Merge with main

RELEASE.md

@@ -10,11 +10,9 @@ These are the instructions on how to make a release.
 
 ## Steps to make a release
 
-1. Create a PR updating `CHANGELOG.md` with [github-activity] and continue when
-   its merged.
-
-   Advice on this procedure can be found in [this team compass
-   issue](https://github.com/jupyterhub/team-compass/issues/563).
+1. Create a PR updating `docs/source/reference/changelog.md` with
+   [github-activity] and continue when its merged. For details about this, see
+   the [team-compass documentation] about it.
 
 2. Checkout main and make sure it is up to date.
 
@@ -54,6 +52,7 @@ These are the instructions on how to make a release.
    part of making this release to PyPI.
 
 [github-activity]: https://github.com/executablebooks/github-activity
+[team-compass documentation]: https://jupyterhub-team-compass.readthedocs.io/en/latest/practices/releases.html
 [pypi]: https://pypi.org/project/oauthenticator/
 [ci system]: https://github.com/jupyterhub/oauthenticator/actions/workflows/release.yaml
 [conda-forge]: https://anaconda.org/conda-forge/oauthenticator

docs/source/reference/changelog.md

@@ -6,6 +6,84 @@ command line for details.
 
 ## [Unreleased]
 
+## 17.1
+
+### [17.1.0] - 2024-10-11
+
+#### New features added
+
+- [All] Add `enable_pkce` config, True by default [#765](https://github.com/jupyterhub/oauthenticator/pull/765) ([@renan-r-santos](https://github.com/renan-r-santos), [@minrk](https://github.com/minrk), [@consideRatio](https://github.com/consideRatio), [@manics](https://github.com/manics))
+- [Google] Add `include_nested_groups` config [#763](https://github.com/jupyterhub/oauthenticator/pull/763) ([@jrdnbradford](https://github.com/jrdnbradford), [@consideRatio](https://github.com/consideRatio))
+
+#### Maintenance and upkeep improvements
+
+- [Google] Handle pagination in group API calls [#768](https://github.com/jupyterhub/oauthenticator/pull/768) ([@jrdnbradford](https://github.com/jrdnbradford), [@minrk](https://github.com/minrk))
+- [Google] Make looking up google groups far less blocking [#764](https://github.com/jupyterhub/oauthenticator/pull/764) ([@jrdnbradford](https://github.com/jrdnbradford), [@consideRatio](https://github.com/consideRatio), [@manics](https://github.com/manics))
+
+#### Documentation improvements
+
+- [Google] google groups config docs: properties are dictionaries [#766](https://github.com/jupyterhub/oauthenticator/pull/766) ([@manics](https://github.com/manics), [@consideRatio](https://github.com/consideRatio))
+
+#### Contributors to this release
+
+The following people contributed discussions, new ideas, code and documentation contributions, and review.
+See [our definition of contributors](https://github-activity.readthedocs.io/en/latest/#how-does-this-tool-define-contributions-in-the-reports).
+
+([GitHub contributors page for this release](https://github.com/jupyterhub/oauthenticator/graphs/contributors?from=2024-09-04&to=2024-10-11&type=c))
+
+@consideRatio ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Foauthenticator+involves%3AconsideRatio+updated%3A2024-09-04..2024-10-11&type=Issues)) | @jrdnbradford ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Foauthenticator+involves%3Ajrdnbradford+updated%3A2024-09-04..2024-10-11&type=Issues)) | @manics ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Foauthenticator+involves%3Amanics+updated%3A2024-09-04..2024-10-11&type=Issues)) | @minrk ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Foauthenticator+involves%3Aminrk+updated%3A2024-09-04..2024-10-11&type=Issues)) | @renan-r-santos ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Foauthenticator+involves%3Arenan-r-santos+updated%3A2024-09-04..2024-10-11&type=Issues))
+
+## 17.0
+
+### [17.0.0] - 2024-09-04
+
+This release includes minor _breaking changes_, _deprecations_, and the
+following new config options available in all authenticator classes:
+
+- {attr}`.OAuthenticator.allowed_groups`
+- {attr}`.OAuthenticator.admin_groups`
+- {attr}`.OAuthenticator.modify_auth_state_hook`
+
+([full changelog](https://github.com/jupyterhub/oauthenticator/compare/16.3.1...17.0.0))
+
+#### Breaking Changes
+
+- [Generic, OpenShift] {attr}`.OAuthenticator.allowed_groups` and
+  {attr}`.OAuthenticator.admin_groups` now require
