[read.servers] not authorized when using ldap authenticator and systemdspawner:

We have a jupyterhub instance set up using ldap authenticator and systemdspawner.

Since updating our jupyterhub, our users can still create servers, but are stuck on the login screen because they seem to lack the [read: servers] scope.
Also they are no longer able to stop their server because they miss the [delete:servers] scope.

The error also occurs without using a reverse proxy.

It is unclear to me how I can assign these scopes to all users. Is there a default group I can use, is there a way to add these scopes in either ldapauthenticator or systemdspawner?

c.JupyterHub.ip = '0.0.0.0'
c.JupyterHub.port = 8080
c.JupyterHub.base_url = 'xxx'

c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'

c.LDAPAuthenticator.server_address = 'xx'

c.LDAPAuthenticator.bind_dn_template = [
    "uid={username},ou=people,xxx"
]

c.LDAPAuthenticator.allowed_groups = [
    "xxx"
]

c.JupyterHub.spawner_class = 'systemdspawner.SystemdSpawner'

c.SystemdSpawner.mem_limit = '16G'
c.SystemdSpawner.cpu_limit = 2.0
c.SystemdSpawner.isolate_tmp = True
c.SystemdSpawner.isolate_devices = True
c.SystemdSpawner.disable_user_sudo = True
c.SystemdSpawner.dynamic_users = True
c.SystemdSpawner.cmd = ['/opt/jupyter-spawner-hook.sh']

c.SystemdSpawner.extra_paths = [
    '/opt/conda/bin',
]

c.Spawner.default_url = '/lab'

# still not working correctly
c.FileContentsManager.delete_to_trash = True
c.FileContentsManager.always_delete_dirBool = True

# fixes https://github.com/jupyterhub/systemdspawner/issues/76
c.SystemdSpawner.unit_extra_properties = {'RuntimeDirectoryPreserve': 'no'}

Looks like my initial analysis was wrong and that this is a reverse proxy issue anyway.

I was hit by this issue: Disable CORS scheme and port validation inside JupyterHub · Issue #4056 · jupyterhub/jupyterhub · GitHub