)
- refactor: separate deprecated config for readability #628 (@consideRatio, @minrk)
- maint: remove unused file common.py #624 (@consideRatio, @GeorgianaElena)
- maint: use tbump when making releases, update flake8/pytest/pytest-cov config #623 (@consideRatio, @minrk)
- Don't send POST params on query string also #610 (@jabbera, @manics, @consideRatio)
- Reverts unreleased changes making scope, username_claim, ..._url not configurable #608 (@GeorgianaElena, @consideRatio)
- maint: import Callable traitlet from jupyterhub #603 (@consideRatio, @GeorgianaElena, @manics)
- maint: cleanup already removed awscogito, azureadb2c, yandex #602 (@consideRatio, @GeorgianaElena)
- Fix bug in implementation of not yet released basic_auth config #601 (@consideRatio, @GeorgianaElena)
- [Maintainance] Remove dynamic defaults when not needed and rm the io_loop #595 (@GeorgianaElena, @minrk)
- Drop support for Python 3.7 #593 (@consideRatio, @GeorgianaElena, @minrk)
- maint: replace test-requirements.txt with opt. dependencies #590 (@consideRatio, @GeorgianaElena)
- dependabot: monthly updates of github actions #588 (@consideRatio, @GeorgianaElena)
- maint: declare optional dependencies for version constraints #581 (@consideRatio, @GeorgianaElena)
- Add missing requirements #577 (@manics, @minrk)
- [CILogonOAuthenticator] Add profile to default scope, fix detail following recent refactoring #575 (@GeorgianaElena, @consideRatio)
- maint: drop support for python 3.6 #559 (@consideRatio, @manics)
- Update .gitignore #558 (@consideRatio, @minrk)
- maint: add and run pre-commit hooks pyupgrade and autoflake #555 (@consideRatio, @GeorgianaElena, @manics)
- use importlib-metadata to load entrypoints for docs #542 (@minrk, @consideRatio)
- Refactor oauthenticators #526 (@GeorgianaElena, @minrk, @consideRatio, @yuvipanda)
- docs: coalesce v16 upgrade page into changelog, improve helpstrings #637 (@consideRatio, @manics)
- docs: a major refresher of the documentation #627 (@consideRatio, @GeorgianaElena)
http_request_kwargs
: link to TornadoHTTPRequest
doc #614 (@manics, @consideRatio)- docs: update broken links #604 (@consideRatio)
- docs: fix readme badge for tests #597 (@consideRatio)
- Fix broken link about GCP service account keys #586 (@GeorgianaElena, @consideRatio)
- Document the notable changes of the refactorization #569 (@GeorgianaElena, @consideRatio)
- Refactor the documentation structure #561 (@GeorgianaElena, @consideRatio, @minrk)
- All docs to MyST markdown 🚀 #554 (@GeorgianaElena, @consideRatio)
- ci: transition to use codecov github action #589 (@consideRatio)
- ci: add dependabot for github actions and update misc versions in workflows #566 (@consideRatio, @GeorgianaElena, @Sheila-nk)
The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.
(GitHub contributors page for this release)
@Bougakov (activity) | @consideRatio (activity) | @floriandeboissieu (activity) | @GeorgianaElena (activity) | @jabbera (activity) | @jimdigriz (activity) | @kianaf (activity) | @manics (activity) | @minrk (activity) | @Sheila-nk (activity) | @yuvipanda (activity)
(changelog:version-15)=
15.1.0 - 2022-09-08
- [Auth0] Add
auth0_domain
config #534 (@drhagen) - [CILogon] Add allowed_domains to allowed_idps config for a possiblity to restrict access based on idp + domain #518 (@GeorgianaElena)
- Update documentation theme and fix autodoc #524 (@GeorgianaElena)
(GitHub contributors page for this release)
@consideRatio | @dingobar | @drhagen | @GeorgianaElena | @manics | @minrk | @terrencegf | @yuvipanda
15.0.1 - 2022-06-09
- [Bitbucket] Fix for changes to bitbucket API - /teams removed and /workspaces to be used #477 (@Marcalberga)
- [CILogon] Don't make action a required field of CILogonOAuthenticator.allowed_idps follow-up #517 (@GeorgianaElena)
- [CILogon] Don't make action a required field of CILogonOAuthenticator.allowed_idps #516 (@GeorgianaElena)
(GitHub contributors page for this release)
@consideRatio | @GeorgianaElena | @Marcalberga | @welcome
15.0.0 - 2022-06-03
If you are using AzureAD, MediaWiki, and CILogon authenticators, make sure to read about the breaking changes.
