Is it possible to avoid exposing token in GET parameter in JupyterHub

Hi everyone,

We’re deploying JupyterHub in our organization, and one of the requirements is to pass a penetration test. The testing has one finding: sensitive information passed as a GET parameter, and we don’t have a clue how to fix it.

To reproduce the issue, just try to visit some non-existent page: /user/<user_id>/notexists; the returned page will then contain some link with a ‘token’ parameter like /user/<user_id>/lab?token=xxxxx.

After some searching I believe this is documented here: Security in the Jupyter Server — Jupyter Server documentation. It seems the token is used to authenticate to the underlying jupyter-server?

We’re using SAML to authenticate users in the hub. So I want to know more about the process after authentication, and how the token gets generated and passed around between the components (e.g. the hub and the single-user server). And most importantly, is it possible to avoid exposing the token in the URL?

Could someone help me please? Thanks in advance.

1 Like

The token probably shouldn’t be there in that link. A custom template can be used to remove it, but it’s not in a small overrideable block, so you would have to override the whole page.html template, which you can do. Removed here.

In JupyterHub, this token is issued when the user visits the server after successful authentication via oauth, and stored (encrypted) in a cookie. The token you see on the page is the token stored in the same browser’s cookie, and is different for every visitor to the server. It is the token with which JupyterLab authenticates all API requests, typically via the Authorization: Bearer <token> header. More information on JupyterHub’s oauth tokens is in the docs.

1 Like
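As an added example (not from this thread or from the JupyterHub project), here is a small check you can run over a fetched error page to confirm that, after overriding the template, no link still carries a `token` query parameter. The sample HTML is constructed to mirror the finding above, and the function names are my own.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs, urlencode, urlunsplit

# Constructed sample: an error page of the kind the finding describes,
# with one link still carrying a token query parameter.
SAMPLE_404 = """
<html><body>
<a href="/user/alice/lab?token=abc123def456">Open JupyterLab</a>
<a href="/user/alice/tree">File browser</a>
<a href="/hub/home">Hub</a>
</body></html>
"""

# Query parameters that must never appear in a link on a served page.
SENSITIVE_PARAMS = {"token"}


class LinkCollector(HTMLParser):
    """Collect href values from <a> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def find_token_links(html):
    """Return the hrefs whose query string carries a sensitive parameter."""
    parser = LinkCollector()
    parser.feed(html)
    leaks = []
    for href in parser.hrefs:
        query = parse_qs(urlsplit(href).query)
        if SENSITIVE_PARAMS & set(query):
            leaks.append(href)
    return leaks


def strip_token(href):
    """Rewrite an href with sensitive parameters removed, so the report itself does not log the secret."""
    parts = urlsplit(href)
    kept = {k: v for k, v in parse_qs(parts.query).items() if k not in SENSITIVE_PARAMS}
    return urlunsplit(parts._replace(query=urlencode(kept, doseq=True)))


if __name__ == "__main__":
    for href in find_token_links(SAMPLE_404):
        print("token in URL:", strip_token(href))
```

Feed it the body of a real response to a non-existent path under /user/<user_id>/ and an empty result means the finding no longer reproduces on that page.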

@minrk Thank you so much. Let me check.