For detailed changes from the prior release, click on the version number, and its link will bring up a GitHub listing of changes. Use git log on the command line for details.
git log
The main change in 0.11 is a refactoring of classes to remove mixins, reducing the amount of boilerplate needed. In addition, there are some fixes to the Azure AD Authenticator. This should be a fully backward-compatible change, except in cases where some subclasses were importing these now-unneeded mixin classes, such as GitHubLoginHandler, GitHubMixin, etc.
All options should now be configurable via the standard jupyterhub config file. There should no longer be any options that are only configurable via environment variable.
This release also removes the latest Authenticators added in 0.10 (AzureAdB2COAuthenticator, AWSCognitoOAuthenticator, YandexOAuthenticator), which were released without being fully supported and which can be achieved through configuration of existing classes, such as AzureAd and Generic.
AzureAd
Generic
We don’t plan to accept further contributions of new providers if they can be achieved through customization or configuration of existing classes. Rather, contributors are encouraged to provide example documentation for using new providers, or pull requests addressing gaps necessary to do so with the GenericOAuthenticator.
(full changelog)
[AzureAD] Don’t pass resource when requesting a token #328 (@craigminihan)
Remove mixins, per-Authenticator LoginHandler classes #323 (@minrk)
[AzureAD] Add support for setting login_service #319 (@zevaryx)
skeleton of sphinx docs #316 (@minrk)
(GitHub contributors page for this release)
@consideRatio | @craigminihan | @Dmitry1987 | @manics | @minrk | @NickolausDS | @zevaryx
Add AzureAdB2COAuthenticator #307 (@linkcd)
Add support for GenericOAuthenticator.username_key to hold a callable value #305 (@eslavich)
GenericOAuthenticator.username_key
Add AzureAdOAuthenticator.username_claim config field #280 (@jeff-sternberg)
AzureAdOAuthenticator.username_claim
Add AWSCognitoAuthenticator #269 (@jmartinc89)
AWSCognitoAuthenticator
mediawiki: utf-8 > binary strings, req. mwoauth>=0.3.7 #297 (@consideRatio)
Fixed Globus Logout Handler, added test #288 (@NickolausDS)
Include inherited members in GitLab auth checks, requires GitLab 12.4 or newer, but will fall back to previous behavior for older GitLab versions. #283 (@vindvaki)
Fixed content index in readme, and fixed typo in comments #310 (@linkcd)
Add scopes documentation to auth0 example #303 (@jbradenbrown)
Add py3.8 for CI testing #302 (@consideRatio)
Travis: Deploy releases to pypi #301 (@manics)
Disable MediaWiki’s mwoauth==0.3.5 due to a regression #295 (@consideRatio)
Add RELEASE.md #294 (@consideRatio)
Add PyPI/Travis build badges to README.md #293 (@consideRatio)
Fix project name typo #292 (@kinow)
Use traitlet.default for Azure AD tenant_id #282 (@jeff-sternberg)
Add clarifying comment into README code block #279 (@raethlein)
switch to asyncio coroutines from tornado coroutines (requires Python 3.5)
add GenericOAuthenticator.userdata_token_method configurable
GenericOAuthenticator.userdata_token_method
add GenericOAuthenticator.basic_auth configurable
GenericOAuthenticator.basic_auth
support for OpenShift 4.0 API changes
Validate login URL redirects to avoid Open Redirect issues.
Provide better error messages
Allow auth scope to be array or strings
GitHubOAuthenticator: More efficient org_whitelist check
GitHubOAuthenticator
org_whitelist
Use pytest-asyncio instead of pytest-tornado
CILogon: New additional_username_claims config for linked identities, fallback to the primary username claim
GitLabOAuthenticator: New project_id_whitelist config to whitelist users who have Developer+ access to the project
GitLabOAuthenticator
project_id_whitelist
GoogleOAuthenticator: Allow email domains (hosted_domain) to be a list
GoogleOAuthenticator
hosted_domain
Add jupyterhub-authenticator entrypoints for jupyterhub 1.0.
