URL Token parameter now disabled?

I could have sworn I saw documentation on how using ?token=abc in the URL as a parameter is now blocked by OAuth and there’s a configuration to disable this. If it exists, can anyone point me to it?

Wanted to test the behavior since you’ll need to log in/authenticate via the browser even after adding the token param into the URL. It may also be affecting websocket authentication for me.

There was a bug in some older versions of JupyterHub/Z2JH:

Which version are you using?

Oh interesting.

JupyterHub Helm Chart: v4.0.1-0.dev.git.6874.h2390243c
JupyterHub: v5.2.1

Added the JUPYTERHUB_SINGLEUSER_EXTENSION=0 env var to our custom KubeSpawner environments, but behavior didn’t change.

Hitting this URL with the token param in incognito browser used to authenticate correctly, but now it redirects to our Auth0 login page:
https://jh-server.com/user/andrew@example.com/test-server/lab?token=abc

Also seems like server-side Node WebSocket has authentication issues whereas client-side WebSocket seems to work fine. I’m assuming cookies/xsrf may be involved.

# Example error log on single user server when attempting to connect via WebSocket.
Couldn't authenticate WebSocket connection
notebook [I 2025-01-07 12:58:21.289 ServerApp] Setting new xsrf cookie for b':bDamMN8DPtF33En-AnhilPG=' {'path': '/user/andrew@example.com/test-server/', 'max_age': 3600}

Found the doc! Upgrading to JupyterHub 5 — JupyterHub documentation

The env var JUPYTERHUB_ALLOW_TOKEN_IN_URL specified actually fixed our issues here. Seems like the default behavior is messing with some authentication processes that aren’t browser based.

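An added example, not part of the thread and not JupyterHub's own code: for a non-browser client such as the server-side WebSocket mentioned above, the alternative to re-enabling JUPYTERHUB_ALLOW_TOKEN_IN_URL is to send the token in an `Authorization: token …` header, which also keeps it out of proxy logs and browser history. The helper name `move_token_to_header`, the `kernel-id` path segment and the sample URLs are constructed, and the client is assumed to be able to set request headers.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def move_token_to_header(url, headers=None):
    """Return (clean_url, headers) with any ?token= moved to Authorization.

    Raises ValueError if the URL carries several different tokens or if
    the caller's headers already contain an Authorization value.
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    tokens = {v for k, v in pairs if k == "token" and v}
    if len(tokens) > 1:
        raise ValueError("URL carries more than one distinct token")

    # Keep every other query parameter, in its original order.
    kept = [(k, v) for k, v in pairs if k != "token"]
    clean_url = urlunsplit(parts._replace(query=urlencode(kept)))

    out = dict(headers or {})
    if tokens:
        if any(name.lower() == "authorization" for name in out):
            raise ValueError("Authorization header already set")
        out["Authorization"] = f"token {tokens.pop()}"
    return clean_url, out


if __name__ == "__main__":
    # Constructed sample URLs; "abc" stands in for a real API token.
    samples = [
        "https://jh-server.com/user/andrew@example.com/test-server/lab?token=abc",
        "wss://jh-server.com/user/andrew@example.com/test-server"
        "/api/kernels/kernel-id/channels?session_id=s1&token=abc",
    ]
    for sample in samples:
        clean, hdrs = move_token_to_header(sample)
        # Print header names only, so the token never reaches stdout or logs.
        print(clean, sorted(hdrs))
```

Pass the returned URL and headers to whatever HTTP or WebSocket client the service uses; a browser's built-in `WebSocket` cannot set this header, so this applies to server-side clients.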