You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
EarthScope wants to restrict access to profiles based on specific scopes granted to them.
I think the sustainable pathway to this is to do this based on group membership. This matches with a lot of the new work going on upstream. We can start this out in Earthscope, but eventually be able to expand this in other places. It also will eventually help us get rid of the hacky setup for restricting access to profiles based on GitHub Teams (
jupyterhub/oauthenticator#708 was merged a couple months ago, allowing OAuthenticator to manage JupyterHub groups based on results from the OAuth2 provider. This I believe will be deployed whenever #3818 goes out. This allows us some more information about group management.
Switch to using GenericOAuthenticator for using Auth0
jupyterhub/oauthenticator#708 is specifically for GenericOAuthenticator. In #3883, we move EarthScope from Auth0Authenticator to GenericOAuthenticator, so we can make use of this feature.
Note: While there's upstream work from me to move this functionality away from just GenericOAuthenticator (jupyterhub/oauthenticator#735), I definitely do not want us to block this work on that. Those changes will be made in a backwards compatible way, and we can roll them out as and when that gets released.
Enable mapping granted scopes to JupyterHub user groups
This would be setting the equivalent of the following config:
EarthScope wants to restrict access to profiles based on specific scopes granted to them.
I think the sustainable pathway to this is to do this based on group membership. This matches with a lot of the new work going on upstream. We can start this out in Earthscope, but eventually be able to expand this in other places. It also will eventually help us get rid of the hacky setup for restricting access to profiles based on GitHub Teams (
infrastructure/helm-charts/basehub/values.yaml
Line 979 in 120e88d
https://2i2c.freshdesk.com/a/tickets/1453 has additional information, and is our ongoing conversation with them.
The steps here are:
✅ Deploy latest OAuthenticator
jupyterhub/oauthenticator#708 was merged a couple months ago, allowing OAuthenticator to manage JupyterHub groups based on results from the OAuth2 provider. This I believe will be deployed whenever #3818 goes out. This allows us some more information about group management.
Switch to using
GenericOAuthenticator
for using Auth0jupyterhub/oauthenticator#708 is specifically for GenericOAuthenticator. In #3883, we move EarthScope from Auth0Authenticator to GenericOAuthenticator, so we can make use of this feature.
Note: While there's upstream work from me to move this functionality away from just GenericOAuthenticator (jupyterhub/oauthenticator#735), I definitely do not want us to block this work on that. Those changes will be made in a backwards compatible way, and we can roll them out as and when that gets released.
Enable mapping granted scopes to JupyterHub user groups
This would be setting the equivalent of the following config:
This should turn scopes granted by oauth2 into groups, and we should be able to see that in the JupyterHub admin UI.
Enable restricting scopes based on JupyterHub user groups
This would likely be a straight port of our GitHub code (
infrastructure/helm-charts/basehub/values.yaml
Line 979 in 120e88d
Tasks
The text was updated successfully, but these errors were encountered: