Enabling authentication for BinderHub allows you to control who can access your Hub, e.g. through GitHub organisations. However, allowing access to private repos is a separate process since logging into the Hub and then starting a Binder instance are separate events. I think we are waiting on this PR to have finer control over private repos.
Basically, someone (an admin) has to provide an access token to BinderHub that allows it to authenticate to the repo-provider in order to clone “as BinderHub” (but it’s really cloning as the person who created the token). Hence if I provided my access token to BinderHub, anyone who could log into my Hub could clone my private repos regardless of whether they had access through the repo provider’s interface or not. The above PR is trying to dynamically forward a logged in user’s credentials to BinderHub in order to clone “as them” instead.