jupyterhub-authenticator
Cleanup & bugfixes
Add azuread.AzureADOAuthenticator
azuread.AzureADOAuthenticator
Add CILogonOAuthenticator.idp_whitelist and CILogonOAuthenticator.strip_idp_domain options
CILogonOAuthenticator.idp_whitelist
CILogonOAuthenticator.strip_idp_domain
Add GenericOAuthenticator.tls_verify and GenericOAuthenticator.extra_params options
GenericOAuthenticator.tls_verify
GenericOAuthenticator.extra_params
Add refresh token and scope to generic oauthenticator auth state
Better error messages when GitHub oauth fails
Stop normalizing mediawiki usernames, which can be case-sensitive
Fixes for group-membership checks with GitLab
Bugfixes in various authenticators
Deprecate GITLAB_HOST in favor of GITLAB_URL, since we expect https:// in the url, not just the host.
https://
0.7.3 is a security fix for CVE-2018-7206. It fixes handling of gitlab_group_whitelist when using GitLabOAuthenticator. The same fix is backported to 0.6.2.
gitlab_group_whitelist
Fix CILogon OAuth 2 implementation. ePPN claim is used for default username (typically institutional email). CILogonOAuthenticator.username_claim can be used to change which field is used for JupyterHub usernames.
CILogonOAuthenticator.username_claim
GenericOAuthenticator.login_service is now configurable.
GenericOAuthenticator.login_service
default to GitLab API version 4 and allow v3 via GITLAB_API_VERSION=3 environment variable.
Add GlobusOAuthenticator.revoke_tokens_on_logout and GlobusOAuthenticator.logout_redirect_url config for further clearing of credentials on JupyterHub logout.
GlobusOAuthenticator.revoke_tokens_on_logout
GlobusOAuthenticator.logout_redirect_url
fix regression in 0.7.0 preventing authentication via providers other than GitHub, MediaWiki
0.7.0 adds significant new functionality to all authenticators.
CILogon now uses OAuth 2 instead of OAuth 1, to be more consistent with the rest.
All OAuthenticators support auth_state when used with JupyterHub 0.8. In every case, the auth_state is a dict with two keys: access_token and the user-info reply identifying the user. For instance, GitHubOAuthenticator auth_state looks like:
auth_state
access_token
{ 'acces_token': 'abc123', 'github_user': { 'username': 'fake-user', 'email': 'fake@email.com', ... } }
auth_state can be passed to Spawners by defining a .pre_spawn_start method. See examples/auth_state for an example.
.pre_spawn_start
All OAuthenticators have a .scope trait, which is a list of string scopes to request. See your OAuth provider’s documentation for what scopes you may want. This is useful in conjunction with auth_state, which may be used to pass access tokens to Spawners via environment variables. .scope can control what permissions those tokens will have. In general, OAuthenticator default scopes should only have read-only access to identify users.
.scope
GITHUB_HTTP environment variable can be used to talk to HTTP-only GitHub Enterprise deployments.
0.6.2 is a security fix for CVE-2018-7206. It fixes handling of gitlab_group_whitelist when using GitLabOAuthenticator.
0.6.1 has bugfixes for new behaviors in 0.6.0
Use .login_url and next_url from JupyterHub if defined (JupyterHub 0.8)
.login_url
next_url
Fix empty login_url where final login redirect could be omitted
Fix mediawiki authenticator, which broke in 0.6.0
Encode state as base64 instead of JSON, for easier passing in URLs
Support for changes in upcoming JupyterHub 0.8
Refactor to share more code across providers
Deprecated GITHUB_CLIENT_ID and other provider-specific environment variables for common options. All OAuthenticators support the same OAUTH_CLIENT_ID, OAUTH_CLIENT_SECRET, and OAUTH_CALLBACK_URL environment variables.
New authenticators:
auth0
globus
okpy
openshift
generic - a generic implementation that can work with any OAuth2 provider
Fixes in BitbucketOAuthenticator.check_whitelist
Add GitLabOAuthenticator
Fix typo preventing Google OAuth from working in 0.4.0
Enable username normalization (for mixed-case names on GitHub, requires JupyterHub 0.5). This removes GitHubOAuthenticator.username_map introduced in 0.3, because the oauth2 Authenticator has .username_map as of 0.5.
GitHubOAuthenticator.username_map
.username_map
Add Google authenticator
Allow specifying OAuth scope
Add GitHubOAuthenticator.username_map for mapping GitHub usernames to system usernames.
Add mediawiki authenticator
First release