Hi all,
I seem unable to find any documentation on how to use the refresh token issued together with an oauth access token to actually refresh the token. I’d assume that this happens through another POST request to the token endpoint, but I don’t know which parameters I have to provide for this to work. Any help or link to an example would be great!
Which Authenticator are you using?
JupyterHub doesn’t issue refresh tokens at this point. Are you perhaps thinking of the OAuth provider used to login to jupyterhub (It’s confusing, but there are usually two OAuth providers involved here - your OAuthenticator that users login with, assuming you are using an OAuth source of users, and JupyterHub itself, which acts as an OAuth provider for notebook servers).
If you are asking about refreshing the token stored in auth_state, this would be implemented in Authenticator.refresh_user
, which would need to make the appropriate requests to the OAuth provider.
Hi @minrk,
thanks a lot for your answer. I’m thinking of JupyterHub as an OAuth provider. We are indeed using GitLab for logging into JupyterHub, but that’s not what I was talking about.
I did look into the code in the meantime and I also concluded that refreshing OAuth access tokens is not yet implemented and that the OAuth access tokens do not expire. Is this correct?
Correct, but…
JupyterHub has two kinds of tokens: OAuth access tokens, and API tokens. OAuth access tokens should expire by default at one hour (they do not yet, but will in the next release). API tokens support expiry, but do not expire by default. OAuth access tokens are used in the cookies for browser authentication to a given server. API tokens are used for e.g. the server itself to call back to the Hub (for example, completing the oauth flow to issue these oauth tokens).
I do eventually want to merge these and eliminate the distinction. Tasks involved in that:
- define OAuth scopes for APIs
- implement scope-based auth for token-authenticated requests
- implement refresh_token mechanism and use it in jupyterhub-singleuser
- enable token expiry by default
Cool - thanks a lot for the explanation. Looking forward to those improvements!