[All] Make username_claim callable (except for CILogon), like it has been in Generic #717
While trying to use Auth0 for authentication in one of our hubs, we discovered that the most useful username_claim (`sub`) produces usernames that look like `oauth2|cilogon|http://cilogon.org/servera/users/43431` (when using auth0 with CILogon). The last part of `sub` is generally whatever is passed on to auth0, so it's going to be different for different users. I had thought `username_claim` was a callable, but turns out that's only true for GenericOAuthenticator. I think it's pretty useful for every authenticator, so I've just moved that functionality out to the base class instead. I also added a test to verify it works. The test is in GenericOAuthenticator because it was the easiest place to put it, but it works across authenticators. This also means it is fully backwards compatible.
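An added example, not code from this PR or from OAuthenticator: a callable of the kind described above that turns the Auth0/CILogon `sub` value into a short username using plain string checks and rejects anything it does not recognise. The names `EXPECTED_PREFIX`, `cilogon_username` and `resolve_username` are hypothetical, and it assumes the authenticator treats a `None` username as a failed login.

```python
# Added example; all names below are hypothetical, not part of OAuthenticator.

# Prefix of the `sub` value quoted in the PR description (Auth0 with CILogon).
EXPECTED_PREFIX = "oauth2|cilogon|http://cilogon.org/servera/users/"


def cilogon_username(user_info):
    """Map the `sub` claim to a hub username, failing closed on surprises."""
    sub = user_info.get("sub")
    if not isinstance(sub, str) or not sub.startswith(EXPECTED_PREFIX):
        # Another connection or issuer: refuse rather than guess, so two
        # identity sources can never collapse onto the same username.
        return None
    user_id = sub[len(EXPECTED_PREFIX):]
    # Plain string checks instead of a regex: ASCII digits only, bounded length.
    if not (user_id.isascii() and user_id.isdigit() and len(user_id) <= 20):
        return None
    return f"cilogon-{user_id}"


def resolve_username(username_claim, user_info):
    """Illustrates the described behaviour: a callable is called with the
    user info, anything else is used as a key into it."""
    if callable(username_claim):
        return username_claim(user_info)
    return user_info.get(username_claim)


# Constructed sample user info; only the first `sub` comes from the PR text.
SAMPLES = [
    {"sub": "oauth2|cilogon|http://cilogon.org/servera/users/43431"},
    {"sub": "oauth2|other|http://cilogon.org/servera/users/43431"},
    {"sub": "oauth2|cilogon|http://cilogon.org/servera/users/43431/x"},
    {"email": "user@example.org"},
]

if __name__ == "__main__":
    for info in SAMPLES:
        print(info, "->", resolve_username(cilogon_username, info))
```

In `jupyterhub_config.py` such a function would be assigned with `c.Auth0OAuthenticator.username_claim = cilogon_username`, assuming a release that includes this change.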
I'd like to hash out if we really prefer to make existing config Below I'll make a case for adding new config instead of expanding use of Codebase overviewThe
The It picks the username based on config such as The Defined in the Why I hesitate on making
@yuvipanda and other reviewers, could you try to rank the strategies below based on what you think will be best?
I'm in favour of minimising the number of configuration properties. How confident are you that
Thanks for thinking about this, @consideRatio. I generally think we should not be introducing regexes wherever possible (https://blog.codinghorror.com/regular-expressions-now-you-have-two-problems/). So while I understand the positives of it allowing YAML based config, I think overall introducing regexes to something as sensitive as username validation is not something we should do. Regexes are very very easy to get wrong, and very hard to debug, and escaping mismatches can cause security issues here. So I don't think we should be using regexes here.

I think the pattern of I do understand your concern about the property itself being called So from #717 (comment) (which is very helpful btw), I'd say we should just not do (1). My preference is for (0), but instead of (2) let me propose a different alternative.

Proposal #4

We have a callable called My preference would be still to just move the functionality as is from GenericOAuthenticator to OAuthenticator (what this PR does), for the following reasons:

So my ordering would be your option (0) and then my proposed option (4).
Thanks for reasoning with me about options, I think option 4 leaves open questions related to having also a function named user_info_to_username. Okay so going with 0 feels more okay to me now that this has been deliberated on a bit more. Review feedback for this PR assuming continued path on option 0:
Companion to jupyterhub#717 Fixes jupyterhub#712
Thanks @consideRatio. I've cleaned up the extra redefinition in
Anything else I can do to get this merged? :)
This all looks good to me @yuvipanda!
Thank you @yuvipanda for taking time to reason about things! I've opened #728 and updated the title to reflect that CILogon isn't providing a