Google OAuth with Whitelist

Hello!
We want to use Google OAuth and whitelist email addresses at the same time. The documentation makes it sound possible, but we haven’t gotten it to work.

It seems that any user can log in via an email address from our organization, whether they are on the whitelist or not.

This is what our config.yaml looks like:

auth:
  type: google
  whitelist:
    users:
      - <username>@email.edu

hub:
  extraConfig:
    jupyterlab: |
      c.Spawner.cmd = ['jupyter-labhub']

I’m not sure if this information would help, but our cluster is set up so that nginx forwards traffic from public IP addresses to the EXTERNAL-IPs of the services on the cluster. So traffic to JupyterHub’s publicly accessible IP is forwarded to the EXTERNAL-IP of the LoadBalancer of JupyterHub, proxy-public.

Thank you!


Turns out that whitelisting with Google OAuth was working, with the caveat that any user who had previously logged in and is not whitelisted could still log in.


This is something that should probably be mentioned in the docs.

Just an option if you still have any problems. We looked at the same solution as a quick fix before an automated check on a BigQuery table, and we found the same problem: the whitelist was stored in the jupyterhub.sqlite database, and any removal from there needed a restart of JupyterHub.

We came up with the following pre_spawn_hook, which checks the whitelist every time a spawn is requested, so it's real-time checking of the whitelist:

# Create custom whitelist
# Spawner pre-spawn hook to check that the user has access against a whitelist of people
def checkUserAccess(spawner):
    # authenticated starts as False, always
    authenticated = False
    # Open the whitelist file, which we can store in GCS
    with open('/opt/jupyterhub/OAuth/whitelist') as f:
        # Loop through line by line
        for line in f:
            # Skip blank lines
            if line.strip() == '':
                continue
            # Split the line if we have more than one column; default delimiter is whitespace
            line_indiv = line.split()
            # Pull the whitelist name we want to check against, always the first column
            white_name = line_indiv[0]
            # If the whitelist name matches the spawner username, we authenticate
            if white_name == spawner.user.name:
                authenticated = True
                break
    # If we can't authenticate, raise an exception so the spawn fails
    # (the reason then shows up in the hub log)
    if not authenticated:
        raise PermissionError('user %s is not on the whitelist' % spawner.user.name)

# attach the hook function to the spawner
c.Spawner.pre_spawn_hook = checkUserAccess

Hopefully it helps, but the basics are: put the username (or email address) in /opt/jupyterhub/OAuth/whitelist.

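As an added example that is not code from any of the posters above, the following module puts the two points of this thread together: the pre-spawn hook from the last reply (re-read a whitelist file on every spawn and refuse anyone not on it), and the loophole from the earlier reply (users who logged in before being removed from the whitelist stay in the hub database and can keep logging in, so they have to be deleted from the hub as well, which the hub REST API allows via DELETE /hub/api/users/<name>). The path /opt/jupyterhub/OAuth/whitelist is taken from the thread; the `#` comment syntax, the case-insensitive comparison, the environment variable names and the hub API URL are assumptions for this example, and the sample whitelist lines in the test are constructed.

```python
"""Added example, not the original posters' code: file-backed whitelist for JupyterHub.

Assumptions (not from the thread): the whitelist lives at WHITELIST_PATH with one
name or email per line, '#' starts a comment, names compare case-insensitively,
and hub REST calls use an API token with admin rights.
"""
import json
import os
import urllib.parse
import urllib.request

WHITELIST_PATH = "/opt/jupyterhub/OAuth/whitelist"  # location used in the thread


def parse_whitelist(lines):
    """Return the set of allowed names from an iterable of whitelist lines.

    Blank lines and '#' comments are ignored; only the first whitespace-separated
    column counts (extra columns such as a role are allowed), and names are
    lower-cased because email addresses are case-insensitive in practice.
    """
    allowed = set()
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        allowed.add(line.split()[0].lower())
    return allowed


def load_whitelist(path=WHITELIST_PATH):
    # Re-read on every call so edits take effect without a hub restart.
    with open(path) as f:
        return parse_whitelist(f)


def is_allowed(username, allowed):
    return username.lower() in allowed


def check_user_access(spawner):
    """pre_spawn_hook: refuse to spawn for users not on the current whitelist.

    Raising makes the spawn fail and records the reason in the hub log.
    """
    name = spawner.user.name
    if not is_allowed(name, load_whitelist()):
        raise PermissionError("user %r is not on the whitelist" % name)


def stale_users(hub_user_names, allowed):
    """Users already in the hub database that are no longer whitelisted.

    These are the users the earlier reply describes: removing them from the
    whitelist file alone does not stop them logging in.
    """
    return sorted(n for n in hub_user_names if not is_allowed(n, allowed))


def _auth_request(hub_api_url, token, path, method="GET"):
    req = urllib.request.Request(hub_api_url.rstrip("/") + path, method=method)
    req.add_header("Authorization", "token %s" % token)
    return req


def delete_user_request(hub_api_url, token, username):
    """Build the DELETE /hub/api/users/<name> request for one stale user."""
    return _auth_request(hub_api_url, token,
                         "/users/" + urllib.parse.quote(username), method="DELETE")


def list_hub_users(hub_api_url, token):
    """GET /hub/api/users and return the user names the hub knows about."""
    with urllib.request.urlopen(_auth_request(hub_api_url, token, "/users")) as resp:
        return [u["name"] for u in json.load(resp)]


def purge_stale_users(hub_api_url, token, path=WHITELIST_PATH):
    """Delete every hub user that is not on the whitelist; returns their names."""
    removed = stale_users(list_hub_users(hub_api_url, token), load_whitelist(path))
    for name in removed:
        urllib.request.urlopen(delete_user_request(hub_api_url, token, name))
    return removed


if __name__ == "__main__":
    # Assumed env vars, e.g. JUPYTERHUB_API_URL=http://hub:8081/hub/api
    print(purge_stale_users(os.environ["JUPYTERHUB_API_URL"],
                            os.environ["JUPYTERHUB_API_TOKEN"]))

# In jupyterhub_config.py (or hub.extraConfig in the Helm values):
# c.Spawner.pre_spawn_hook = check_user_access
```

Run purge_stale_users from a cron job or a hub service after every whitelist change; the pre-spawn hook then covers the window between a removal and the next purge.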