store scopes on oauth clients, too

rather than roles, matching tokens because oauth clients are mostly involved with issuing tokens, they don't have roles themselves (their owners do). This deprecates the `oauth_roles` config on Spawners and Services, in favor of `oauth_allowed_scopes`. The ambiguously named `oauth_scopes` is renamed to `oauth_access_scopes`.
2025-10-12 12:33:02 +00:00 · 2022-04-28 16:43:16 +02:00
parent f2085fdf0f
commit 62b38934e5
20 changed files with 260 additions and 105 deletions
--- a/examples/service-whoami/jupyterhub_config.py
+++ b/examples/service-whoami/jupyterhub_config.py
@@ -14,11 +14,11 @@ c.JupyterHub.services = [
        # only requesting access to the service,
        # and identification by name,
        # nothing more.
-        # Specifying 'oauth_roles' as a list of role names
+        # Specifying 'oauth_allowed_scopes' as a list of scopes
        # allows requesting more information about users,
        # or the ability to take actions on users' behalf, as required.
-        # The default 'token' role has the full permissions of its owner:
-        # 'oauth_roles': ['token'],
+        # the 'inherit' scope means the full permissions of the owner
+        # 'oauth_allowed_scopes': ['inherit'],
    },
 ]