fail if external oauth service lacks required oauth_redirect_uri config

and log service creation with oauth enabled/disabled
2025-10-17 15:03:02 +00:00 · 2023-09-06 12:41:39 +02:00
parent e52700e950
commit effbef373f
2 changed files with 28 additions and 0 deletions
--- a/jupyterhub/app.py
+++ b/jupyterhub/app.py
@@ -2501,6 +2501,11 @@ class JupyterHub(Application):
        if orm_service.oauth_client is not None:
            service.oauth_client_id = orm_service.oauth_client.identifier
            service.oauth_redirect_uri = orm_service.oauth_client.redirect_uri
+            oauth_msg = f"with ouath_client_id={orm_service.oauth_client.identifier}"
+        else:
+            oauth_msg = "without oauth"
+
+        self.log.info(f"Loaded service {service.name} from database {oauth_msg}.")

        self._service_map[name] = service

@@ -2626,6 +2631,15 @@ class JupyterHub(Application):
            service.orm.server = None

        if service.oauth_available:
+            self.log.info(
+                f"Creating service {service.name} with oauth_client_id={service.oauth_client_id}"
+            )
+            if not service.oauth_redirect_uri:
+                # redirect uri has a default value if a URL is configured,
+                # but must be specified explicitly for external services
+                raise ValueError(
+                    f"Service {service.name} has oauth configured, but is missing required oauth_redirect_uri."
+                )
            allowed_scopes = set()
            if service.oauth_client_allowed_scopes:
                allowed_scopes.update(service.oauth_client_allowed_scopes)
@@ -2655,7 +2669,11 @@ class JupyterHub(Application):
            allowed_scopes.update(scopes.access_scopes(oauth_client))
            oauth_client.allowed_scopes = sorted(allowed_scopes)
        else:
+            self.log.info(f"Creating service {service.name} without oauth.")
            if service.oauth_client:
+                self.log.warning(
+                    f"Deleting unused oauth client for service {service.name} with client_id={service.oauth_client.identifier}"
+                )
                self.db.delete(service.oauth_client)

        self._service_map[name] = service
--- a/jupyterhub/services/service.py
+++ b/jupyterhub/services/service.py
@@ -54,6 +54,7 @@ from traitlets import (
    List,
    Unicode,
    default,
+    observe,
    validate,
 )
 from traitlets.config import LoggingConfigurable
@@ -306,6 +307,7 @@ class Service(LoggingConfigurable):
    cookie_options = Dict()

    oauth_provider = Any()
+    _oauth_specified = List(help="List of oauth config fields specified via config.")

    oauth_client_id = Unicode(
        help="""OAuth client ID for this service.
@@ -342,12 +344,20 @@ class Service(LoggingConfigurable):
            return ''
        return self.host + url_path_join(self.prefix, 'oauth_callback')

+    @observe("oauth_client_id", "oauth_redirect_uri")
+    def _oauth_config_set(self, change):
+        # record that some oauth config is specified
+        self._oauth_specified.append(change.name)
+
    @property
    def oauth_available(self):
        """Is OAuth available for this client?

        Returns True if a server is defined or oauth_redirect_uri is specified manually
        """
+        if self._oauth_specified:
+            # if any oauth config is set, oauth should be available
+            return True
        return bool(self.server is not None or self.oauth_redirect_uri)

    @property