Make it more clear in the docs how setting a password for the first time works and how a user can change its password

[iapyeh]

Describe the bug I would like to let user to set their own password

To Reproduce

1. open the url http://tljh.jupyter.org/en/latest/howto/auth/firstuse.html
2. do "sudo tljh-config set auth.type firstuseauthenticator.FirstUseAuthenticator" and "sudo tljh-config reload", (But even user logout-and-login again, he does not been asked to provide a new password as what described in about url)
3. follow the steps : 1. delete user 2. request to login again

Expected behavior

The deleted user can set his own password as described in the document.

But before it is deleted, the user can login without password. After it is deleted by admin, the user always failed to login.

If the user is added again, it seems nothing changed. the user can login without password. The user still failed to find a place to set his password.

Compute Information

• Operating System: Ubuntu 18.4
• JupyterHub Version: just installed last week.

[GeorgianaElena]

Hey @iapyeh! The way FirstUseAuthenticator works is that it allows setting a password when a user (added by the admin) first logins. Until https://github.com/jupyterhub/firstuseauthenticator/pull/21 gets merged and a new release is made, setting an empty password is valid.

• do "sudo tljh-config set auth.type firstuseauthenticator.FirstUseAuthenticator" and "sudo tljh-config reload"

This step is needed when one wants to switch back to FirstUseAuthenticator from a different authenticator, because FirstUseAuthenticator is TLJH's default authenticator.

• But even user logout-and-login again, he does not been asked to provide a new password as what described in about url

The user is not explicitly asked to set a new password (through a special login page or anything like this). The password the user uses when they first login is their password from then on (including no password at all).

• But before it is deleted, the user can login without password.

The reason why the user can login without a password is because when they first logged into TLJH they haven't set any password (i.e. in the login page they just entered their username and the password field was empty).

• After it is deleted by admin, the user always failed to login.

This usually happens when the user account wasn't manually created and TLJH isn't allowed to create users by itself (ref: http://tljh.jupyter.org/en/latest/howto/auth/firstuse.html#allowing-anyone-to-log-in-to-your-jupyterhub)

• If the user is added again, it seems nothing changed. the user can login without password. The user still failed to find a place to set his password.

This is the intended behavior. The place for a new user to set their password, is the login page.

Tip: If a user has set an empty password by mistake or wants to change its password, it can also be done by accessing <your_server_ip>/hub/auth/change-password.

We should definitely make it more clear in the TLJH docs the way the authenticator works and also have an easy-to-find section about changing the password through /hub/auth/change-password, so thanks a lot for opening this issue :sun_with_face: