GitlabOAuth subgroup authentication problems

Hey everyone,

I’m having a 403 error when trying to authenticate. This is my config:

hub:
    config:
        Authenticator:
            admin_users:
            - ***
        GitLabOAuthenticator:
            client_id: ***
            client_secret: ***
            oauth_callback_url: ***
            allowed_gitlab_groups:
            - aSubgroup
            scope:
            - read_user
            - read_api
            - read_repository
            - openid
            - profile
            - email
        JupyterHub:
            authenticator_class: gitlab

If I add the parent group, instead of a subgroup, then I can authenticate. I’m part of both groups. I’m an owner of the subgroup, and only a maintainer in the parent group. I’m also the admin user.

Is there any way to authenticate using the subgroup instead of the parent group? What am I missing?

On the off chance that some features didn’t land in your jupyterhub yet, what versions of gitlab and oauthenticator do you have?

I’m using the Helm chart version 1.1.1 and I’m using GitLab Enterprise Edition 14.2.0-pre

OK, that ought to be enough

Do you specify the full subgroup path (parent_group/subgroup)? Can you try providing the group numerical id instead of its name (the ID visible at the gitlab group page)?

I’ve tried:

• parentGroupId/subGroupId
• parentGroupName/subGroupName
• subGroupId
• subGroupName
• groupId
• groupName

Using the groupId and groupName works fine. Everything else, fails.

Uhh, that seems weird, and I’m really unsure what is happening here.

Perhaps as an extra check, can you try getting the endpoint yourself? It should be something like https://your.gitlab.domain/api/v4/groups/<subgroup_id or parentGroupName%2FsubGroupName>/members/all/<your_id>?

Yup, I’m there on both endpoints…

I’m out of my depth here, sorry. The only remaining option that comes to mind is modifying the oauthenticator source so that you can see the query and the response in the logs.