From effbef373fd64fb0d71a34aacc69286c3560b3c1 Mon Sep 17 00:00:00 2001
From: Min RK
Date: Wed, 6 Sep 2023 12:41:39 +0200
Subject: [PATCH] fail if external oauth service lacks required oauth_redirect_uri config and log service creation with oauth enabled/disabled
---
 jupyterhub/app.py | 18 ++++++++++++++++++
 jupyterhub/services/service.py | 10 ++++++++++
 2 files changed, 28 insertions(+)
diff --git a/jupyterhub/app.py b/jupyterhub/app.py
index 4c59e6c0..80cae88d 100644
--- a/jupyterhub/app.py
+++ b/jupyterhub/app.py
@@ -2501,6 +2501,11 @@ class JupyterHub(Application):
 if orm_service.oauth_client is not None:
 service.oauth_client_id = orm_service.oauth_client.identifier
 service.oauth_redirect_uri = orm_service.oauth_client.redirect_uri
+ oauth_msg = f"with ouath_client_id={orm_service.oauth_client.identifier}"
+ else:
+ oauth_msg = "without oauth"
+
+ self.log.info(f"Loaded service {service.name} from database {oauth_msg}.")
 self._service_map[name] = service
@@ -2626,6 +2631,15 @@ class JupyterHub(Application):
 service.orm.server = None
 if service.oauth_available:
+ self.log.info(
+ f"Creating service {service.name} with oauth_client_id={service.oauth_client_id}"
+ )
+ if not service.oauth_redirect_uri:
+ # redirect uri has a default value if a URL is configured,
+ # but must be specified explicitly for external services
+ raise ValueError(
+ f"Service {service.name} has oauth configured, but is missing required oauth_redirect_uri."
+ )
 allowed_scopes = set()
 if service.oauth_client_allowed_scopes:
 allowed_scopes.update(service.oauth_client_allowed_scopes)
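Review bot: The f-string on the added `oauth_msg` line spells the field `ouath_client_id`, while the other log lines added in this commit use `oauth_client_id=`, so a log search for the client id will miss services loaded from the database. Change it to `oauth_msg = f"with oauth_client_id={orm_service.oauth_client.identifier}"`. The enclosing method starts and ends outside the hunk.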
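Review bot: The `Creating service ... with oauth_client_id=` info line is emitted before the `if not service.oauth_redirect_uri:` check, so a service that is then rejected with ValueError still leaves a "Creating service" record in the log. Moving the `self.log.info(...)` call below the check keeps the log consistent with what was actually created. The check only tests that the value is non-empty; whether the redirect URI is validated further is not visible in this hunk. The enclosing method starts and ends outside the hunk.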
@@ -2655,7 +2669,11 @@ class JupyterHub(Application):
 allowed_scopes.update(scopes.access_scopes(oauth_client))
 oauth_client.allowed_scopes = sorted(allowed_scopes)
 else:
+ self.log.info(f"Creating service {service.name} without oauth.")
 if service.oauth_client:
+ self.log.warning(
+ f"Deleting unused oauth client for service {service.name} with client_id={service.oauth_client.identifier}"
+ )
 self.db.delete(service.oauth_client)
 self._service_map[name] = service
diff --git a/jupyterhub/services/service.py b/jupyterhub/services/service.py
index 77932e90..3e8a332f 100644
--- a/jupyterhub/services/service.py
+++ b/jupyterhub/services/service.py
@@ -54,6 +54,7 @@ from traitlets import (
 List,
 Unicode,
 default,
+ observe,
 validate,
 )
 from traitlets.config import LoggingConfigurable
@@ -306,6 +307,7 @@ class Service(LoggingConfigurable):
 cookie_options = Dict()
 oauth_provider = Any()
+ _oauth_specified = List(help="List of oauth config fields specified via config.")
 oauth_client_id = Unicode(
 help="""OAuth client ID for this service.
@@ -342,12 +344,20 @@ class Service(LoggingConfigurable):
 return ''
 return self.host + url_path_join(self.prefix, 'oauth_callback')
+ @observe("oauth_client_id", "oauth_redirect_uri")
+ def _oauth_config_set(self, change):
+ # record that some oauth config is specified
+ self._oauth_specified.append(change.name)
+
 @property
 def oauth_available(self):
 """Is OAuth available for this client?
 Returns True if a server is defined or oauth_redirect_uri is specified manually
 """
+ if self._oauth_specified:
+ # if any oauth config is set, oauth should be available
+ return True
 return bool(self.server is not None or self.oauth_redirect_uri)
 @property
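Review bot: In `_oauth_config_set`, the observer appends `change.name` on every change to `oauth_client_id` or `oauth_redirect_uri`, including a change to an empty value, so `oauth_available` can return True while no OAuth setting is actually present; the list also accumulates duplicates. Guarding the append with `if change.new and change.name not in self._oauth_specified:` would tie the flag to a real value. The trait's help text says "specified via config", but the observer also fires on programmatic assignment, such as the database-load assignments in the first app.py hunk. The `oauth_available` docstring still lists only the server and `oauth_redirect_uri` cases and should say that any explicitly set OAuth field now enables it.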