Disable authorize access page (hub/api/oauth2/authorize)

When connecting to a server for the first time, users must go through an “authorise access page”:

This is presumably authorizing the authenticator to see your credentials.

I’m not sure this page makes sense for PAM setups. Is there a way to disable it?

This happens only when you are either accessing an external service or an admin (or a user with enough privileges) accesses another user’s servers. This does not happen when you spawn a regular JupyterLab/notebook instance.

When do you get this dialog?

1 Like

When do you get this dialog?

When accessing other users’ servers.


Some info on the use case:

I have a Jupyter Hub deployment where users are able to access each other’s servers.

This is intended to:

  • Open up Jupyter Hub use for “shared” user accounts (accounts that users of a group have sudo permissions for).
  • Allow restricted access for regular users to each other’s servers.

The authorize page is a bit of an encumbrance where cross-user activity is common.

We’re using the PAM authenticator (which already knows user credentials) so we are authorizing the authenticator to see information that it already possesses.

1 Like

This is more of an OAuth2 thing than PAM. As accessing other users’ servers is equivalent to letting a third-party app access the user data, the user needs to perform this authorization action.

For external services, you can skip it using the oauth_no_confirm config parameter in the service definition. But I am not sure if it is configurable for the single-user servers spawned by JupyterHub.

1 Like

Thanks for pointing me in the right direction.

The oauth_no_confirm config doesn’t appear to be intended to disable this authorization step for single-user servers as you suggested. Although, I think you can use it for this purpose if you generate an entry in oauth_no_confirm_list for every user on the hub, although there is no configuration to do this and you will get a warning in the log for each user on hub startup.

Overriding the needs_oauth_confirm method bypasses the configuration allowing us to turn this feature off completely, but requires a shim to JupyterHub.init_handlers to work:

import jupyterhub.app
import jupyterhub.apihandlers.auth


class DisableConfirmationOAuthAuthorizeHandler(
    jupyterhub.apihandlers.auth.OAuthAuthorizeHandler
):

    def needs_oauth_confirm(self, *args, **kwargs):
        # never show the authorize page (i.e. implicitly authorize all
        # authenticators to see user's credentials)
        return False


class DisableConfirmationJupyterHub(jupyterhub.app.JupyterHub):

    def init_handlers(self):
        # modify the authorize handler to use the patched class
        jupyterhub.app.apihandlers.default_handlers = [
            (
                route,
                (
                    DisableConfirmationOAuthAuthorizeHandler
                    if route == '/api/oauth2/authorize'
                    else handler
                ),
            )
            for route, handler in jupyterhub.app.apihandlers.default_handlers
        ]
        super().init_handlers()


jupyterhub.app.JupyterHub = DisableConfirmationJupyterHub

I understand why this page is there, it just doesn’t make much sense for my particular deployment and becomes a bit of an encumbrance as this authorization has to be performed for every server you connect to and cross-user activity is very common for our use case.

Would be happy to contribute a disable_oauth_confirm configuration if this is a feature the maintainers would be happy to accept.

1 Like

I’d be open to a global oauth_no_confirm flag, if you want to make a PR, thanks for offering! I wouldn’t necessarily recommend it since it means users can share links that will grant themselves impersonation permissions without any confirmation from their target user beyond clicking a link, but I know every deployment is different, and there isn’t always anything sensitive accessible with those credentials (in the default config, these credentials can’t do much for a reason).
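
A narrower alternative to the global bypass discussed in this thread, as an added example that is not from any of the posters or from JupyterHub: a stand-alone decision function that skips the authorize page only for a user's own server and for explicitly listed shared accounts, and keeps it everywhere else. `ConfirmPolicy`, `needs_confirm`, the client ids and the account data are hypothetical; calling it from a `needs_oauth_confirm` override, and how the hub supplies the client-to-owner mapping, are assumptions left to the deployment.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ConfirmPolicy:
    # Hypothetical policy: shared account name -> users who accept that
    # account's servers learning their identity without the authorize page.
    shared_accounts: dict = field(default_factory=dict)


def needs_confirm(policy, visitor, client_id, client_owners):
    """Return (confirm, reason) for one OAuth authorize request.

    visitor is the logged-in user who would be shown the page; client_owners
    maps an OAuth client id to the user owning that server (assumption: the
    hub-side caller builds this mapping from its own records).
    """
    owner = client_owners.get(client_id)
    if owner is None:
        # Unknown client (for example an external service): never skip.
        return True, "unknown client"
    if owner == visitor:
        return False, "own server"
    if visitor in policy.shared_accounts.get(owner, frozenset()):
        return False, f"listed member of shared account {owner}"
    # Any other cross-user visit keeps the page, so following a link to
    # someone else's server does not hand that server a token for the
    # visitor without the visitor's explicit consent.
    return True, f"cross-user access to {owner}"


# Constructed sample data, not taken from a real deployment.
POLICY = ConfirmPolicy(shared_accounts={"lab-shared": frozenset({"alice", "bob"})})
CLIENT_OWNERS = {
    "client-alice": "alice",
    "client-lab-shared": "lab-shared",
    "client-carol": "carol",
}

if __name__ == "__main__":
    for who, cid in [("alice", "client-alice"), ("bob", "client-lab-shared"),
                     ("carol", "client-lab-shared"), ("alice", "client-carol"),
                     ("bob", "client-grafana")]:
        print(who, cid, needs_confirm(POLICY, who, cid, CLIENT_OWNERS))
```

Returning the reason alongside the decision lets the caller log every skipped confirmation, which gives an audit trail for the cases where the page was not shown.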