use API token for oauth client secret

rather than a separate single-purpose secret since we need the token anyway, use it for the secret handshake as well
2025-10-17 23:13:00 +00:00 · 2017-04-04 17:12:02 +02:00
parent d11c7ba4db
commit 6d647b5387
6 changed files with 6 additions and 32 deletions
--- a/jupyterhub/app.py
+++ b/jupyterhub/app.py
@@ -1086,7 +1086,7 @@ class JupyterHub(Application):

                client_store.add_client(
                    client_id=service.oauth_client_id,
-                    client_secret=service.oauth_client_secret,
+                    client_secret=service.api_token,
                    redirect_uri=host + url_path_join(service.prefix, 'oauth_callback'),
                )
            else:
--- a/jupyterhub/services/auth.py
+++ b/jupyterhub/services/auth.py
@@ -417,18 +417,8 @@ class HubOAuth(HubAuth):
    @default('oauth_client_id')
    def _client_id(self):
        return os.getenv('JUPYTERHUB_CLIENT_ID', '')
-
-    oauth_client_secret = Unicode(
-        help="""The OAuth client secret for this application.
-        
-        Use JUPYTERHUB_CLIENT_SECRET by default.
-        """
-    ).tag(config=True)
-    @default('oauth_client_secret')
-    def _client_secret(self):
-        return os.getenv('JUPYTERHUB_CLIENT_SECRET', '')
-
-    @validate('oauth_client_id', 'oauth_client_secret')
+    
+    @validate('oauth_client_id', 'api_token')
    def _ensure_not_empty(self, proposal):
        if not proposal.value:
            raise ValueError("%s cannot be empty." % proposal.trait.name)
@@ -472,7 +462,7 @@ class HubOAuth(HubAuth):
        # GitHub specifies a POST request yet requires URL parameters
        params = dict(
            client_id=self.oauth_client_id,
-            client_secret=self.oauth_client_secret,
+            client_secret=self.api_token,
            grant_type='authorization_code',
            code=code,
            redirect_uri=self.oauth_redirect_uri,
--- a/jupyterhub/services/service.py
+++ b/jupyterhub/services/service.py
@@ -211,17 +211,6 @@ class Service(LoggingConfigurable):
    def _default_client_id(self):
        return 'service-%s' % self.name

-    oauth_client_secret = Unicode(
-        help="""OAuth client secret for this service.
-        
-        Default: Generated on each launch.
-        """
-    ).tag(input=True)
-    @default('oauth_client_secret')
-    def _default_client_secret(self):
-        self.log.debug("Generating new OAuth secret for service %s", self.name)
-        return new_token()
-
    @property
    def server(self):
        return self.orm.server
@@ -267,7 +256,6 @@ class Service(LoggingConfigurable):
            environment=env,
            api_token=self.api_token,
            oauth_client_id=self.oauth_client_id,
-            oauth_client_secret=self.oauth_client_secret,
            cwd=self.cwd,
            user=_MockUser(
                name=self.user,
--- a/jupyterhub/spawner.py
+++ b/jupyterhub/spawner.py
@@ -53,7 +53,6 @@ class Spawner(LoggingConfigurable):
    admin_access = Bool(False)
    api_token = Unicode()
    oauth_client_id = Unicode()
-    oauth_client_secret = Unicode()

    will_resume = Bool(False,
        help="""Whether the Spawner will resume on next start
@@ -394,7 +393,6 @@ class Spawner(LoggingConfigurable):
        Subclasses should call super, to ensure that state is properly cleared.
        """
        self.api_token = ''
-        self.oauth_client_secret = ''

    def get_env(self):
        """Return the environment dict to use for the Spawner.
@@ -433,7 +431,6 @@ class Spawner(LoggingConfigurable):
            env['JUPYTERHUB_ADMIN_ACCESS'] = '1'
        # OAuth settings
        env['JUPYTERHUB_CLIENT_ID'] = self.oauth_client_id
-        env['JUPYTERHUB_CLIENT_SECRET'] = self.oauth_client_secret

        # Put in limit and guarantee info if they exist.
        # Note that this is for use by the humans / notebook extensions in the
--- a/jupyterhub/tests/mocking.py
+++ b/jupyterhub/tests/mocking.py
@@ -255,7 +255,7 @@ class StubSingleUserSpawner(MockSpawner):
                app = self._app = MockSingleUserServer()
                app.initialize(args)
                assert app.hub_auth.oauth_client_id
-                assert app.hub_auth.oauth_client_secret
+                assert app.hub_auth.api_token
                app.start()
        
        self._thread = threading.Thread(target=_run)
--- a/jupyterhub/user.py
+++ b/jupyterhub/user.py
@@ -256,8 +256,7 @@ class User(HasTraits):
            # create a new OAuth client + secret on every launch,
            # except for resuming containers.
            if oauth_client is None or not spawner.will_resume:
-                spawner.oauth_client_secret = client_secret = new_token()
-                client_store.add_client(client_id, client_secret,
+                client_store.add_client(client_id, api_token,
                                        url_path_join(server.base_url, 'oauth_callback'),
                                        )
                db.commit()