Cannot refetch token generated via API

Hi everyone,

I am trying to fetch a token I previously created via the JupyterHub REST API.

However, when I fetch the tokens for the user at the route:

/hub/api/users/52f15d0b-fba8-4026-9bd1-02abb03438fa/tokens

I get the following reply:

{
  "user": "52f15d0b-fba8-4026-9bd1-02abb03438fa",
  "id": "a958",
  "kind": "api_token",
  "roles": [],
  "scopes": [
    "servers!user=52f15d0b-fba8-4026-9bd1-02abb03438fa",
    "read:servers!user=52f15d0b-fba8-4026-9bd1-02abb03438fa",
    "read:tokens!user=52f15d0b-fba8-4026-9bd1-02abb03438fa",
    "read:users:name!user=52f15d0b-fba8-4026-9bd1-02abb03438fa",
    "users:activity!user=52f15d0b-fba8-4026-9bd1-02abb03438fa",
    "read:users:groups!user=52f15d0b-fba8-4026-9bd1-02abb03438fa",
    "delete:servers!user=52f15d0b-fba8-4026-9bd1-02abb03438fa",
    "access:servers!user=52f15d0b-fba8-4026-9bd1-02abb03438fa",
    "read:users:activity!user=52f15d0b-fba8-4026-9bd1-02abb03438fa",
    "tokens!user=52f15d0b-fba8-4026-9bd1-02abb03438fa",
    "read:users!user=52f15d0b-fba8-4026-9bd1-02abb03438fa"
  ],
  "created": "2023-12-02T17:15:36.162131Z",
  "last_activity": "2023-12-02T18:27:43.084793Z",
  "expires_at": null,
  "note": "Requested via api by user admin",
  "session_id": null,
  "oauth_client": "JupyterHub"
}

It does not include the token field for me to reuse the token.

The token is only returned the first time, when you create it.

Thanks a lot, that is very helpful.

What is the expected design pattern with the token? Is it expected that it is only used once and never again?

As is standard practice for token-issuing services (GitHub, PyPI, Google, etc.), you can only see the token one time when you create it. It’s then up to you to store it appropriately for re-use, if needed (e.g. in a password manager, cookie, or other safe secret storage). The issuing service only stores a hash of the token, so it can check if a request is made with the token, but it does not have the information it needs to retrieve the token a second time. This way a compromise of the database cannot reveal any existing tokens.

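An added illustration of the hash-only storage pattern the reply describes (example code, not JupyterHub's own implementation): the plaintext token is returned exactly once at creation, the store keeps only a salted SHA-256 digest, the token-listing call returns metadata without a `token` field, and authentication works by hashing the presented value and comparing digests. The salt is a constructed stand-in for a server-side secret, and the user id is the one from the post.

```python
"""Illustrative hash-only API token store (added example, not JupyterHub code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenStore:
    # Maps digest(token) -> token metadata; the plaintext token is never stored.
    _records: dict = field(default_factory=dict)
    # Constructed stand-in for a server-side secret used to salt the digest.
    _salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))

    def _digest(self, token: str) -> str:
        return hashlib.sha256(self._salt + token.encode()).hexdigest()

    def create(self, user: str, note: str) -> dict:
        """Issue a token. This is the only time the plaintext is returned."""
        token = secrets.token_hex(32)
        record = {"user": user, "id": secrets.token_hex(2), "note": note}
        self._records[self._digest(token)] = record
        return {**record, "token": token}

    def list_tokens(self, user: str) -> list:
        """What a listing endpoint can return: metadata only, no token field."""
        return [r for r in self._records.values() if r["user"] == user]

    def authenticate(self, presented: str):
        """Hash the presented token and compare digests in constant time."""
        wanted = self._digest(presented)
        for stored, record in self._records.items():
            if hmac.compare_digest(stored, wanted):
                return record
        return None


def demo() -> dict:
    """Walk through issue -> list -> authenticate and report what each exposed."""
    user = "52f15d0b-fba8-4026-9bd1-02abb03438fa"
    store = TokenStore()
    issued = store.create(user, "Requested via api by user admin")
    listed = store.list_tokens(user)
    return {
        "token_in_listing": any("token" in r for r in listed),
        "listing_count": len(listed),
        "auth_ok": store.authenticate(issued["token"]) is not None,
        "auth_wrong_token": store.authenticate("0" * 64) is not None,
    }
```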

Thanks a lot, that is very helpful!