403 whitelist issues with github auth

[rsignell-usgs]

I'm just capturing this github auth 403 whitelist problem in case other folks deploying pangeo find it useful.

On pangeo.esipfed.org, we initially were whitelisting users via the auth: admin section in jupyter-config.yaml, which makes them admin users, and that worked fine -- people on this list had no problem logging in.

  auth:
    admin:
      access: true
      users:
        - jreadey
        - rsignell-usgs

    type: github
    github:
      clientId: "SECRET"
      clientSecret: "SECRET"
      callbackUrl: "http://pangeo.esipfed.org/hub/oauth_callback"
      org_whitelist:
        - "HDFGroup"
        - "pangeo-data"
        - "USGS-CMG"
    scopes:
      - "read:org"

I then decided to add org_whitelist: entries, and this caused people who logged out to get 403 errors when they tried to log back in.

Looking at the logs for the hub pod:

helm list
kubectl get pods -n esip-dev 
kubectl -n esip-dev logs hub-5647fc9dcd-m86gx

revealed that it said "User rsignell-usgs is not in org whitelist" even though I was listed as an admin, and also was a member of a whitelisted org. When I went to confirm my membership in the org on github, I saw that my membership in the org was "private", and when I switched it to "public" I was able to finally login.

[mrocklin]

cc @choldgraf in case he finds this interesting from an upstream documentation perspective. @choldgraf when would you like issues to be raised upstream at https://github.com/jupyterhub/zero-to-jupyterhub-k8s ?

[choldgraf]

most definitely! this would be a useful one to iron out, thanks for the ping @mrocklin ! Do you all want to open an issue or shall I?

[mrocklin]

@rsignell-usgs do you have any interest in reporting this upstream?

[rsignell-usgs]

closing here.