OAuthenticator 16 is released

A new major version of OAuthenticator has been released with significant changes, make sure to read the changelog before upgrading!

1 Like

Hello @consideRatio and thank to you and all contributors for this new release !

My gitlab oauth no longer worked starting from OAuthenticator version 16.

This was my configuration :

from oauthenticator.gitlab import GitLabOAuthenticator
authenticator = GitLabOAuthenticator
authenticator.client_id = "*************************"
authenticator.client_secret = "******************"
authenticator.oauth_callback_url = "https://jupyterhub.mydomain.fr/hub/oauth_callback"
# Scope is the minimum set of permissions needed for jupyterhub.
authenticator.scope = ["openid", "read_user", "read_api"]
c.JupyterHub.authenticator_class = authenticator

I have nothing useful in the logs :

[W 2023-07-07 13:24:10.420 JupyterHub auth:533] User '****' not allowed.
[W 2023-07-07 13:24:10.421 JupyterHub base:841] Failed login for unknown user

But, I think it’s related to https://github.com/jupyterhub/oauthenticator/pull/594 . So I added the line authenticator.allowed_gitlab_groups = {"My-Group"} and now it works again. Maybe I missed something but I don’t see anything in the changelog about this.

The PR that was breaking in your case was [All] breaking, add allow_all config defaulting to False (CILogon: require allowed_idps) by consideRatio · Pull Request #625 · jupyterhub/oauthenticator · GitHub. In your config you had not configured explicitly what users to allow, so all users were allowed by default. In oauthenticator 16 that has to be declared explicitly with allow_all = True.

Maybe I missed something but I don’t see anything in the changelog about this.

Nice catch, I agree, there is nothing there saying that allow_all is required to allow all authenticated users! I’ll try patch the changelog, thank you soo much for writing about this @Bastiencoco!!

Updated in docs: update v16 changelog to capture missed change about allow_all by consideRatio · Pull Request #651 · jupyterhub/oauthenticator · GitHub, where 16.0.3 is made to include this documentation fix.

1 Like

Maybe the example in the doc should be updated @consideRatio too : GitLab Setup — OAuthenticator , what do you think ?
Or a note, something like “Default behavior is to block every users. You must set allow_all or allowed_gitlab_groups or …, checkout the documentation for more information…”

Just a note for those using the new oauthenticator version 16.0.7 on jupyterhub version 3.1.1 in centos 7.x, if the LocalAzureAdOAuthenticator is not allowing login for normal users with messages like below:
[W 2023-09-21 10:42:43.684 JupyterHub auth:532] User ‘my.userid’ not allowed.
[W 2023-09-21 10:42:43.684 JupyterHub base:825] Failed login for unknown user

Then the fix was to add the parameter in the /etc/jupyterhub/jupyterhub_config.py under the authentication section:
c.AzureAdOAuthenticator.allow_all = True

This parameter was not required in earlier oauthenticator versions before 16.x.