GitHub OAuth allowed_organizations?

Hello all,

I’m deploying a JupyterHub with Kubernetes and am trying to allow access to users based on GitHub organization membership, but am getting a 403 Forbidden error on login.

I’ve created the GitHub OAuth app and have added the following in my config file:

hub:
  config:
    GitHubOAuthenticator:
      client_id: "xxx"
      client_secret: "xxx"
      oauth_callback_url: "xxx"
      allowed_organizations:
        - "xxx"
      scope:
        - "read:org"
        - "read:user"
    JupyterHub:
      authenticator_class: github

The GitHub OAuth docs on allowed_organizations tell me all I need is the read:org scope. Of course, I am part of the GitHub org that I’ve added to the allow list.

I’m using the most recent helm chart version 4.1.0.

Is there something obvious that I’m missing?

Thanks,

ana v. e.

Could you share the logs of JupyterHub, if possible in debug mode? Does it work if you use allowed_users instead of allowed_organizations?

1 Like

Hello Mahendra,

The non-debug logs are what you might expect: I successfully authenticate with GitHub, but I am not authorized to access the JupyterHub.

However, once I’ve done as you suggest and looked at the debug logs, I think I see the problem:

[D 2025-03-06 16:08:35.760 JupyterHub github:313] Checking GitHub organization membership: ana-v-espinoza in <org>?
[D 2025-03-06 16:08:36.000 JupyterHub github:331] ana-v-espinoza does not appear to be a member of <org> (status=404): User does not exist or is not a ***public*** member of the organization
[W 2025-03-06 16:08:36.000 JupyterHub github:186] User ana-v-espinoza is not part of allowed_organizations
[W 2025-03-06 16:08:36.000 JupyterHub auth:732] User 'ana-v-espinoza' not allowed.

The emphasis on “public” is mine. Sure enough, it seems like my status as a member of that org isn’t public.

Thank you for the suggestion to take a look at the debug-level logs.

Best,

ana v. e.

1 Like
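For admins who want to spot this failure mode across many logins, the sketch below correlates the debug-level membership check with the denial warning. It is an added example, not part of the posts above and not OAuthenticator code. It assumes the log format matches the lines quoted in the thread; the function names `find_org_denials` and `explain` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the four log lines quoted in the post above ("***" is the poster's emphasis).
SAMPLE_LOG = """\
[D 2025-03-06 16:08:35.760 JupyterHub github:313] Checking GitHub organization membership: ana-v-espinoza in <org>?
[D 2025-03-06 16:08:36.000 JupyterHub github:331] ana-v-espinoza does not appear to be a member of <org> (status=404): User does not exist or is not a ***public*** member of the organization
[W 2025-03-06 16:08:36.000 JupyterHub github:186] User ana-v-espinoza is not part of allowed_organizations
[W 2025-03-06 16:08:36.000 JupyterHub auth:732] User 'ana-v-espinoza' not allowed.
"""

# Assumed line layout: [LEVEL date time JupyterHub module:lineno] message
PREFIX = re.compile(r"^\[(?P<level>[DIWEC]) \S+ \S+ JupyterHub [\w.]+:\d+\] (?P<msg>.*)$")
NOT_MEMBER = re.compile(
    r"^(?P<user>\S+) does not appear to be a member of (?P<org>\S+) \(status=(?P<status>\d+)\)")
DENIED = re.compile(r"^User (?P<user>\S+) is not part of allowed_organizations")


def find_org_denials(log_text):
    """Map each user to the org checks that failed and whether login was denied."""
    report = defaultdict(lambda: {"orgs": {}, "denied": False})
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # not a JupyterHub log line in the assumed format
        if m["level"] == "D" and (nm := NOT_MEMBER.match(m["msg"])):
            report[nm["user"]]["orgs"][nm["org"]] = int(nm["status"])
        elif m["level"] == "W" and (d := DENIED.match(m["msg"])):
            report[d["user"]]["denied"] = True
    return dict(report)


def explain(report):
    """Turn the parsed report into one hint per denied user and org."""
    hints = []
    for user, info in sorted(report.items()):
        if not info["denied"]:
            continue
        if not info["orgs"]:
            # Only the warning was logged: the per-org status needs debug-level logs.
            hints.append(f"{user}: denied, no per-org status logged (enable debug logging)")
        for org, status in sorted(info["orgs"].items()):
            hints.append(f"{user}: membership in {org} not visible to the hub (status={status})")
    return hints


if __name__ == "__main__":
    print("\n".join(explain(find_org_denials(SAMPLE_LOG))))
```

A denial with no per-org status means the hub was not logging at debug level, which is the situation described before the debug logs were enabled.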

In case somebody is looking for a “full” solution to this problem, to change the visibility of my organization membership from private to public, I followed the official GitHub docs on the matter:

1 Like

It is not a great user experience to be asked to do these steps, but thankfully there is an option to it with the approval by an admin of the allowed GitHub orgs permission.

Details on doing this are documented by @sgibson91 with 2i2c.org in GitHub Orgs and Teams — Infrastructure Guide!

It would be great to have that good documentation about this in the oauthenticator project!

2 Likes