How to get user's scope from a hub-managed service?

JupyterHub
,
1

Hi all,

I’m converting this plugin GitHub - plasmabio/tljh-repo2docker: Plugin for The Littlest JupyterHub to build multiple user environments with repo2docker into a hub service.
I follow the documentation here (Scopes in JupyterHub — JupyterHub documentation) to create an admin scope for my service:

#jupyterhub_config.py

c.JupyterHub.custom_scopes = {
    "custom:admin:tljh_repo2docker": {
        "description": "Admin access to myservice",
    },
}

c.JupyterHub.load_roles = [
    {
        "name": 'service-admin',
        "scopes":["custom:admin:tljh_repo2docker"],
        "users": ["alice"]
    }
]

Then in my handler, I fetch the user model with:

class BaseHandler(HubOAuthenticated, web.RequestHandler):

    async def fetch_user(self) -> UserModel:
        user = self.current_user
        print(users)

The returned user model is just:

{
    "kind": "user",
    "groups": [],
    "admin": true,
    "name": "alice",
    "session_id": "e534e0fc9ffa48d28e524089dc8b9a42",
    "scopes": [
        "access:services!service=tljh_repo2docker",
        "read:users:groups!user=alice",
        "read:users:name!user=alice"
    ]
}

Do you know how can I get the custom scope that I assigned to user alice?

2

What scopes/permissions are assigned to your service?

3

The scopes requested by the service and ultimately assigned to oauth tokens when users visit the service are governed by oauth_client_allowed_scopes. By default, it’s just enough to identify the user, not take any action on their behalf, but you can request more:

c.JupyterHub.services = [
    {
        "name": "tljh-srvice",
        "oauth_client_allowed_scopes": [
            "custom:admin:tljh_repo2docker",
        ],
    },
]

Note: you will be granted a subset of the requested scopes, so you still have to check what scopes a request is made with.

4

Thank @manics and @minrk, updating the service config with oauth_client_allowed_scopes makes it work nicely!