Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Globus] Users with the same userid in different identity domains map to the same user #527

Open
rmoreas opened this issue Jul 16, 2022 · 4 comments
Labels

Comments

@rmoreas
Copy link

rmoreas commented Jul 16, 2022

Bug description

When using the GlobusOAuthenticator without restricting the identity provider, users with the same userid at different
identity providers are mapped to the same JupyterHub user.

Expected behaviour

Users coming from different identity providers should be mapped to different users in JupyterHub.

Actual behaviour

Example: A user with a google account [email protected] and another user with userid [email protected], will both be mapped to user john.doe in JupyterHub.

The relevant code is at

def get_username(self, user_data):

How to reproduce

Create a google account with the same userid as your institutional userid. For example, if your institutional identity is "[email protected]", then create a Google account [email protected].

Log in with both accounts, both will have access to the same user u1234567 on JupyterHub.

@rmoreas rmoreas added the bug label Jul 16, 2022
@welcome
Copy link

welcome bot commented Jul 16, 2022

Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! 🤗

If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other other community members to contribute more effectively.
welcome
You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! 👋

Welcome to the Jupyter community! 🎉

@manics
Copy link
Member

manics commented Jul 16, 2022

@rmoreas
Copy link
Author

rmoreas commented Jul 18, 2022

I didn't, but I think this will not make much a difference because the email domain is also chopped to form the username which results in the same issue.

@NickolausDS
Copy link
Contributor

I believe originally disabling the identity provider restriction altogether used to raise an exception and was not allowed, but was relaxed in favor of some use-cases where admins wanted to use multiple identity providers but take on the task of generating unique usernames themselves. However, these two things aren't mutually exclusive. If an admin disables the identity provider restriction, then get_username also needs to be overridden to ensure the uniqueness of users in JupyterHub.

A simple solution would be to update the OAuthenticator docs to warn admins about overriding get_username when disabling the identity provider restriction. Alternatively, the default get_username method could be changed to include the domain to preserve the uniqueness of the original identity provider. I think a problem with the latter approach is it violates the constraints of some alternative use-cases, such as re-using JupyterHub usernames as POSIX users on a local POSIX filesystem, where [email protected] contains both invalid characters and may also result in usernames which are too long. I'm curious what the Jupyter folks think of the latter approach, and if there are any other constraints where splitting the domain is preferable.

@consideRatio consideRatio changed the title [GlobusOAuthenticator] Users with the same userid in different identity domains map to the same user [Globus] Users with the same userid in different identity domains map to the same user Apr 1, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants