I could have sworn I saw documentation on how using ?token=abc in the URL as a parameter is now blocked by OAuth and there’s a configuration to disable this. If it exists, can anyone point me to it?
Wanted to test the behavior since you’ll need to log in/authenticate via the browser even after adding the token param into the URL. It may also be affecting WebSocket authentication for me.
Also seems like server-side Node WebSocket has authentication issues whereas client-side WebSocket seems to work fine. I’m assuming cookies/xsrf may be involved.
```
# Example error log on single user server when attempting to connect via WebSocket.
Couldn't authenticate WebSocket connection
notebook [I 2025-01-07 12:58:21.289 ServerApp] Setting new xsrf cookie for b':bDamMN8DPtF33En-AnhilPG=' {'path': '/user/andrew@example.com/test-server/', 'max_age': 3600}
```
The env var JUPYTERHUB_ALLOW_TOKEN_IN_URL specified actually fixed our issues here. Seems like the default behavior is messing with some authentication processes that aren’t browser based.
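For non-browser clients such as the server-side Node WebSocket discussed in this thread, an alternative to re-enabling tokens in URLs is to send the token in a request header, which keeps it out of access logs and Referer values. The sketch below is an added example, not code from the thread or from JupyterHub: the helper name, host, path and token are hypothetical, and it assumes the single-user server accepts an `Authorization: token <value>` header.

```javascript
// Added example: hypothetical helper, not JupyterHub or Jupyter Server code.
// Moves an API token out of the URL query string and into a request header,
// so the token does not end up in proxy logs, shell history or Referer values.

function tokenUrlToHeaderAuth(rawUrl) {
  const url = new URL(rawUrl);
  const token = url.searchParams.get("token");
  if (!token) {
    throw new Error("URL carries no ?token= parameter");
  }
  // Drop only the token; keep other query parameters (e.g. session_id).
  url.searchParams.delete("token");
  // WebSocket endpoints use ws:/wss:; map from http:/https: if needed.
  if (url.protocol === "http:") url.protocol = "ws:";
  if (url.protocol === "https:") url.protocol = "wss:";
  return {
    url: url.toString(),
    // Assumption: the server accepts the "token <value>" Authorization scheme.
    headers: { Authorization: `token ${token}` },
  };
}

// Constructed sample input: host, path and token are placeholders.
const sample =
  "https://hub.example.org/user/alice/test-server/api/kernels/1234/channels" +
  "?token=abc&session_id=s1";
const conn = tokenUrlToHeaderAuth(sample);
console.log(conn.url); // the URL that is safe to log; the token is not in it

// With the `ws` npm package the result would be used as:
//   new WebSocket(conn.url, { headers: conn.headers });
```

Browser WebSocket clients cannot set custom headers, so this applies only to server-side clients like the Node case above.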