Using GoogleOAuthenticator and allowed_groups on TLJH instance

I’ve been through the TLJH docs and can’t find how to configure the GoogleOAuthenticator to allow only certain Google groups. The auth section of /opt/tljh/config/config.yaml on my VM instance is as follows:

    login_service: Foo
    client_id: *********************
    client_secret: **********
        - GROUP_NAME
    google_service_account_keys: '/usr/local/oauth_client_id.json'
    gsuite_administrator: "__jupyterhub__"

There are two issues. One is that I had to manually edit /opt/tljh/config/config.yaml to add the references instead of using tljh-config since I couldn’t figure out how to use tljh-config to add keys with periods like The other is that, once so configured (if the above is indeed correct), I get the following when I try to log in to the instance:

    Traceback (most recent call last):
      File "/opt/tljh/hub/lib/python3.10/site-packages/tornado/", line 1786, in _execute
        result = await result
      File "/opt/tljh/hub/lib/python3.10/site-packages/oauthenticator/", line 231, in get
        user = await self.login_user()
      File "/opt/tljh/hub/lib/python3.10/site-packages/jupyterhub/handlers/", line 760, in login_user
        authenticated = await self.authenticate(data)
      File "/opt/tljh/hub/lib/python3.10/site-packages/jupyterhub/", line 469, in get_authenticated_user
        authenticated = await maybe_future(self.authenticate(handler, data))
      File "/opt/tljh/hub/lib/python3.10/site-packages/oauthenticator/", line 224, in authenticate
        user_info = await self._add_google_groups_info(user_info, google_groups)
      File "/opt/tljh/hub/lib/python3.10/site-packages/oauthenticator/", line 293, in _add_google_groups_info
        credentials = self._service_client_credentials(
      File "/opt/tljh/hub/lib/python3.10/site-packages/oauthenticator/", line 232, in _service_client_credentials
    Could not import google.oauth2's service_account you may need to run pip install oauthenticator[googlegroups] or not declare google groups

oauthenticator[googlegroups] is indeed installed. On investigation I found the underlying error is ModuleNotFoundError: No module named 'google' when _service_client_credentials runs from google.oauth2 import service_account.

How do you set up groups-based Google auth?

I solved this by creating the directory /opt/tljh/config/jupyterhub_config.d and adding a .py file that included the following:

    # Keys are Google domains; values are the groups allowed to log in.
    c.GoogleOAuthenticator.allowed_google_groups = {'': ['allowed_group_name', 'another_allowed_group_name']}

See the JupyterHub Google OAuthenticator docs for details.

Re the import error, this was resolved by adding the package to the hub .venv:

    cd /opt/tljh/hub
    source bin/activate
    pip install oauthenticator[googlegroups]

I had tried this once, but only after running some other pip installs outside the environment which messed some things up.
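The import failure above comes down to which interpreter has the package, so here is a small check, added as an example and not taken from the original posts or from TLJH. It asks a given Python executable whether it can import google.oauth2.service_account and reports that interpreter's prefix; the hub path is assumed from the traceback, and the name probe_import is made up for this example.

```python
"""Added example: check which interpreter can import the Google groups dependency."""
import json
import subprocess
import sys

# Path assumed from the traceback on this page; adjust for other installs.
HUB_PYTHON = "/opt/tljh/hub/bin/python"
MODULE = "google.oauth2.service_account"

# Runs inside the target interpreter and reports its prefix and the import result.
_PROBE = """
import importlib, json, sys
out = {"prefix": sys.prefix, "ok": True, "error": None}
try:
    importlib.import_module(sys.argv[1])
except Exception as exc:
    out["ok"] = False
    out["error"] = f"{type(exc).__name__}: {exc}"
print(json.dumps(out))
"""


def probe_import(python_exe, module=MODULE):
    """Try to import `module` with `python_exe`; return a dict describing the result."""
    try:
        proc = subprocess.run(
            [python_exe, "-c", _PROBE, module],
            capture_output=True, text=True, timeout=60, check=True,
        )
        # The probe prints its JSON last, after anything the import itself printed.
        return json.loads(proc.stdout.strip().splitlines()[-1])
    except (OSError, subprocess.SubprocessError, ValueError, IndexError) as exc:
        # Covers a missing or broken interpreter and unparseable probe output.
        return {"prefix": None, "ok": False, "error": f"{type(exc).__name__}: {exc}"}


if __name__ == "__main__":
    # Compare the hub's interpreter with the one running this script.
    for exe in (HUB_PYTHON, sys.executable):
        result = probe_import(exe)
        status = "importable" if result["ok"] else f"NOT importable ({result['error']})"
        print(f"{exe} [prefix={result['prefix']}]: {MODULE} {status}")
```

If the hub interpreter reports NOT importable while the system one succeeds, the package was installed outside /opt/tljh/hub.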