Role and scope doesn't seem to be taking effect

When I try to call the hub/api/info endpoint using my user’s API token, the logs show:

[D 2022-08-15 15:29:32.822 JupyterHub scopes:301] Authenticated with token <APIToken('0RWN...', user='adpatter', client_id='jupyterhub-user-adpatter')>
[D 2022-08-15 15:29:32.823 JupyterHub scopes:491] Checking access via scope read:hub
[D 2022-08-15 15:29:32.823 JupyterHub scopes:386] No access to /hub/api/info via read:hub
[W 2022-08-15 15:29:32.824 JupyterHub scopes:499] Not authorizing access to /hub/api/info. Requires any of [read:hub], not derived from scopes [access:servers!server=adpatter/]
[W 2022-08-15 15:29:32.824 JupyterHub web:1796] 403 GET /hub/api/info (10.0.19.181): Action is not authorized with current scopes; requires any of [read:hub]
[W 2022-08-15 15:29:32.825 JupyterHub log:189] 403 GET /hub/api/info (adpatter@10.0.19.181) 13.53ms

However, I have my roles configured like this:

# SERVICE_NAME is defined elsewhere in the poster's jupyterhub_config.py;
# the /hub/api/user output further down shows it resolves to 'shared-notebook'.
SERVICE_NAME = 'shared-notebook'

c.JupyterHub.load_roles = [
    {
        'name': SERVICE_NAME,
        'groups': [SERVICE_NAME],
        'services': [SERVICE_NAME],
        'scopes': ['read:hub', f'access:services!service={SERVICE_NAME}']
    },
    {
        'name': 'user_role',
        'users': ['adpatter'],
        'scopes': ['read:hub']
    }
]

It is my understanding that the read:hub scope should permit reading from the API endpoint.

Does anyone have any ideas for why this isn’t working?

Thank you.

When I look at /hub/api/user for adpatter, I see this:

{'admin': True, 'groups': ['shared-notebook'], 'name': 'adpatter', 'kind': 'user', 'session_id': '4200c8c742f042efabae1b571941da15', 'scopes': ['access:services!service=shared-notebook']}

adpatter is a member of the SERVICE_NAME group; however, it appears that the user only got one of the assigned scopes. It’s not clear to me why this is happening.

Are you using the token from the JUPYTERHUB_API_TOKEN environment variable in a singleuser server, or are you creating a new one (Understanding token scope difference)?


I think what you want to set is the service.oauth_roles (more finely tuned as service.oauth_client_allowed_scopes in jupyterhub 3.0). This designates the permissions of the oauth tokens issued by the service. These are the tokens a user uses to talk to services, and represent the actions a service is allowed to take on an authenticated user’s behalf. The default is to only allow talking to the service itself.
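To make the distinction in the reply above concrete, here is a small, simplified model of how an OAuth token issued through a service ends up with its scopes and how the hub's "requires any of [...]" check behaves against them. This is an added illustration written for this thread, not JupyterHub's own code: the role list is the poster's, the `shared-notebook-oauth` role and the `oauth_token_scopes` helper are assumptions (the real hub also expands scopes such as `admin:users` into sub-scopes, which this model omits), and the rule that a token never holds a scope its owner lacks is the assumed cap.

```python
"""Simplified model of JupyterHub token scopes (added example, not JupyterHub code)."""

SERVICE_NAME = "shared-notebook"  # service name seen in the thread's /hub/api/user output

# The poster's two roles, plus an assumed role that the service's
# `oauth_roles` setting can reference so issued tokens gain `read:hub`.
ROLES = [
    {
        "name": SERVICE_NAME,
        "groups": [SERVICE_NAME],
        "services": [SERVICE_NAME],
        "scopes": ["read:hub", f"access:services!service={SERVICE_NAME}"],
    },
    {"name": "user_role", "users": ["adpatter"], "scopes": ["read:hub"]},
    # assumed: referenced from c.JupyterHub.services[...]["oauth_roles"]
    {
        "name": f"{SERVICE_NAME}-oauth",
        "scopes": ["read:hub", f"access:services!service={SERVICE_NAME}"],
    },
]


def split_scope(scope):
    """'access:servers!server=adpatter/' -> ('access:servers', 'server=adpatter/')."""
    base, _, flt = scope.partition("!")
    return base, (flt or None)


def scope_grants(held, required):
    """A held scope satisfies a required one when the names match and the held
    scope is either unfiltered or carries exactly the required filter."""
    held_base, held_filter = split_scope(held)
    req_base, req_filter = split_scope(required)
    return held_base == req_base and (held_filter is None or held_filter == req_filter)


def has_access(token_scopes, required_any):
    """Mirror of the log line 'Requires any of [...]': any match is enough."""
    return any(scope_grants(h, r) for r in required_any for h in token_scopes)


def user_scopes(username, groups, roles):
    """Scopes the user holds directly or through group membership."""
    out = set()
    for role in roles:
        if username in role.get("users", []) or set(groups) & set(role.get("groups", [])):
            out.update(role["scopes"])
    return out


def oauth_token_scopes(service, username, groups, roles, oauth_roles=()):
    """Assumed model: a token issued by `service` starts with access to that
    service only, gains the scopes of any `oauth_roles`, and is capped at the
    scopes its owner actually holds."""
    requested = {f"access:services!service={service}"}
    for role in roles:
        if role["name"] in oauth_roles:
            requested.update(role["scopes"])
    owner = user_scopes(username, groups, roles)
    return {s for s in requested if any(scope_grants(u, s) for u in owner)}


if __name__ == "__main__":
    groups = [SERVICE_NAME]
    # What the thread observed: the default token can only reach the service.
    print(oauth_token_scopes(SERVICE_NAME, "adpatter", groups, ROLES))
    # With the assumed oauth role, the token also carries read:hub.
    print(oauth_token_scopes(SERVICE_NAME, "adpatter", groups, ROLES, [f"{SERVICE_NAME}-oauth"]))
    # The single-user server token from the first log excerpt cannot read the hub.
    print(has_access(["access:servers!server=adpatter/"], ["read:hub"]))
```

The point the model makes is that `load_roles` decides what the user holds, while the service's `oauth_roles` decides what a token issued through that service may exercise on the user's behalf; granting `read:hub` in the first without requesting it in the second reproduces exactly the 403 in the thread.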
