Make user login again if cookies are expired

Following up on this GitHub issue, since it seems to be expected behaviour.

Since tokens and cookies operate independently, an expired or deleted cookie does not directly cause a token to expire. I was wondering if we can make users log in again before they are allowed to execute more code on the single-user server if the cookie is expired or doesn’t exist.

Thanks!

Depending on what exactly you want to achieve, you could try setting
c.JupyterHub.oauth_token_expires_in or configuring the refresh user options.


From the video in Show pop up to login again if cookies are expired · Issue #17103 · jupyterlab/jupyterlab · GitHub I think this is about open websocket connections not needing to re-authorize if credentials have expired/been revoked because credentials are only needed to open the initial connection. In the example, I think all credentials are properly unavailable and refreshing the page will result in all the correct unauthenticated behavior.

The server might be able to periodically re-validate websocket request credentials and close the connection if they stop validating. I’m not sure how easy that will be, given how authentication works (there are no new requests associated with the websocket connection, and tokens are not sent with messages, only with the initial connection; the initial connection may be cookie-authenticated, not token-authenticated, and there is no good way on the server to check if the cookie sent a while ago has been revoked or expired).

The client might be able to close the connection when other requests fail, but that’s not really a security measure, since a client could just as easily not do that.
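The server-side option described above, as an added example that is not Jupyter Server or JupyterLab code: an already-open connection is only authenticated once, so a watchdog re-checks the credential on a timer and closes the session when it expires or is revoked. The token store, the session object and the timing values are all constructed for the example; in a real server the equivalent loop would live in the websocket handler and consult the hub's token table.

```python
"""Periodic re-validation of an already-open websocket session (added example).

The credential is checked when the socket opens and never again, so a timer
must re-check it and close the connection when it stops validating.  The
TokenStore and Session classes are constructed stand-ins, not Jupyter code.
"""
import asyncio
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class TokenStore:
    """Constructed stand-in for the hub's token table: token -> expiry (monotonic seconds)."""
    expires_at: Dict[str, float] = field(default_factory=dict)
    revoked: Set[str] = field(default_factory=set)

    def is_valid(self, token: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        if token in self.revoked:
            return False
        exp = self.expires_at.get(token)
        return exp is not None and now < exp

    def revoke(self, token: str) -> None:
        """Admin-side revocation while sessions may still be open."""
        self.revoked.add(token)


@dataclass
class Session:
    """Minimal stand-in for a websocket connection authenticated at open time."""
    token: str
    open: bool = True
    close_reason: Optional[str] = None

    def close(self, reason: str) -> None:
        self.open = False
        self.close_reason = reason


async def revalidate_loop(session: Session, store: TokenStore, interval: float) -> Optional[str]:
    """Re-check the session's credential every `interval` seconds.

    Closes the session and returns the reason as soon as the credential stops
    validating; returns None if the session was closed by the peer while valid.
    """
    while session.open:
        if not store.is_valid(session.token):
            session.close("credential no longer valid")
            return session.close_reason
        await asyncio.sleep(interval)
    return None


async def demo_expiry() -> Tuple[Optional[str], bool]:
    """Token expires while the socket is open; the loop must close it."""
    store = TokenStore()
    store.expires_at["tok-A"] = time.monotonic() + 0.15  # constructed: expires in 150 ms
    session = Session(token="tok-A")
    reason = await revalidate_loop(session, store, interval=0.05)
    return reason, session.open


async def demo_revocation() -> Tuple[Optional[str], bool]:
    """Token is revoked by an admin mid-session; the loop must close it."""
    store = TokenStore()
    store.expires_at["tok-B"] = time.monotonic() + 3600  # constructed: long-lived token
    session = Session(token="tok-B")
    task = asyncio.create_task(revalidate_loop(session, store, interval=0.05))
    await asyncio.sleep(0.1)
    store.revoke("tok-B")
    reason = await task
    return reason, session.open


def run_demos():
    """Run both scenarios; each returns (close_reason, still_open)."""
    return asyncio.run(demo_expiry()), asyncio.run(demo_revocation())


if __name__ == "__main__":
    print(run_demos())
```

The interval is a trade-off: a short one bounds how long a revoked session keeps running code, a long one reduces load on the token table. Note that this only helps for token-authenticated sockets; as the reply points out, a cookie-authenticated socket gives the server nothing it can re-check.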

Thanks both!

My question was related to minrk's response, but it looks like it might be tricky to implement. Indeed, after a reload it asks for login again.

Not really a security concern, since we can just shut down the server from the admin panel if we find anything suspicious. We just found that we get an increase in 403 warnings after credentials expire (after a day in our case, according to company policy), but some users might be using their server for longer than that, and there is no really good way to renew their credentials from JupyterLab, like a pop-up asking them to log in again.

Warnings include:

403 GET /user/<user>/api/kernels (@<IP>) 1.57ms
403 GET /user/<user>/api/events/subscribe (@<IP>) 2.54ms

Not sure if the following trace belongs to the two warnings but I get:

Traceback (most recent call last):
  File "/opt/nbt/venvs/jupyter-server/lib/python3.10/site-packages/tornado/web.py", line 1788, in _execute
    result = method(*self.path_args, **self.path_kwargs)
  File "/opt/nbt/venvs/jupyter-server/lib/python3.10/site-packages/tornado/web.py", line 3289, in wrapper
    url = self.get_login_url()
  File "/opt/nbt/venvs/jupyter-server/lib/python3.10/site-packages/jupyterhub/singleuser/extension.py", line 146, in get_login_url
    login_url = original_get_login_url()
  File "/opt/nbt/venvs/jupyter-server/lib/python3.10/site-packages/jupyter_server/base/handlers.py", line 783, in get_login_url
    raise web.HTTPError(403)
tornado.web.HTTPError: HTTP 403: Forbidden

Everything keeps working, but I’m guessing it is forbidden since the credentials are expired.
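Since the symptom of an expired session in the post above is a run of 403 warnings on the single-user server's API endpoints, the following added example (not part of the thread or of Jupyter) parses log lines in that shape and flags users whose server keeps being denied, which is the signal an admin would use before shutting the server down from the admin panel. The log lines, user names and IPs are constructed.

```python
"""Flag single-user servers that keep hitting 403 after credentials expire (added example)."""
import re
from collections import Counter, defaultdict
from typing import Dict, Optional, Set

# Constructed log lines in the shape of the warnings quoted in the post above.
SAMPLE_LOG = """\
403 GET /user/alice/api/kernels (@10.0.0.5) 1.57ms
403 GET /user/alice/api/events/subscribe (@10.0.0.5) 2.54ms
403 GET /user/alice/api/kernels (@10.0.0.5) 1.21ms
200 GET /user/bob/api/kernels (@10.0.0.7) 3.10ms
403 GET /user/bob/api/contents (@10.0.0.7) 1.90ms
this line is not a request log and must be ignored
"""

LINE_RE = re.compile(
    r"^(?P<status>\d{3}) (?P<method>[A-Z]+) /user/(?P<user>[^/\s]+)(?P<path>/\S*) "
    r"\(@(?P<ip>[^)]+)\) (?P<ms>[\d.]+)ms$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ms"] = float(rec["ms"])
    return rec


def stale_sessions(log_text: str, threshold: int = 2) -> Dict[str, Dict[str, object]]:
    """Return users with at least `threshold` 403 responses, with the paths and IPs seen.

    Repeated 403s from the same client on /api/kernels or /api/events/subscribe
    are what a page left open past credential expiry looks like from the server.
    """
    counts: Counter = Counter()
    paths: Dict[str, Set[str]] = defaultdict(set)
    ips: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 403:
            continue
        counts[rec["user"]] += 1
        paths[rec["user"]].add(rec["path"])
        ips[rec["user"]].add(rec["ip"])
    return {
        user: {"forbidden": n, "paths": sorted(paths[user]), "ips": sorted(ips[user])}
        for user, n in counts.items()
        if n >= threshold
    }


if __name__ == "__main__":
    for user, info in stale_sessions(SAMPLE_LOG).items():
        print(f"{user}: {info['forbidden']} x 403 on {info['paths']} from {info['ips']}")
```

A threshold of two or three in a short window is enough to separate a stale tab from a single mistyped request; pairing the user with the source IP also shows whether the denials come from one forgotten browser session or from several clients.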