[OAuth or Generic] Implement refresh_user #398

Open
minrk opened this issue Dec 14, 2020 · 3 comments

@minrk
Member

minrk commented Dec 14, 2020

Proposed change

Implement JupyterHub's refresh_user method to refresh/re-validate auth state. The upstream method was added specifically to allow Authenticators like oauthenticator to ensure auth state is up-to-date with upstream prior to spawn to avoid stale auth info.

Who would use this feature?

Deployments where user environments are passed access tokens from auth state, especially those where access tokens expire.

(Optional): Suggest a solution

  1. Ideally, we would refactor the access_token -> auth model into a common method(s) in all OAuthenticators, e.g. token_to_user(token). I'm not sure how generic this is going to be.
  2. validate current token to make sure it's still valid (maybe new base check_token method)?
  3. refresh with refresh_token, if available
  4. return None if it's not valid and not refreshable (forces re-login)
  5. return updated auth model, if valid in case of changes, e.g. group/admin changes
  6. enable refresh_pre_spawn by default if self.enable_auth_state.
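
The flow in steps 2 to 5 above, as an added sketch that is not part of the original issue or of oauthenticator's code. `FakeProvider`, `refresh_auth_model` and the token values are constructed for illustration, and the identity check before returning is an added assumption.

```python
import copy

class FakeProvider:
    """Constructed in-memory stand-in for an OAuth provider (no network)."""
    def __init__(self):
        self.valid = {"at-1": {"name": "alice", "groups": ["staff"]}}
        self.refreshable = {"rt-1": "at-2"}  # refresh_token -> new access_token

    def check_token(self, access_token):
        """Step 2: return upstream user info if the token is valid, else None."""
        return self.valid.get(access_token)

    def refresh(self, refresh_token):
        """Step 3: exchange a refresh token for a new access token, or None."""
        new = self.refreshable.pop(refresh_token, None)
        if new:
            # Upstream groups changed since login (constructed data).
            self.valid[new] = {"name": "alice", "groups": ["staff", "admins"]}
        return new

    def expire(self, access_token):
        self.valid.pop(access_token, None)

def refresh_auth_model(auth_model, provider):
    """Return an updated auth model, or None to force re-login (step 4)."""
    # Work on a copy so a failed refresh never mutates the stored auth state.
    state = copy.deepcopy(auth_model.get("auth_state") or {})
    info = provider.check_token(state.get("access_token"))
    if info is None and state.get("refresh_token"):
        new_token = provider.refresh(state["refresh_token"])
        if new_token:
            state["access_token"] = new_token
            info = provider.check_token(new_token)
    if info is None:
        return None  # not valid and not refreshable
    if info["name"] != auth_model["name"]:
        return None  # assumption: a refresh must never switch identities
    # Step 5: rebuild the model from upstream so group/admin changes apply.
    return {"name": info["name"], "groups": info["groups"], "auth_state": state}
```
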
@jabbera
Contributor

jabbera commented Apr 21, 2021

@minrk I'm thinking this might be useful to me and I might implement it, but it's not clear if it will solve my problem. Maybe you can clear it up?

I use Azure AD auth paired with kubespawner. I pass my access token to my notebook hosts and the access token goes bad after 10 hours. If I request offline_access in my scope I can get a refresh token. However, the refresh_user method is called in the hub's context, I believe? How can this help me update my access token in my notebook?

@minrk
Member Author

minrk commented Apr 22, 2021

This won't, or at least isn't enough on its own, to solve the problem in the container.

If you pass the refresh token to the container, you can do the refresh from there, e.g. in a server extension or kernel-level code, depending on how you want to use it. I believe @betatim has had a working version of refreshing tokens for some provider.

@GeorgianaElena
Member

Hey @Wykiki and @jthiltges! Thank you so much for your PRs #490 and #475 that implement the refresh_user.

In a recent maintenance effort, the repository has been refactored (#526) and the oauthenticators now use a common authentication model that more or less matches @minrk's first point in the suggested solution from the top comment.

This highly improves the maintainability of the repo. For example, this refresh_user can now be implemented at an OAuthenticator level, for all the available oauthenticators to use.

However, this means that your PRs would need to be rebased against the recent changes.

Would any of you be willing to do this work and implement refresh_user at an OAuthenticator level, for all of the available oauthenticators to use?

Disclaimer: #526 changed lots of code at once and because of this, some potential issues might get exposed in the process.