CILogonOAuthenticator
has breaking changes and come with a migration guide. These changes resolve the known vulnerability GHSA-r7v4-jwx9-wx43. Your hub will fail to start if you do not follow the migration guide.
pyjwt
version 2.4.0 or greater is now required when use with authentication classes that needs it:AzureAdOAuthenticator
,MWOAuthenticator
.
- [GitHub] Add populate_teams_in_auth_state option #498 (@yuvipanda, @consideRatio, @GeorgianaElena, @manics)
- Allow and document custom 403 messages and pages #484 (@GeorgianaElena, @yuvipanda)
- [GitHub] fix implementation of populate_teams_in_auth_state #504 (@consideRatio, @yuvipanda)
- [Auth0] Fix AUTH0_SUBDOMAIN default setting #502 (@alejandrosame, @yuvipanda)
- maint: unpin extras_require googlegroups dependencies #508 (@consideRatio, @missingcharacter)
- breaking maint: require pyjwt>=2 and mwoauth>=0.3.8 (to reduce complexity) #506 (@consideRatio, @yuvipanda, @GeorgianaElena, @halfak)
- Use isort for import formatting #497 (@yuvipanda, @consideRatio)
- General maintenance and fix of pre-commit ci failure #479 (@consideRatio, @minrk, @GeorgianaElena)
- Remove custom stylesheet and bump sphinx version #465 (@diego-plan9, @consideRatio)
- Support pyjwt >= 2 in tests #461 (@diego-plan9, @minrk, @consideRatio)
- docs/ci: use myst, fix broken links, add linkcheck test, remove deprecated distutils, avoid 2x job triggers #511 (@consideRatio, @GeorgianaElena)
- docs/source/getting-started: mention openid scope for AzureAD + MFA #478 (@rkdarst, @consideRatio)
- Fix My Service authenticator class names in documentation #457 (@sgaist, @consideRatio)
(GitHub contributors page for this release)
@alejandrosame | @brianaydemir | @consideRatio | @diego-plan9 | @GeorgianaElena | @halfak | @kkaraivanov1 | @manics | @minrk | @missingcharacter | @rkdarst | @sgaist | @yuvipanda
14.2.0 - 2021-08-09
- [GitHub] Add syntax to allow specific teams in a GitHub organization #449 (@j0nnyr0berts)
(GitHub contributors page for this release)
@consideRatio | @dhirschfeld | @j0nnyr0berts | @jabbera | @manics | @sgibson91
14.1.0 - 2021-07-19
- [Globus] Add config to manage: allowed, admin, and blocked users through Globus groups #441 (@rpwagner)
- [Globus] Add config username_from_email #440 (@rpwagner)
- [Auth0] Add config username_key - maps identity providers response to a JH username #439 (@GeorgianaElena)
- [All] Support custom logout url (logout_redirect_url) #437 (@GeorgianaElena)
- [GitLab] Fix missing use validate_server_cert config for some web requests #443 (@wOvAN)
- [GitHub] Set JH user's email with non-public email if needed and granted scope to do so #442 (@satra)
- pre-commit configured and executed #434 (@consideRatio)
- ci: unpin pyjwt in test-requirements.txt #431 (@consideRatio)
- docs: update to async/await in example #435 (@consideRatio)
- Add reference to external FeiShuAuthenticator #427 (@harrywang)
- Note that whitelist should be used if not in 1.2 #422 (@mafloh)
(GitHub contributors page for this release)
@consideRatio | @GeorgianaElena | @harrywang | @holdenk | @mafloh | @manics | @minrk | @NickolausDS | @rpwagner | @satra | @wOvAN
14.0.0 - 2021-04-09
- Support username_claim in Google OAuth #401 (@dtaniwaki)
- added allowed_groups and admin_groups to generic.py #395 (@mcmartins)
- [Google] Allow for checking of google_groups for admin only #358 (@dwilliams782)
- Add
.fetch(req)
method to base OAuthenticator #415 (@minrk) - [OpenShift] add allowed_groups and admin_groups #410 (@wseaton)
- Clear cookie on logout #404 (@dtaniwaki)
- Test oldest dependencies and bump jupyterhub required to 1.2 #413 (@consideRatio)
- [Generic] Remove userdata_method configuration supposedly not relevant #376 (@consideRatio)
- docs: cleanup userdata_method from docs #416 (@consideRatio)
- allowed_project_ids is the valid name #409 (@manning-ncsa)
(GitHub contributors page for this release)
