Our authenticators default to allowing all authenticated users if no set of allowed users is configured.
I think this default should change to not allow all authenticated users in those situations. At the same time, it should be possible to allow all authenticated users.
To accomplish this, I suggest we don't allow any user unless explicitly allowed by some config, and then also introduce the allow_all config defaulting to False, allowing all users to be allowed.
Related
This is a practical proposal on how to address #609
allow_all config in the Authenticator base class, https://github.com/jupyterhub/jupyterhub/issues/4484
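The current default and the proposed one side by side, as an added sketch that is not part of the issue or of JupyterHub's code. `AuthConfig`, `legacy_allows`, `proposed_allows` and `audit` are hypothetical names; only `allow_all` and its default of False come from the proposal.

```python
from dataclasses import dataclass, field


@dataclass
class AuthConfig:
    """Hypothetical stand-in for an authenticator's access settings."""
    allowed_users: set = field(default_factory=set)
    allow_all: bool = False  # option named in the proposal, off by default


def legacy_allows(cfg, username):
    """Current default: an empty allow list admits every authenticated user."""
    if not cfg.allowed_users:
        return True
    return username in cfg.allowed_users


def proposed_allows(cfg, username):
    """Proposed default: deny unless allow_all is set or the user is listed."""
    if cfg.allow_all:
        return True
    return username in cfg.allowed_users


def audit(cfg):
    """Classify a config by how the proposed default would change it."""
    if cfg.allow_all:
        return "explicit-open"   # open to all, by deliberate choice
    if not cfg.allowed_users:
        return "implicit-open"   # open today, closed under the proposal
    return "restricted"          # same behaviour before and after


if __name__ == "__main__":
    # Constructed sample configs and usernames, for illustration only.
    samples = {
        "nothing configured": AuthConfig(),
        "allow list": AuthConfig(allowed_users={"alice"}),
        "allow_all=True": AuthConfig(allow_all=True),
    }
    for label, cfg in samples.items():
        print(f"{label:20} audit={audit(cfg):14}",
              f"legacy(mallory)={legacy_allows(cfg, 'mallory')}",
              f"proposed(mallory)={proposed_allows(cfg, 'mallory')}")
```

A config that audits as `implicit-open` is one whose users would lose access under the proposal until an allow list or `allow_all` is set explicitly.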