use API token for oauth client secret

rather than a separate single-purpose secret

since we need the token anyway, use it for the secret handshake as well

jupyterhub/app.py

@@ -1086,7 +1086,7 @@ class JupyterHub(Application):
 
                 client_store.add_client(
                     client_id=service.oauth_client_id,
-                    client_secret=service.oauth_client_secret,
+                    client_secret=service.api_token,
                     redirect_uri=host + url_path_join(service.prefix, 'oauth_callback'),
                 )
             else:

jupyterhub/services/auth.py

@@ -418,17 +418,7 @@ class HubOAuth(HubAuth):
     def _client_id(self):
         return os.getenv('JUPYTERHUB_CLIENT_ID', '')
     
-    oauth_client_secret = Unicode(
-        help="""The OAuth client secret for this application.
-        
-        Use JUPYTERHUB_CLIENT_SECRET by default.
-        """
-    ).tag(config=True)
-    @default('oauth_client_secret')
-    def _client_secret(self):
-        return os.getenv('JUPYTERHUB_CLIENT_SECRET', '')
-
-    @validate('oauth_client_id', 'oauth_client_secret')
+    @validate('oauth_client_id', 'api_token')
     def _ensure_not_empty(self, proposal):
         if not proposal.value:
             raise ValueError("%s cannot be empty." % proposal.trait.name)
@@ -472,7 +462,7 @@ class HubOAuth(HubAuth):
         # GitHub specifies a POST request yet requires URL parameters
         params = dict(
             client_id=self.oauth_client_id,
-            client_secret=self.oauth_client_secret,
+            client_secret=self.api_token,
             grant_type='authorization_code',
             code=code,
             redirect_uri=self.oauth_redirect_uri,

jupyterhub/services/service.py

@@ -211,17 +211,6 @@ class Service(LoggingConfigurable):
     def _default_client_id(self):
         return 'service-%s' % self.name
 
-    oauth_client_secret = Unicode(
-        help="""OAuth client secret for this service.
-        
-        Default: Generated on each launch.
-        """
-    ).tag(input=True)
-    @default('oauth_client_secret')
-    def _default_client_secret(self):
-        self.log.debug("Generating new OAuth secret for service %s", self.name)
-        return new_token()
-
     @property
     def server(self):
         return self.orm.server
@@ -267,7 +256,6 @@ class Service(LoggingConfigurable):
             environment=env,
             api_token=self.api_token,
             oauth_client_id=self.oauth_client_id,
-            oauth_client_secret=self.oauth_client_secret,
             cwd=self.cwd,
             user=_MockUser(
                 name=self.user,

jupyterhub/spawner.py

@@ -53,7 +53,6 @@ class Spawner(LoggingConfigurable):
     admin_access = Bool(False)
     api_token = Unicode()
     oauth_client_id = Unicode()
-    oauth_client_secret = Unicode()
 
     will_resume = Bool(False,
         help="""Whether the Spawner will resume on next start
@@ -394,7 +393,6 @@ class Spawner(LoggingConfigurable):
         Subclasses should call super, to ensure that state is properly cleared.
         """
         self.api_token = ''
-        self.oauth_client_secret = ''
 
     def get_env(self):
         """Return the environment dict to use for the Spawner.
@@ -433,7 +431,6 @@ class Spawner(LoggingConfigurable):
             env['JUPYTERHUB_ADMIN_ACCESS'] = '1'
         # OAuth settings
         env['JUPYTERHUB_CLIENT_ID'] = self.oauth_client_id
-        env['JUPYTERHUB_CLIENT_SECRET'] = self.oauth_client_secret
 
         # Put in limit and guarantee info if they exist.
         # Note that this is for use by the humans / notebook extensions in the

jupyterhub/tests/mocking.py

@@ -255,7 +255,7 @@ class StubSingleUserSpawner(MockSpawner):
                 app = self._app = MockSingleUserServer()
                 app.initialize(args)
                 assert app.hub_auth.oauth_client_id
-                assert app.hub_auth.oauth_client_secret
+                assert app.hub_auth.api_token
                 app.start()
         
         self._thread = threading.Thread(target=_run)

jupyterhub/user.py

@@ -256,8 +256,7 @@ class User(HasTraits):
             # create a new OAuth client + secret on every launch,
             # except for resuming containers.
             if oauth_client is None or not spawner.will_resume:
-                spawner.oauth_client_secret = client_secret = new_token()
-                client_store.add_client(client_id, client_secret,
+                client_store.add_client(client_id, api_token,
                                         url_path_join(server.base_url, 'oauth_callback'),
                                         )
                 db.commit()