RFC: links with authentication (?token=...) to JupyterHub

The separation of single-user and hub authentication has been both a convenience and a problem. There are various circumstances where "logging out" from the Hub itself may not immediately log you out from a single-user session (see the latest security advisory for JupyterHub 1.5.0).

A session id is used to invalidate tokens for a single browser session, and in most cases visiting logout will indeed log you out everywhere, but the session id is only used for invalidation; it is not enforced. Only the tokens themselves are checked. This means that if your single-user cookie is associated with a different session id or no session id (there are various ways for this to happen), it will still be accepted until you log out explicitly from the single-user server, or the oauth token expires.

I would like to make logout more reliable by adding enforcement of the session id, such that changing or clearing the session id would immediately invalidate all cookie-based authentication, whether or not the cookies contain valid tokens. However, there is one supported use case that runs afoul of this change: giving users a link to their server with token credentials: https://hub.example/user/name/lab?token=abc123. That works now, because the single-user auth persists tokens passed from the URL into a cookie. However, no session id is set in this case, so session id enforcement would prevent the cookies used on subsequent requests from being accepted.

I’d like to solicit feedback from folks who use this pattern, so we can get a sense of the best path forward:

  • would a supported hub endpoint, like /hub/login?token=...&next=/hub/user-redirect/..., be sufficient, so that it requires you to log in to the hub itself?
  • For deployments that use these links, is decoupling from Hub auth desirable such that turning off strict_session_id via an option is sufficient?

I’ve drafted a proposal here: Strict session id checking by minrk · Pull Request #3683 · jupyterhub/jupyterhub · GitHub

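The difference between "session id used for invalidation" and "session id enforced", as an added illustration that is not part of the post above and not JupyterHub's own code. It is a toy model: `AuthStore`, `Cookie`, `accept`, `hub_login`, `url_token_login`, `hub_login_with_token` and the `strict_session_id` flag are names assumed for this example, and the store is an in-memory dict rather than the Hub's database. It reproduces the cases the post describes: a cookie whose token was minted under a logged-out session is rejected either way, but a cookie carrying a still-valid token with no session id (the `?token=...` link case) or with a different session id is accepted in the lenient mode and rejected only under strict checking; logging in to the Hub itself with the token, as the first bullet proposes, binds the token to a session and so survives strict checking.

```python
"""Toy model of cookie-token auth with and without strict session-id checking.

Added example, not JupyterHub code. All class and function names here are
assumptions made for the illustration.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Cookie:
    token: str
    session_id: Optional[str]  # None models a cleared or never-set session-id cookie


@dataclass
class AuthStore:
    tokens: dict = field(default_factory=dict)   # token -> session id it was issued under
    sessions: set = field(default_factory=set)   # live browser session ids

    def hub_login(self) -> Cookie:
        """Normal Hub login: mint a session id and a token bound to it."""
        sid = secrets.token_hex(8)
        tok = secrets.token_hex(16)
        self.sessions.add(sid)
        self.tokens[tok] = sid
        return Cookie(tok, sid)

    def url_token_login(self, token: str) -> Cookie:
        """A ?token=... link: the single-user server persists the token into a
        cookie, but no session id is set (the case the post describes)."""
        self.tokens[token] = None
        return Cookie(token, None)

    def hub_login_with_token(self, token: str) -> Cookie:
        """The proposed supported path, /hub/login?token=...&next=...: the user
        logs in to the Hub itself, so the token gets a session id."""
        sid = secrets.token_hex(8)
        self.sessions.add(sid)
        self.tokens[token] = sid
        return Cookie(token, sid)

    def hub_logout(self, session_id: str) -> None:
        """Invalidation path: drop the session and every token issued under it."""
        self.sessions.discard(session_id)
        for tok in [t for t, s in self.tokens.items() if s == session_id]:
            del self.tokens[tok]

    def accept(self, cookie: Cookie, strict_session_id: bool = False) -> bool:
        """Lenient mode checks only the token; strict mode also requires the
        cookie's session id to be present, live, and the one the token was
        issued under."""
        if cookie.token not in self.tokens:
            return False
        if not strict_session_id:
            return True
        sid = cookie.session_id
        return sid is not None and sid in self.sessions and self.tokens[cookie.token] == sid


def demo() -> dict:
    """Run the scenarios from the post in both modes; returns {name: accepted}."""
    store = AuthStore()
    r = {}
    # 1. Hub login followed by Hub logout: token revoked, rejected either way.
    c = store.hub_login()
    store.hub_logout(c.session_id)
    r["logout_lenient"], r["logout_strict"] = store.accept(c), store.accept(c, True)
    # 2. Token from a ?token= link: valid token, no session id.
    c2 = store.url_token_login("abc123")  # constructed token value
    r["url_lenient"], r["url_strict"] = store.accept(c2), store.accept(c2, True)
    # 3. Token issued under a live session, but the cookie's session id was cleared.
    c3 = store.hub_login()
    detached = Cookie(c3.token, None)
    r["cleared_lenient"], r["cleared_strict"] = store.accept(detached), store.accept(detached, True)
    # 4. Same token, cookie carries a different (live) session's id.
    other = store.hub_login()
    swapped = Cookie(c3.token, other.session_id)
    r["swapped_lenient"], r["swapped_strict"] = store.accept(swapped), store.accept(swapped, True)
    # 5. Token passed through Hub login instead: bound to a session, so strict mode accepts,
    #    and Hub logout then revokes it.
    c5 = store.hub_login_with_token("def456")  # constructed token value
    r["hub_token_strict"] = store.accept(c5, True)
    store.hub_logout(c5.session_id)
    r["hub_token_after_logout_strict"] = store.accept(c5, True)
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:32s} {'accepted' if ok else 'rejected'}")
```

Scenarios 2 through 4 are the ones strict checking changes: in each the token itself is still valid, so the lenient check lets the cookie through, while the strict check rejects it because the session id is missing or does not match. Scenario 5 shows why routing the link through Hub login keeps the token-link workflow working under strict checking.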