store scopes on oauth clients, too

rather than roles, matching tokens because oauth clients are mostly involved with issuing tokens, they don't have roles themselves (their owners do). This deprecates the `oauth_roles` config on Spawners and Services, in favor of `oauth_allowed_scopes`. The ambiguously named `oauth_scopes` is renamed to `oauth_access_scopes`.
2025-10-11 20:13:02 +00:00 · 2022-04-28 16:43:16 +02:00
parent f2085fdf0f
commit 62b38934e5
20 changed files with 260 additions and 105 deletions
--- a/jupyterhub/user.py
+++ b/jupyterhub/user.py
@@ -666,28 +666,11 @@ class User:
        client_id = spawner.oauth_client_id
        oauth_provider = self.settings.get('oauth_provider')
        if oauth_provider:
-            allowed_roles = spawner.oauth_roles
-            if callable(allowed_roles):
-                allowed_roles = allowed_roles(spawner)
-
-            # allowed_roles config is a list of strings
-            # oauth provider.allowed_roles is a list of orm.Roles
-            if allowed_roles:
-                allowed_role_names = allowed_roles
-                allowed_roles = list(
-                    self.db.query(orm.Role).filter(orm.Role.name.in_(allowed_roles))
-                )
-                if len(allowed_roles) != len(allowed_role_names):
-                    missing_roles = set(allowed_role_names).difference(
-                        {role.name for role in allowed_roles}
-                    )
-                    raise ValueError(f"No such role(s): {', '.join(missing_roles)}")
-
            oauth_client = oauth_provider.add_client(
                client_id,
                api_token,
                url_path_join(self.url, url_escape_path(server_name), 'oauth_callback'),
-                allowed_roles=allowed_roles,
+                allowed_scopes=spawner._get_oauth_allowed_scopes(),
                description="Server at %s"
                % (url_path_join(self.base_url, server_name) + '/'),
            )