GitHub Oauth limit users with "authorization" mechanism similar to native authentication #391

Closed
alvinhuff opened this issue Jul 4, 2019 · 7 comments
Labels
support Support questions (should be on discourse.jupyter.org instead)

Comments

@alvinhuff

Hello,

Thanks for all your hard work getting TLJH working with GitHub OAuth. After a couple of false starts on my part, user authentication works smoothly. But now I would like to limit who can authenticate to the TLJH instance, as I have limited resources and this is for an online class. Is there any way to enable "authorization" similar to that of the native authentication?
E.g. the user can "sign up" with their GitHub account, but then they must be authorized by an admin. That way only students in the class get access to the resources. I would like to not have to be too restrictive with the CPU and RAM allocations in order to keep the VM stable.

Thanks in advance,

alvin

@GeorgianaElena GeorgianaElena added the support Support questions (should be on discourse.jupyter.org instead) label Jul 11, 2019
@dennismckinnon

I also have this question. I would like to use Google for OAuth but I also want to restrict (whitelist) the emails that can sign up.

@lee-hodg

I would like to know also.

The docs for OAuthenticator GitHub suggest we should be able to restrict users with something like

sudo tljh-config set auth.GitHubOAuthenticator.allowed_users <allowed-user-1>
sudo tljh-config reload hub

but this didn't seem to prevent other usernames for me.

@lee-hodg

I also tried doing this via the custom config snippets

# /opt/tljh/config/jupyterhub_config.d/oauth_config.py file
c = get_config()
c.GitHubOAuthenticator.allowed_users = {'some-allowed-user'}
c.GitHubOAuthenticator.blocked_users = {'some-blocked-user'}

Since these are the values the GithubOAuthenticator supposedly takes, see here

Despite doing a sudo tljh-config reload hub, I was still allowed to log in as the blocked user, even though he did not exist on the system before.

@lee-hodg

In the end this was simply because tljh appears to be using the oauthenticator version that still uses the whitelist param instead of the more up-to-date version with allowed_users.

What worked:

sudo tljh-config set auth.GitHubOAuthenticator.whitelist <allowed-user-1>
sudo tljh-config reload

Config

The working config file looked like

auth:
  type: oauthenticator.github.GitHubOAuthenticator
  GitHubOAuthenticator:
    client_id: XXXX
    client_secret: XXXX
    oauth_callback_url: XXX
    whitelist:
    - allowed-user-1

Test

You can test by first going to https://jupyter.yourcompany.com/hub/admin and deleting the user in question, and also deleting them from the Linux system with sudo deluser --remove-home jupyter-allowed-user-1. Now change the whitelist to be, say, some-other-user. You will see in the admin user list that some-other-user is present and has "never" logged in, and you will see that "allowed-user-1" is not. If you try to authenticate with GitHub as allowed-user-1, you should see a 403 Forbidden.
If you now switch back to allowed-user-1, you can log in successfully as expected.
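
An added example, not part of the thread and not TLJH or oauthenticator code: a check that the allow-list key in the `auth` section is one the installed authenticator actually recognises, so an ignored setting such as the `allowed_users` attempt above is reported instead of silently leaving logins unrestricted. `audit_auth`, `recognised_options`, `sample` and `OLD_OPTIONS` are hypothetical names, and `OLD_OPTIONS` is a constructed stand-in for the older version's options; on a real hub that set would come from the class's `class_trait_names()`.

```python
# Added example, not TLJH or oauthenticator code. OLD_OPTIONS is a constructed
# stand-in for the option names of the older authenticator described above.
ALLOW_KEYS = ("allowed_users", "whitelist")  # current and deprecated names from this thread
OLD_OPTIONS = {"client_id", "client_secret", "oauth_callback_url", "whitelist"}
BASE = {"client_id": "XXXX", "client_secret": "XXXX", "oauth_callback_url": "XXX"}


def recognised_options(authenticator_cls):
    """Option names the installed class accepts (traitlets' class_trait_names)."""
    return set(authenticator_cls.class_trait_names())


def audit_auth(auth, recognised):
    """Return findings for the `auth` section; an empty list means an allow list is enforced."""
    cls_name = auth.get("type", "").rsplit(".", 1)[-1]
    section = auth.get(cls_name) or {}
    findings, effective = [], set()
    for key in ALLOW_KEYS:
        if key not in section:
            continue
        value = section[key] or []
        # A single user may be stored as a bare string rather than a list.
        users = {value} if isinstance(value, str) else set(value)
        if key not in recognised:
            findings.append(f"{cls_name}.{key} is not an option of the installed version and is ignored")
        else:
            effective |= users
    if not effective:
        # Fail closed: an empty or ignored allow list restricts nobody.
        findings.append(f"no effective allow list for {cls_name}: logins are not restricted")
    return findings


def sample(key):
    """Constructed config modelled on the working file in the thread."""
    return {"type": "oauthenticator.github.GitHubOAuthenticator",
            "GitHubOAuthenticator": {**BASE, key: ["allowed-user-1"]}}


if __name__ == "__main__":
    for key in ALLOW_KEYS:
        print(key, "->", audit_auth(sample(key), OLD_OPTIONS) or "OK")
```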

@chintanp

@lee-hodg So if I understand you correctly unless the whitelist parameter is set with a value, TLJH assumes whitelist=* and allows everyone with a GitHub account to log in?

@lee-hodg

@chintanp no, in the end, setting the parameter whitelist works, however as you can see here that is deprecated in favour of allowed_users in the GitHubOAuthenticator.

It appears to me that tljh is using an older version of GitHubOAuthenticator, so it still uses the "whitelist" parameter name and not the more modern "allowed users". This can be confusing if you just look at their docs and try to set things up.

@consideRatio
Member

consideRatio commented Oct 25, 2021

TLJH indeed has an outdated version of the oauthenticator package. It will be updated by #719 but hasn't yet been updated.

I'll close this issue as I see no concrete action points besides making sure to update oauthenticator as done in that PR, as well as reviewing our docs to be compliant with that upgrade.
