Thanks for the logs! I think we have our lead. The code that’s supposed to prevent login redirects for api requests appears to be preventing the actual 302 redirect (it’s successfully turning it into 403), but only after the process has begun with setting state cookies, etc. So that would result in setting lots of oauth cookies that never get used. I’ll have to look into what’s going on there.
The short-term workaround ought to be to run jupyterhub not as an Server Extension, but the older subclass implementation by setting:
JUPYTERHUB_SINGLEUSER_EXTENSION=0
in the single-user env. No other behavior should be different.