We had a similar use case, this worked for us:
from jupyterhub.auth import PAMAuthenticator
class RefreshingPAMAuthenticator(PAMAuthenticator):
async def refresh_user(self, user, handler=None):
self.log.debug(f"RefreshingPAMAuthenticator refresh_user for {user.name}")
return False
c.JupyterHub.authenticator_class = RefreshingPAMAuthenticator
c.RefreshingPAMAuthenticator.auth_refresh_age = 300
The code above will every user to login after 300 seconds. Change the age as needed.
We’ve added extra logic in the refresh_user function to refresh kerberos tickets, and only force the login once they are expired and not refreshable anymore