search

jupyterhub / oauthenticator

OAuth + JupyterHub Authenticator = OAuthenticator
https://oauthenticator.readthedocs.io
BSD 3-Clause "New" or "Revised" License
414 stars 365 forks source link

google auth in oauthenticator 16.x changes username format #660

Closed taylorgibson closed 1 year ago

taylorgibson commented 1 year ago

Bug description

When upgrading jupyterhub to helm chart 3.0.0-beta.3.git.6268.h16086582, which contains version 16 of oauthenticator, usernames are parsed differently on log in when using google authenticator. Previously, only the portion of the email address before the domain name was used to identify and name a user, and now the full email address is used. For example, taylorgibson is now taylorgibson@example.com. Jupyterhub views these as two distinct users, and therefore a new account is created. Users are unable to access storage allocated to the old version of the username since it is viewed as a separate account.

I can confirm that downgrading to a previous version (helm chart 3.0.0-alpha.1.git.6194.h835c3fa8) reverts the behavior to what I would expect. The only changes in the config.yaml file between the two versions was the addition/removal of the allow_all: true required with version 16. You can see the relevant configuration portion below in this issue.

I have not tried upgrading to the latest helm charts released today (3.0.0-beta.3.git.6273.hae30a841) to see if the bug persists.

Expected behaviour

When users log in using Google OAuth, only the username (portion before the @) portion of the Google account email adddress is be used as the Jupyterhub user name.

Actual behaviour

When users log in using Google OAuth, the entire Google account email address is used as the Jupyterhub user name.

How to reproduce

  1. Upgrade Jupyterhub with a helm chart version that uses oauthenticator 16.x (I used 3.0.0-beta.3.git.6268.h16086582)
  2. Log in using Google authenticator

Your personal set up

Full environment ``` # paste output of `pip freeze` or `conda list` here ```
Configuration ``` hub: config: Authenticator: admin_users: - gibson GoogleOAuthenticator: client_id: client_secret: oauth_callback_url: https://datahub.ncssm.edu/hub/oauth_callback hosted_domain: - ncssm.edu allow_all: true admin_users: - gibson login_service: NCSSM Account JupyterHub: authenticator_class: google ```
Logs ``` # paste relevant logs here, if any ```
welcome[bot] commented 1 year ago

Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! :hugs:
If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other other community members to contribute more effectively. welcome You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! :wave:
Welcome to the Jupyter community! :tada:

consideRatio commented 1 year ago

Thank you @taylorgibson for the clear issue report!

I've tracked this to a regression introduced in 16.0.0 from #594 in 3309dd5d.

consideRatio commented 1 year ago

@taylorgibson thank you soo much for reporting this, it was a breaking regression, so fixing it is also a breaking change in a way. Thanks to your report this fix could land in the z2jh 3.0.0 and tljh 1.0.0 (the littlest jupyterhub, single machine distribution) releases directly!