OAuthenticator 16 is released

A new major version of OAuthenticator has been released with significant changes. Make sure to read the changelog before upgrading!

Hello @consideRatio and thanks to you and all contributors for this new release!

My GitLab OAuth no longer worked starting from OAuthenticator version 16.

This was my configuration:

from oauthenticator.gitlab import GitLabOAuthenticator
authenticator = GitLabOAuthenticator
authenticator.client_id = "*************************"
authenticator.client_secret = "******************"
authenticator.oauth_callback_url = "https://jupyterhub.mydomain.fr/hub/oauth_callback"
# Scope is the minimum set of permissions needed for jupyterhub.
authenticator.scope = ["openid", "read_user", "read_api"]
c.JupyterHub.authenticator_class = authenticator

I have nothing useful in the logs:

[W 2023-07-07 13:24:10.420 JupyterHub auth:533] User '****' not allowed.
[W 2023-07-07 13:24:10.421 JupyterHub base:841] Failed login for unknown user

But I think it’s related to https://github.com/jupyterhub/oauthenticator/pull/594. So I added the line authenticator.allowed_gitlab_groups = {"My-Group"} and now it works again. Maybe I missed something but I don’t see anything in the changelog about this.

The PR that was breaking in your case was https://github.com/jupyterhub/oauthenticator/pull/625. In your config you had not configured explicitly what users to allow, so all users were allowed by default. In oauthenticator 16 that has to be declared explicitly with allow_all = True.

Maybe I missed something but I don’t see anything in the changelog about this.

Nice catch, I agree, there is nothing there saying that allow_all is required to allow all authenticated users! I’ll try to patch the changelog, thank you so much for writing about this @Bastiencoco!!

Updated in docs: update v16 changelog to capture missed change about allow_all by consideRatio · Pull Request #651 · jupyterhub/oauthenticator · GitHub, where 16.0.3 is made to include this documentation fix.

Maybe the example in the doc should be updated too @consideRatio: GitLab Setup — OAuthenticator, what do you think?
Or a note, something like “Default behavior is to block every user. You must set allow_all or allowed_gitlab_groups or …, check out the documentation for more information…”

Just a note for those using the new oauthenticator version 16.0.7 on jupyterhub version 3.1.1 in CentOS 7.x, if the LocalAzureAdOAuthenticator is not allowing login for normal users with messages like below:
[W 2023-09-21 10:42:43.684 JupyterHub auth:532] User 'my.userid' not allowed.
[W 2023-09-21 10:42:43.684 JupyterHub base:825] Failed login for unknown user

Then the fix was to add the parameter in the /etc/jupyterhub/jupyterhub_config.py under the authentication section:
c.AzureAdOAuthenticator.allow_all = True

This parameter was not required in earlier oauthenticator versions before 16.x.
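
A pre-upgrade check for the situation discussed in this thread, as an added example that is not part of any post above and not OAuthenticator's own code: it statically scans a `jupyterhub_config.py` for an explicit allow rule, so a config that relied on the old allow-everyone default is caught before users see "not allowed". The function names, the sample configs and the heuristic (any attribute named `allow_all` or starting with `allowed_`) are assumptions made for this sketch.

```python
import ast

# Constructed sample: the pre-16 config style from the thread (secrets omitted).
CONFIG_WITHOUT_ALLOW = '''
from oauthenticator.gitlab import GitLabOAuthenticator
authenticator = GitLabOAuthenticator
authenticator.scope = ["openid", "read_user", "read_api"]
c.JupyterHub.authenticator_class = authenticator
'''
# Constructed variants carrying the two fixes mentioned in the thread.
CONFIG_WITH_GROUP = CONFIG_WITHOUT_ALLOW + 'authenticator.allowed_gitlab_groups = {"My-Group"}\n'
CONFIG_ALLOW_ALL = CONFIG_WITHOUT_ALLOW + 'c.GitLabOAuthenticator.allow_all = True\n'


def find_allow_rules(config_source):
    """Return {attribute: value} for each non-empty allow rule assigned in the config.

    Heuristic (assumption): an allow rule is an assignment to an attribute named
    `allow_all` or starting with `allowed_` (allowed_users, allowed_gitlab_groups, ...).
    """
    rules = {}
    for node in ast.walk(ast.parse(config_source)):
        if not isinstance(node, ast.Assign):
            continue
        for target in node.targets:
            if not isinstance(target, ast.Attribute):
                continue
            name = target.attr
            if name != "allow_all" and not name.startswith("allowed_"):
                continue
            try:
                value = ast.literal_eval(node.value)
            except (ValueError, TypeError):
                value = "<non-literal>"  # computed at runtime; counted as set
            if value:  # False or an empty set/list grants access to nobody
                rules[name] = value
    return rules


def denies_everyone(config_source):
    """True when no explicit allow rule was found in the config source."""
    return not find_allow_rules(config_source)


if __name__ == "__main__":
    for label, src in [("no allow rule", CONFIG_WITHOUT_ALLOW),
                       ("group rule", CONFIG_WITH_GROUP),
                       ("allow_all", CONFIG_ALLOW_ALL)]:
        print(f"{label}: {find_allow_rules(src) or 'NO ALLOW RULE, logins will be refused'}")
```

A hit on `allow_all = True` is worth a second look during review: it admits every account the identity provider can authenticate, so a group or user allow list is the narrower choice when one applies.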