Open kcranston opened 3 years ago
Oh! So is our login protocol different now? Or is it still GitHub, but I add users in a different yaml file than before? It sounds like it's different, because previously I could just remove them from the list and within a few days they'd lose access. This reminds me, I will shut down the EA hub this morning.
@kcranston OK, I think I need a run-through of how this works. Does the authentication list in the yaml file no longer work?
From what I understand, the authentication process has multiple steps, which go something like this:
So, if a user already has an authentication token, the whitelist is not checked. If you remove a user from the whitelist, they may still be able to log in if they have an unexpired token (and I do not know how long before tokens expire). This happened in the fall, when I reinstated a hub and @nkorinek was able to log in without being on the whitelist!
OK, so for the ea-hub I did remove a few users from the whitelist. Do I then need to remove their tokens?
Oh wait, this is why I have to revoke all tokens, is that right? I think I remember this conversation. So if I revoke all tokens, then the users on the whitelist can still get onto the hub. Is that correct?
tl;dr
At the end of a class, we should ensure that students no longer have access to the hub:
Long version
Authentication to the hub is managed by a GitHub App for each hub. Adding a GitHub username to the `hubname.yaml` file (under `auth.admin.users` or `auth.whitelist.users`) allows that user to authenticate. Removing a username from that file does not revoke access, though, because they still have a valid authentication token via the GitHub App. So, at the end of each class, we should edit the yaml file and also revoke all user tokens. You can do this through the Settings for the EarthLab organization: under Developer Settings, select the App and click the "Revoke all user tokens" button.

This also needs to be added to the docs about removing hubs.
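To make the ordering concrete, here is a small Python model (an added example, not the hub's or Zero-to-JupyterHub's own code) of the flow described above: a user holding an unexpired token skips the whitelist check, so editing the yaml without revoking tokens leaves a removed student logged in, while revoking tokens plus editing the yaml locks them out and still lets whitelisted users back in. The token lifetime and user names are assumed.

```python
"""Model of the hub login flow discussed in this issue (added example, not
the hub's real code): a valid token is honoured before the whitelist is
consulted, so removing a user from hubname.yaml alone does not lock them out."""
from dataclasses import dataclass, field

# Assumed lifetime in seconds; the thread does not state the real one.
TOKEN_LIFETIME = 7 * 24 * 3600


@dataclass
class GitHubApp:
    """Stand-in for the per-hub GitHub App that issues and revokes user tokens."""
    tokens: dict = field(default_factory=dict)  # username -> expiry timestamp

    def issue_token(self, user, now):
        self.tokens[user] = now + TOKEN_LIFETIME

    def has_valid_token(self, user, now):
        return self.tokens.get(user, -1) > now

    def revoke_all_user_tokens(self):
        """Equivalent of the 'Revoke all user tokens' button under Developer Settings."""
        self.tokens.clear()


def can_login(user, whitelist, app, now):
    """Return True if the hub would let `user` in at time `now`.

    An existing token short-circuits the whitelist check (the behaviour observed
    in the thread); only a fresh login with no token has to pass the whitelist.
    """
    if app.has_valid_token(user, now):
        return True
    if user in whitelist:
        app.issue_token(user, now)  # OAuth round-trip succeeds, token stored
        return True
    return False


def end_of_class_scenario(revoke_tokens):
    """Student logs in during class, is removed from the yaml, then tries again.
    Returns (student_can_still_login, instructor_can_still_login)."""
    app = GitHubApp()
    whitelist = {"instructor", "student"}  # constructed hubname.yaml contents
    assert can_login("student", whitelist, app, now=0)  # first day of class
    whitelist.discard("student")  # hubname.yaml edited at end of class
    if revoke_tokens:
        app.revoke_all_user_tokens()
    now = 3600  # an hour later, well inside the assumed token lifetime
    return (can_login("student", whitelist, app, now),
            can_login("instructor", whitelist, app, now))
```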