JupyterHub issue with Authentication

[zkatona]

Dear Mr. Dumpleton,

I use OAuth 2.0 authentication against OpenShift with JupyterHub. I experience the issue that JupyterHub does not force the users to authenticate again after logout, but only if the logout happened shortly after a login. I guess it must have something to do with missing invalidation of cookies at JupyterHub's side. Additional Info:

• OpenShift Master: v3.10.83
• Kubernetes Master: v1.10.0+b81c8f8
• jupyterhub-quickstart:3.0.5

However, the same issue is present with - jupyterhub-quickstart:1.0.3 and OpenShift 3.6.

Any ideas what could be the solution for this?

Thank you for your help in advance!

Cheers,

Zoltán

[GrahamDumpleton]

As far as I have been able to work out in the past when saw this, it is how JupyterHub works. It seems the cookie is left behind and is still accepted up to the time the prior login has been cleared from the cache. See:

• https://jupyterhub.readthedocs.io/en/stable/api/services.auth.html

May be related to c.HubAuth.cache_max_age setting in part.