diff --git a/docs/source/tutorials/provider-specific-setup/providers/bitbucket.md b/docs/source/tutorials/provider-specific-setup/providers/bitbucket.md index c7b21221..957e2a72 100644 --- a/docs/source/tutorials/provider-specific-setup/providers/bitbucket.md +++ b/docs/source/tutorials/provider-specific-setup/providers/bitbucket.md @@ -1,7 +1,7 @@ -# BitBucket Setup +# Bitbucket Setup -You need to have an BitBucket OAuth application registered ahead of time, see -BitBucket's official documentation about [registering an app]. +You need to have an Bitbucket OAuth application registered ahead of time, see +Bitbucket's official documentation about [registering an app]. [registering an app]: https://support.atlassian.com/bitbucket-cloud/docs/use-oauth-on-bitbucket-cloud/ @@ -18,7 +18,7 @@ c.OAuthenticator.client_secret = "[your oauth2 application secret]" ## Additional configuration -BitBucketOAuthenticator expands OAuthenticator with the following config that may +BitbucketOAuthenticator expands OAuthenticator with the following config that may be relevant to read more about in the configuration reference: -- {attr}`.BitBucketOAuthenticator.allowed_teams` +- {attr}`.BitbucketOAuthenticator.allowed_teams` diff --git a/oauthenticator/azuread.py b/oauthenticator/azuread.py index c533740e..f7e31d83 100644 --- a/oauthenticator/azuread.py +++ b/oauthenticator/azuread.py @@ -17,6 +17,10 @@ class AzureAdOAuthenticator(OAuthenticator): def _login_service_default(self): return os.environ.get("LOGIN_SERVICE", "Azure AD") + @default("username_claim") + def _username_claim_default(self): + return "name" + tenant_id = Unicode( config=True, help=""" 
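Review bot: The relocated `_username_claim_default` in `oauthenticator/azuread.py` still returns `"name"` with no comment on what that claim represents. In Azure AD tokens `name` is, to my knowledge, the display name, which is neither guaranteed unique nor immutable, so two accounts could map to the same JupyterHub username and a rename could change which hub user a person becomes. Since the method is being moved anyway, I would add a comment above it such as `# NOTE: "name" is a display name (not unique, can change); set username_claim to a stable claim such as "oid" if identity must be stable`. The class body continues outside the hunk.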
@@ -32,10 +36,6 @@ def _login_service_default(self): def _tenant_id_default(self): return os.environ.get('AAD_TENANT_ID', '') - @default("username_claim") - def _username_claim_default(self): - return "name" - @default("authorize_url") def _authorize_url_default(self): return f"https://login.microsoftonline.com/{self.tenant_id}/oauth2/authorize" diff --git a/oauthenticator/bitbucket.py b/oauthenticator/bitbucket.py index f6915288..5d18c4fc 100644 --- a/oauthenticator/bitbucket.py +++ b/oauthenticator/bitbucket.py @@ -46,7 +46,7 @@ def _userdata_url_default(self): allowed_teams = Set( config=True, help=""" - Allow members of selected BitBucket teams to sign in. + Allow members of selected Bitbucket teams to sign in. """, ) diff --git a/oauthenticator/generic.py b/oauthenticator/generic.py index fd0c87d6..e0be5fe7 100644 --- a/oauthenticator/generic.py +++ b/oauthenticator/generic.py @@ -44,13 +44,29 @@ def _login_service_default(self): allowed_groups = Set( Unicode(), config=True, - help="Automatically allow members of selected groups", + help=""" + Allow members of selected groups to sign in. + + When configuring this you may need to configure `claim_groups_key` as + well as it determines the key in the `userdata_url` response that is + assumed to list the groups a user is a member of. + """, ) admin_groups = Set( Unicode(), config=True, - help="Groups whose members should have Jupyterhub admin privileges", + help=""" + Allow members of selected groups to sign in and consider them as + JupyterHub admins. + + If this is set and a user isn't part of one of these groups or listed in + `admin_users`, a user signing in will have their admin status revoked. + + When configuring this you may need to configure `claim_groups_key` as + well as it determines the key in the `userdata_url` response that is + assumed to list the groups a user is a member of. + """, ) username_key = Union( 
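Review bot: The new `admin_groups` help in `oauthenticator/generic.py` says admin status is revoked for "a user signing in", but it never states that group membership is only evaluated at sign-in, which is what that wording implies. An operator who removes someone from an admin group at the identity provider would want to know that the hub keeps the old admin status until that user's next login. I would add one sentence to both help strings, e.g. `Group membership is read from the userdata response at sign-in, so changes take effect at the user's next login.` Please confirm this against the authentication path, which is outside the hunk. It would also help to say what happens when `claim_groups_key` is absent from the response.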
diff --git a/oauthenticator/gitlab.py b/oauthenticator/gitlab.py index eb48e0b4..51522fe5 100644 --- a/oauthenticator/gitlab.py +++ b/oauthenticator/gitlab.py @@ -72,10 +72,6 @@ def _default_gitlab_url(self): return gitlab_url - @default("gitlab_api") - def _default_gitlab_api(self): - return f"{self.gitlab_url}/api/v{self.gitlab_api_version}" - @default("authorize_url") def _authorize_url_default(self): return f"{self.gitlab_url}/oauth/authorize" @@ -104,6 +100,10 @@ def _gitlab_api_version_default(self): """, ) + @default("gitlab_api") + def _default_gitlab_api(self): + return f"{self.gitlab_url}/api/v{self.gitlab_api_version}" + @default("userdata_url") def _userdata_url_default(self): return f"{self.gitlab_api}/user" diff --git a/oauthenticator/globus.py b/oauthenticator/globus.py index 41273990..872c04b3 100644 --- a/oauthenticator/globus.py +++ b/oauthenticator/globus.py @@ -88,13 +88,17 @@ def _token_url_default(self): revocation_url = Unicode( "https://auth.globus.org/v2/oauth2/token/revoke", config=True, - help="Globus URL to revoke live tokens.", + help=""" + Globus URL to revoke live tokens. + """, ) globus_groups_url = Unicode( "https://groups.api.globus.org/v2/groups/my_groups", config=True, - help="Globus URL to get list of user's Groups.", + help=""" + Globus URL to get list of user's Groups. + """, ) identity_provider = Unicode( @@ -179,7 +183,7 @@ def _revoke_tokens_on_logout_default(self): allowed_globus_groups = Set( config=True, help=""" - Allow members of selected Google groups to sign in. Globus groups should + Allow members of selected Globus groups to sign in. Globus groups should be specified using their UUIDs. If this is configured, the default value of the scope configuration is diff --git a/oauthenticator/google.py b/oauthenticator/google.py index 9ed6e939..d95ee7cd 100644 --- a/oauthenticator/google.py +++ b/oauthenticator/google.py 
@@ -153,14 +153,6 @@ def _cast_hosted_domain(self, proposal): return [proposal.value.lower()] return [hd.lower() for hd in proposal.value] - login_service = Unicode( - os.environ.get('LOGIN_SERVICE', 'Google'), - config=True, - help=""" - Google Apps hosted domain string, e.g. My College - """, - ) - async def update_auth_model(self, auth_model): """ Fetch and store `google_groups` in auth state if `allowed_google_groups` diff --git a/oauthenticator/oauth2.py b/oauthenticator/oauth2.py index 02cc3ed0..27a7bd28 100644 --- a/oauthenticator/oauth2.py +++ b/oauthenticator/oauth2.py @@ -463,7 +463,8 @@ def _validate_server_cert_default(self): http_request_kwargs = Dict( config=True, - help="""Extra default kwargs passed to all HTTPRequests. + help=""" + Extra default kwargs passed to all HTTPRequests. For example, to use a HTTP proxy for all requests: diff --git a/oauthenticator/openshift.py b/oauthenticator/openshift.py index 580b8ea6..6844a80a 100644 --- a/oauthenticator/openshift.py +++ b/oauthenticator/openshift.py @@ -13,11 +13,15 @@ class OpenShiftOAuthenticator(OAuthenticator): - login_service = "OpenShift" + user_auth_state_key = "openshift_user" - scope = ['user:info'] + @default("scope") + def _scope_default(self): + return ["user:info"] - user_auth_state_key = "openshift_user" + @default("login_service") + def _login_service_default(self): + return os.environ.get("LOGIN_SERVICE", "OpenShift") @default("username_claim") def _username_claim_default(self): @@ -27,7 +31,10 @@ def _username_claim_default(self): os.environ.get('OPENSHIFT_URL') or 'https://openshift.default.svc.cluster.local', config=True, - help="""""", + help=""" + Used to determine the default values for `openshift_auth_api_url` and + `openshift_rest_api_url`. + """, ) allowed_groups = Set( 
@@ -50,14 +57,22 @@ def _username_claim_default(self): ca_certs = Unicode( config=True, - help="""""", + help=""" + Path to a certificate authority (CA) certificate file. Used to trust the + certificates from a specific CA. + """, ) + # FIXME: validate_cert is defined here, but OAuthenticator also defines + # validate_server_cert. If both should exist separately its too + # confusing without further documentation, and if only one should + # exist the one here should be deprecated in favor of the other. + # validate_cert = Bool( True, config=True, help=""" - Set to False to disable certificate validation + Set to False to disable certificate validation. """, ) @@ -70,7 +85,10 @@ def _ca_certs_default(self): openshift_auth_api_url = Unicode( config=True, - help="""""", + help=""" + Used to determine the default values for `authorize_url` and + `token_url`. + """, ) @default("openshift_auth_api_url") @@ -82,15 +100,6 @@ def _openshift_auth_api_url_default(self): return resp_json.get('issuer') - openshift_rest_api_url = Unicode( - config=True, - help="""""", - ) - - @default("openshift_rest_api_url") - def _openshift_rest_api_url_default(self): - return self.openshift_url - @default("authorize_url") def _authorize_url_default(self): return f"{self.openshift_auth_api_url}/oauth/authorize" @@ -99,6 +108,19 @@ def _authorize_url_default(self): def _token_url_default(self): return f"{self.openshift_auth_api_url}/oauth/token" + openshift_rest_api_url = Unicode( + config=True, + help=""" + Used to determine the default value for `userdata_url`. + + Defaults to the `openshift_url`. + """, + ) + + @default("openshift_rest_api_url") + def _openshift_rest_api_url_default(self): + return self.openshift_url + @default("userdata_url") def _userdata_url_default(self): return f"{self.openshift_rest_api_url}/apis/user.openshift.io/v1/users/~"
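Review bot: The `validate_cert` help in `oauthenticator/openshift.py` still says only "Set to False to disable certificate validation.", and the new FIXME records that its relation to `validate_server_cert` on OAuthenticator is undocumented. Until that is resolved, an operator cannot tell from the help which requests each flag covers, and may leave one enabled while the other governs the connection that carries the token exchange. I would state the scope in the help itself, e.g. `Controls TLS certificate validation for requests this authenticator makes to the OpenShift API; see also validate_server_cert. Disabling it removes protection against interception of the token exchange.` Confirm first which calls read the flag, since the request code is outside the hunk. The FIXME comment also has "its" where "it's" is meant.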
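Review bot: The new help for `openshift_auth_api_url` does not say where its default comes from, unlike the `openshift_rest_api_url` help added further down, which ends with "Defaults to the `openshift_url`." The context of the following hunk shows `_openshift_auth_api_url_default` returning `resp_json.get('issuer')`, so the default appears to come from a fetched response, and `authorize_url` and `token_url` are built from it. I would add a line such as `Defaults to the issuer value reported by the cluster; set it explicitly if that lookup is unavailable.` It is also worth noting that `.get` yields None when the key is absent. The body of the default method lies outside the visible hunks, so the lookup itself should be checked before wording this.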