GitHub authentication for Organization Teams

Cross-posting a GitHub issue we created here (https://github.com/jupyterhub/oauthenticator/issues/265)

We are currently creating many new organizations on github for week-long tutorials to grant time-limited access to hubs. Having team-based authentication could help with a few scenarios:

1. medium/large github organizations with application-specific hubs (https://github.com/pangeo-data)
2. could also be a really useful feature for resource access based on team membership within a github organization (for example, mapping team name to group id on the hub)?

how are other groups doing this? using a different authenticator? we could potential get a PR started for functionality but could use some direction:

On a related note,

Is there a simple way to get a list of emails for users who have gone through GitHub oauth? After reading through the GitHub docs and API docs, I’m not finding straightforward instructions for this.

As someone administering a hub currently with 70 users, I’d assumed that the Oauth App would retain that information somewhere. Or maybe it is embedded in the JupyterHub somewhere that admins have access to?

You could look at what is stored in the user DB of your hub. I don’t think I know where I’d look in the OAuth app/GitHub API to find this info.

It looks like the GitHub OAuthenticator requests limited user information including any public email address: https://github.com/jupyterhub/oauthenticator/blob/64e3f59606906c3cddd369327c884da4c9413bc1/oauthenticator/github.py#L152-L164

but I don’t think it’ll be stored in the JupyterHub DB unless you’ve configured authentication state persistence: https://jupyterhub.readthedocs.io/en/stable/reference/authenticators.html#authentication-state

If a user’s email isn’t public you’ll need the user:email OAuth scope: https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/, and probably a second API call: https://developer.github.com/v3/users/emails/