Open Bougakov opened 1 year ago
Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! :hugs:
If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other community members to contribute more effectively.
You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! :wave:
Welcome to the Jupyter community! :tada:
I have figured out that I had to manually run this command to explicitly restrict access to only these accounts:
set auth.GitHubOAuthenticator.allowed_users john@gmail.com, jane@gmail.com
The manual should be explicit about this - otherwise the security implication is overlooked.
@Bougakov, recently I've been going through the TLJH Google auth docs trying to figure out something similar: how to set up auth for just a few users like you need, and also how to set up Google Group-based auth. I'll be putting in a PR to add some instructions to the Authenticate using Google section of the TLJH docs. I will share here when I'm done.
@Bougakov see https://github.com/jupyterhub/the-littlest-jupyterhub/pull/898. The TLJH Google auth docs are now explicit about this and include extra information. It also looks like this default setup may change in the future.
Bug description
I have installed TLJH using the provided manual and enabled Google Auth. Recently, I've discovered that this auth method allows ANYONE with a Google account to access my installation. I found that someone with the address babymarinsz@gmail.com has managed to access it and install a cryptocurrency miner by running these commands in the terminal:
Expected behaviour
The manual should be written in a way that the user by default ends up with only allowing a specific set of Google Accounts (john@gmail.com, jane@gmail.com) or Google Apps Domains (@example.com) whitelisted. There must be an explicit action taken by the user to extend the auth permissions to anyone with a Google Account.
Your personal set up
I am using the-littlest-jupyterhub.
I am using Ubuntu on a Digital Ocean droplet.
I am looking for advice on how to restrict access to only Google Workspace accounts from a list of particular domains. Thank you.
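The access decision this issue is about, as an added example (not code from TLJH, JupyterHub or oauthenticator): an empty allow-list admits any Google account, while explicit accounts and exact Workspace domains restrict it. The `allowed_users` and `hosted_domains` names are modelled on JupyterHub's `allowed_users` and oauthenticator's `hosted_domain` settings, and every address and domain below is a constructed sample.

```python
"""Model of which Google accounts a hub admits under a given policy.

Added example for this thread, not project code. It mirrors the behaviour the
issue reports: with no allow-list and no hosted domain configured, any Google
account is admitted. Addresses and domains are constructed samples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPolicy:
    # Explicit accounts permitted to log in (the allowed_users idea).
    allowed_users: frozenset = frozenset()
    # Google Workspace domains permitted to log in (the hosted_domain idea).
    hosted_domains: frozenset = frozenset()

    def is_open_to_everyone(self) -> bool:
        """True when nothing restricts logins: the state the issue warns about."""
        return not self.allowed_users and not self.hosted_domains

    def allows(self, email: str) -> bool:
        """Decide whether one Google account may log in under this policy."""
        local, sep, domain = email.strip().lower().rpartition("@")
        if not sep or not local or not domain:
            return False  # malformed address: never admit
        if self.is_open_to_everyone():
            return True  # the unrestricted default the issue author ran into
        if f"{local}@{domain}" in {u.lower() for u in self.allowed_users}:
            return True
        # Exact domain match only: a look-alike such as "evil-example.com" or a
        # subdomain must not be accepted for an allowed "example.com".
        return domain in {d.lower() for d in self.hosted_domains}


def rejected_by(policy: AccessPolicy, emails) -> list:
    """Accounts in `emails` (e.g. the hub's current user list) the policy denies.

    Run this after tightening the policy: anything listed got in only because
    the hub was open and should be reviewed and removed.
    """
    return [e for e in emails if not policy.allows(e)]


# Before: the configuration the issue describes, open to any Google account.
OPEN_POLICY = AccessPolicy()
# After: named accounts plus one Workspace domain, as the expected behaviour asks.
RESTRICTED_POLICY = AccessPolicy(
    allowed_users=frozenset({"john@gmail.com", "jane@gmail.com"}),
    hosted_domains=frozenset({"example.com"}),
)
```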