@consideRatio | @dhirschfeld | @dtaniwaki | @dwilliams782 | @holdenk | @manics | @manning-ncsa | @mcmartins | @minrk | @support | @welcome | @wseaton
0.13.0 - 2021-02-04
- Ensure oauthenticator.tests is packaged #407 (@manics)
- Auth0: Add refresh and id tokens to auth_state #393 (@biomath-vlad)
- PyJWT 2.0 compliant #402 (@rragundez)
(GitHub contributors page for this release)
@biomath-vlad | @consideRatio | @kianaf | @manics | @rragundez | @yuvipanda
- Fix exception when enable_auth_state is enabled but user.encrypted_auth_state is None #391 (@rkevin-arch)
(GitHub contributors page for this release)
@consideRatio | @minrk | @rkevin-arch | @snickell
0.12.2 - 2020-11-30
Security fix for GHSA-384w-5v3f-q499: Deprecated c.Authenticator.whitelist
configuration was ignored instead of mapped to newer c.Authenticator.allowed_users
when used with JupyterHub 1.2 and OAuthenticator 0.12.0-0.12.1.
0.12.1 - 2020-11-20
- Remove support for python 3.5 #384 (@consideRatio)
- migrate from travis to github actions #383 (@minrk)
- CI: Stop testing py35 and don't test on tagged commits #379 (@consideRatio)
(GitHub contributors page for this release)
@consideRatio | @manics | @minrk
0.12.0 - 2020-10-26
- [OpenShift] Enable cert verification for self-signed certs and auto-load auth api URL #363 (@vpavlin)
- [Globus] Support custom username handling #357 (@NickolausDS)
- [Google] Adding refresh_token #350 (@missingcharacter)
- [Google] Added optional support for google groups #341 (@missingcharacter)
- [All] Added extra_authorize_params to pass extra params in the initial request to the identity provider #338 (@NickolausDS)
- [GitLab] Improve subgroup support #333 (@akhmerov)
- [All] Let auth cookie be influenced by JupyterHub's cookie_options configuration #378 (@Wh1isper)
- [GitHub] Respect validate_server_cert attribute #354 (@nvs-abhilash)
- [Generic] tls verify not being honored at the httprequest level when internal_ssl is enabled #326 (@sstarcher)
- Rename OAuthenticator.whitelist to allow #366 (@GeorgianaElena)
- Python package extra dependencies updated #343 (@missingcharacter)
- [Generic] Fix failing GenericOAuthenticator tests #339 (@GeorgianaElena)
- [Globus] Remove the need for globus_sdk as a python dependency #337 (@NickolausDS)
- Add changelog for 0.12.0 release #377 (@consideRatio)
- [Globus] Docs: explain identity_provider better #362 (@NickolausDS)
- [OpenShift] Docs: fix broken link for OpenShift OAuth service accounts #352 (@nscozzaro)
- Docs: Updating sphinx and pandas_sphinx_theme references #345 (@missingcharacter)
- [Google] Added optional support for google groups #341 (@missingcharacter)
- [Globus] Remove the need for globus_sdk as a python dependency #337 (@NickolausDS)
- Update docs #336 (@GeorgianaElena)
- [Generic] Usage example for Nextcloud #268 (@arneki)
(GitHub contributors page for this release)
@ablekh | @akhmerov | @Analect | @arneki | @bellackn | @betatim | @CJCShadowsan | @cmseal | @consideRatio | @d0m84 | @daniel-ciocirlan | @dmpe | @dmvieira | @GeorgianaElena | @ghezalsherdil | @guimou | @gweis | @hardik42 | @hbuttguavus | @jamescross91 | @linkcd | @louis-she | @manics | @meeseeksmachine | @michec81 | @minrk | @missingcharacter | @mransley | @NickolausDS | @nscozzaro | @nvs-abhilash | @patback66 | @PaulMazzuca | @RAbraham | @sampathkethineedi | @saurav-bhagat | @shivan10 | @SolarisYan | @sstarcher | @support | @umar-sik | @vpavlin | @welcome | @Wh1isper | @willingc | @yuvipanda | @zhiyuli
0.11.0 - 2020-01-30
The main change in 0.11 is a refactoring of classes to remove mixins, reducing the amount of boilerplate needed. In addition, there are some fixes to the Azure AD Authenticator. This should be a fully backward-compatible change, except in cases where some subclasses were importing these now-unneeded mixin classes, such as GitHubLoginHandler, GitHubMixin, etc.
All options should now be configurable via the standard jupyterhub config file. There should no longer be any options that are only configurable via environment variable.
This release also removes the latest Authenticators added in 0.10
(AzureAdB2COAuthenticator, AWSCognitoOAuthenticator, YandexOAuthenticator),
which were released without being fully supported and
which can be achieved through configuration of existing classes,
such as AzureAd
and Generic
.
We don't plan to accept further contributions of new providers if they can be achieved through customization or configuration of existing classes. Rather, contributors are encouraged to provide example documentation for using new providers, or pull requests addressing gaps necessary to do so with the GenericOAuthenticator.
- [AzureAD] Don't pass resource when requesting a token #328 (@craigminihan)
- Remove mixins, per-Authenticator LoginHandler classes #323 (@minrk)
- [AzureAD] Add support for setting login_service #319 (@zevaryx)
- skeleton of sphinx docs #316 (@minrk)
(GitHub contributors page for this release)
@consideRatio | @craigminihan | @Dmitry1987 | @manics | @minrk | @NickolausDS | @zevaryx
0.10.0 - 2019-11-27
- Add AzureAdB2COAuthenticator #307 (@linkcd)
- Add support for
GenericOAuthenticator.username_key
to hold a callable value #305 (@eslavich) - Add
AzureAdOAuthenticator.username_claim
config field #280 (@jeff-sternberg) - Add
AWSCognitoAuthenticator
#269 (@jmartinc89)
- mediawiki: utf-8 > binary strings, req. mwoauth>=0.3.7 #297 (@consideRatio)
- Fixed Globus Logout Handler, added test #288 (@NickolausDS)
- Include inherited members in GitLab auth checks, requires GitLab 12.4 or newer, but will fall back to previous behavior for older GitLab versions. #283 (@vindvaki)
- Fixed content index in readme, and fixed typo in comments #310 (@linkcd)
- Add scopes documentation to auth0 example #303 (@jbradenbrown)
- Add py3.8 for CI testing #302 (@consideRatio)
- Travis: Deploy releases to pypi #301 (@manics)
- Disable MediaWiki's mwoauth==0.3.5 due to a regression #295 (@consideRatio)
- Add RELEASE.md #294 (@consideRatio)
- Add PyPI/Travis build badges to README.md #293 (@consideRatio)
- Fix project name typo #292 (@kinow)
- Use traitlet.default for Azure AD tenant_id #282 (@jeff-sternberg)
- Add clarifying comment into README code block #279 (@raethlein)
0.9.0 - 2019-07-30
- switch to asyncio coroutines from tornado coroutines (requires Python 3.5)
- add
GenericOAuthenticator.userdata_token_method
configurable - add
GenericOAuthenticator.basic_auth
configurable - support for OpenShift 4.0 API changes
0.8.2 - 2019-04-16
- Validate login URL redirects to avoid Open Redirect issues.
0.8.1 - 2019-02-28
- Provide better error messages
- Allow auth scope to be array or strings
GitHubOAuthenticator
: More efficientorg_whitelist
check- Use pytest-asyncio instead of pytest-tornado
- CILogon: New additional_username_claims config for linked identities, fallback to the primary username claim
GitLabOAuthenticator
: Newproject_id_whitelist
config to whitelist users who have Developer+ access to the projectGoogleOAuthenticator
: Allow email domains (hosted_domain
) to be a list- Add
jupyterhub-authenticator
entrypoints for jupyterhub 1.0. - Cleanup & bugfixes
0.8.0 - 2018-08-10
- Add
azuread.AzureADOAuthenticator
- Add
CILogonOAuthenticator.idp_whitelist
andCILogonOAuthenticator.strip_idp_domain
options - Add
GenericOAuthenticator.tls_verify
andGenericOAuthenticator.extra_params
options - Add refresh token and scope to generic oauthenticator auth state
- Better error messages when GitHub oauth fails
- Stop normalizing mediawiki usernames, which can be case-sensitive
- Fixes for group-membership checks with GitLab
- Bugfixes in various authenticators
- Deprecate GITLAB_HOST in favor of GITLAB_URL, since we expect
https://
in the url, not just the host.
