BinderHub Authentication with OAuth - 403 Forbidden to Access binder

I have upgraded z2jh deployment to the latest version (2.0.0) which features jupyterHub 3.0.0. As written in all changelogs and upgrade guides, there have been changes in RBACs . Now, it is necessary to assign roles to the people accessing BinderHub/JupyterHub in order to even access the service. The user gets default user role which permits something. However, in our case, everyone who tries to access binderhub is presented with

403 : Forbidden
You do not have permission to access JupyterHub service binder

The authentication used to work without any problems before the upgrade, without any further configuration.

Hub pod logs include

[D 2022-11-15 12:36:24.580 JupyterHub provider:415] Validating client id service-...

[D 2022-11-15 12:36:24.585 oauthlib.oauth2.rfc6749.grant_types.authorization_code authorization_code:363] Validating redirection uri for client service-...

[D 2022-11-15 12:36:24.585 oauthlib.oauth2.rfc6749.grant_types.base base:230] Using provided redirect_uri

[D 2022-11-15 12:36:24.588 JupyterHub provider:490] validate_redirect_uri: client_id=service..., redirect_uri=

[D 2022-11-15 12:36:24.590 oauthlib.oauth2.rfc6749.grant_types.base base:171] Validating access to scopes ['read:users:groups!user', 'read:users:name!user', 'access:services!service=binder'] for client 'service-....

[D 2022-11-15 12:36:24.591 JupyterHub provider:614] Allowing request for scope(s) for service-...: access:services!service=binder,read:users:groups!user,read:users:name!user

[E 2022-11-15 12:36:24.592 JupyterHub auth:271] User <User(xhejtman 0/1 running)> not allowed to access JupyterHub service binder

[W 2022-11-15 12:36:24.592 JupyterHub web:1796] 403 GET /hub/api/oauth2/authorize?client_id=redirect_uri=oauth_callback&response_type=code&state= You do not have permission to access JupyterHub service binder

[D 2022-11-15 12:36:24.593 JupyterHub base:1342] No template for 403

We don’t want to block anyone from using binderhub/jupyterhub, everyone should be allowed to use the service without any restrictions. I thought that it would be enough to add role for one group each user has and assign “access:services” scope to that role, e.g.

          - "access:services"
          - "users:activity"
          - "" <- one group everyone has

but this did not help and later I learned that these groups correspond to internal JH groups. I do not want to create any internal JH groups as it does not make sense - we have hundreds of users who are eligible to use the service based on their membership in this one group propagated from IdP. I found that it is possible to propagate groups from Authenticator ( but I don’t think this options is doing anything. Our configuration is as following

        authenticator_class: generic-oauth
        auth_enabled: false
        manage_groups: true
        token_url: https://login....
        userdata_url: https://login....
        client_id: service-...
        client_secret: ...
          state: state
        username_key: preferred_username
          - "openid"
          - "profile"
          - "eduperson_entitlement"
        login_service: "e-INFRA CZ AAI"
        allowed_groups: [""]
        claim_groups_key: "eduperson_entitlement"

Later I tadded admin role just for my username for debugging but I am unable to find out how to allow ALL AUTHENTICATED USERS to use binderhub (or ALL AUTHENTICATED USERS WHO HAVE THAT ONE GROUP). Can I use the groups from OAuth anyhow? If yes, how can I enable all users with that one specific group to use the service?

Thanks for help!

I found that it is possible to propagate groups from Authenticator

Yes, but it’s up to the authenticator to support this. One option is to extend GenericOAuthenticator to return the group(s).

Alternatively you could try setting the default user scopes:

1 Like

Hello @manics ,
thanks for a reply. Setting default scopes as suggested in issue

solves the problem. However, it would be good to add this information and information on how to propagate groups from Authenticators to hub to documentation. It would be very helpful!

For others: If you want to allow all authenticated users to access binder and spawn a notebook, add:

          - self
          - "access:services"
1 Like

I’ve opened a PR to add the info: Auth requires `jupyterhub.hub.loadRoles` by manics · Pull Request #1578 · jupyterhub/binderhub · GitHub
I was waiting for someone to confirm it worked