test coverage for Authenticator.managed_groups

- tests
- docs
- ensure all group APIs are rejected when auth is in control
- use 'groups' field in return value of authenticate/refresh_user, instead of defining new method
- log group changes in sync_groups

jupyterhub/handlers/base.py

@@ -622,9 +622,6 @@ class BaseHandler(RequestHandler):
     def authenticate(self, data):
         return maybe_future(self.authenticator.get_authenticated_user(self, data))
 
-    def load_user_groups(self, user, auth_info):
-        return maybe_future(self.authenticator.load_user_groups(user, auth_info))
-
     def get_next_url(self, user=None, default=None):
         """Get the next_url for login redirect
 
@@ -776,6 +773,13 @@ class BaseHandler(RequestHandler):
         # always ensure default roles ('user', 'admin' if admin) are assigned
         # after a successful login
         roles.assign_default_roles(self.db, entity=user)
+
+        # apply authenticator-managed groups
+        if self.authenticator.manage_groups:
+            group_names = authenticated.get("groups")
+            if group_names is not None:
+                user.sync_groups(group_names)
+
         # always set auth_state and commit,
         # because there could be key-rotation or clearing of previous values
         # going on.
@@ -783,12 +787,6 @@ class BaseHandler(RequestHandler):
             # auth_state is not enabled. Force None.
             auth_state = None
 
-        if self.authenticator.manage_groups:
-            # Run authenticator user-group reload hook
-            user_groups = await self.load_user_groups(user, authenticated)
-            if user_groups is not None:
-                user.sync_groups(user_groups)
-
         await user.save_auth_state(auth_state)
 
         return user