0.7.3 - 2018-02-16
0.7.3 is a security fix for CVE-2018-7206.
It fixes handling of gitlab_group_whitelist
when using GitLabOAuthenticator.
The same fix is backported to 0.6.2.
0.7.2 - 2017-10-27
- Fix CILogon OAuth 2 implementation. ePPN claim is used for default username
(typically institutional email).
CILogonOAuthenticator.username_claim
can be used to change which field is used for JupyterHub usernames. GenericOAuthenticator.login_service
is now configurable.- default to GitLab API version 4 and allow v3 via GITLAB_API_VERSION=3 environment variable.
- Add
GlobusOAuthenticator.revoke_tokens_on_logout
andGlobusOAuthenticator.logout_redirect_url
config for further clearing of credentials on JupyterHub logout.
0.7.1 - 2017-10-04
- fix regression in 0.7.0 preventing authentication via providers other than GitHub, MediaWiki
0.7.0 - 2017-10-02
0.7.0 adds significant new functionality to all authenticators.
-
CILogon now uses OAuth 2 instead of OAuth 1, to be more consistent with the rest.
-
All OAuthenticators support
auth_state
when used with JupyterHub 0.8. In every case, the auth_state is a dict with two keys:access_token
and the user-info reply identifying the user. For instance, GitHubOAuthenticator auth_state looks like:{ 'acces_token': 'abc123', 'github_user': { 'username': 'fake-user', 'email': 'fake@email.com', ... } }
auth_state can be passed to Spawners by defining a
.pre_spawn_start
method. See examples/auth_state for an example. -
All OAuthenticators have a
.scope
trait, which is a list of string scopes to request. See your OAuth provider's documentation for what scopes you may want. This is useful in conjunction withauth_state
, which may be used to pass access tokens to Spawners via environment variables..scope
can control what permissions those tokens will have. In general, OAuthenticator default scopes should only have read-only access to identify users. -
GITHUB_HTTP environment variable can be used to talk to HTTP-only GitHub Enterprise deployments.
0.6.2 - 2018-02-16
0.6.2 is a security fix for CVE-2018-7206.
It fixes handling of gitlab_group_whitelist
when using GitLabOAuthenticator.
0.6.1 - 2017-08-11
0.6.1 has bugfixes for new behaviors in 0.6.0
- Use
.login_url
andnext_url
from JupyterHub if defined (JupyterHub 0.8) - Fix empty login_url where final login redirect could be omitted
- Fix mediawiki authenticator, which broke in 0.6.0
- Encode state as base64 instead of JSON, for easier passing in URLs
0.6.0 - 2017-07-25
- Support for changes in upcoming JupyterHub 0.8
- Refactor to share more code across providers
- Deprecated GITHUB_CLIENT_ID and other provider-specific environment variables for common options. All OAuthenticators support the same OAUTH_CLIENT_ID, OAUTH_CLIENT_SECRET, and OAUTH_CALLBACK_URL environment variables.
- New authenticators:
- auth0
- globus
- okpy
- openshift
- generic - a generic implementation that can work with any OAuth2 provider
0.5.1 - 2016-10-05
- Fixes in BitbucketOAuthenticator.check_whitelist
0.5.0 - 2016-09-02
- Add GitLabOAuthenticator
0.4.1 - 2016-05-18
- Fix typo preventing Google OAuth from working in 0.4.0
0.4.0 - 2016-05-11
- Enable username normalization (for mixed-case names on GitHub, requires JupyterHub 0.5).
This removes
GitHubOAuthenticator.username_map
introduced in 0.3, because the oauth2 Authenticator has.username_map
as of 0.5.
0.3 - 2016-04-20
- Add Google authenticator
- Allow specifying OAuth scope
- Add
GitHubOAuthenticator.username_map
for mapping GitHub usernames to system usernames.
0.2 - 2016-01-04
- Add mediawiki authenticator
- First release