+  {attr}`.OAuthenticator.manage_groups` to be set to True, and will otherwise
+  raise an error.
+
+#### Deprecations
+
+- [AzureAd] {attr}`.AzureAdOAuthenticator.user_groups_claim` is deprecated in favor of {attr}`.OAuthenticator.auth_state_groups_key`
+- [Generic] {attr}`.GenericOAuthenticator.claim_groups_key` is deprecated in favor of {attr}`.OAuthenticator.auth_state_groups_key`
+
+#### New features added
+
+- [All] Move group management from generic to base oauthenticator (`allowed_groups`, `admin_groups`, `auth_state_groups_key`) [#735](https://github.com/jupyterhub/oauthenticator/pull/735) ([@yuvipanda](https://github.com/yuvipanda), [@manics](https://github.com/manics), [@consideRatio](https://github.com/consideRatio), [@minrk](https://github.com/minrk), [@benjimin](https://github.com/benjimin))
+- [All] add OAuthenticator.modify_auth_state_hook, allow get_user_groups / auth_state_groups_key to be async [#751](https://github.com/jupyterhub/oauthenticator/pull/751) ([@minrk](https://github.com/minrk), [@yuvipanda](https://github.com/yuvipanda))
+- [Google] Add switch to strip domain from username [#748](https://github.com/jupyterhub/oauthenticator/pull/748) ([@0mar](https://github.com/0mar), [@GeorgianaElena](https://github.com/GeorgianaElena), [@manics](https://github.com/manics))
+
+#### Maintenance and upkeep improvements
+
+- Various fixes for allowed_groups and admin_groups [#758](https://github.com/jupyterhub/oauthenticator/pull/758) ([@consideRatio](https://github.com/consideRatio), [@minrk](https://github.com/minrk))
+- Update references from unreleased v16.4 to upcoming v17.0 [#755](https://github.com/jupyterhub/oauthenticator/pull/755) ([@consideRatio](https://github.com/consideRatio), [@minrk](https://github.com/minrk))
+
+#### Documentation improvements
+
+- update docstrings on relationship between `allowed_groups` and `allow_[provider_group_equivalents]` [#757](https://github.com/jupyterhub/oauthenticator/pull/757) ([@minrk](https://github.com/minrk), [@consideRatio](https://github.com/consideRatio))
+- Make headings etc in changelog consistent [#754](https://github.com/jupyterhub/oauthenticator/pull/754) ([@consideRatio](https://github.com/consideRatio), [@minrk](https://github.com/minrk))
+- Add changelog for v16.3.1 [#744](https://github.com/jupyterhub/oauthenticator/pull/744) ([@yuvipanda](https://github.com/yuvipanda), [@minrk](https://github.com/minrk))
+
+#### Contributors to this release
+
+The following people contributed discussions, new ideas, code and documentation contributions, and review.
+See [our definition of contributors](https://github-activity.readthedocs.io/en/latest/#how-does-this-tool-define-contributions-in-the-reports).
+
+([GitHub contributors page for this release](https://github.com/jupyterhub/oauthenticator/graphs/contributors?from=2024-06-11&to=2024-09-04&type=c))
+
+@0mar ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Foauthenticator+involves%3A0mar+updated%3A2024-06-11..2024-09-04&type=Issues)) | @benjimin ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Foauthenticator+involves%3Abenjimin+updated%3A2024-06-11..2024-09-04&type=Issues)) | @consideRatio ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Foauthenticator+involves%3AconsideRatio+updated%3A2024-06-11..2024-09-04&type=Issues)) | @GeorgianaElena ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Foauthenticator+involves%3AGeorgianaElena+updated%3A2024-06-11..2024-09-04&type=Issues)) | @manics ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Foauthenticator+involves%3Amanics+updated%3A2024-06-11..2024-09-04&type=Issues)) | @minrk ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Foauthenticator+involves%3Aminrk+updated%3A2024-06-11..2024-09-04&type=Issues)) | @yuvipanda ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Foauthenticator+involves%3Ayuvipanda+updated%3A2024-06-11..2024-09-04&type=Issues))
+
 ## 16.3
 
 ### [16.3.1] - 2024-06-11
@@ -906,7 +984,9 @@ It fixes handling of `gitlab_group_whitelist` when using GitLabOAuthenticator.
 
 - First release
 
-[unreleased]: https://github.com/jupyterhub/oauthenticator/compare/16.3.1...HEAD
+[unreleased]: https://github.com/jupyterhub/oauthenticator/compare/17.1.0...HEAD
+[17.1.0]: https://github.com/jupyterhub/oauthenticator/compare/17.0.0...17.1.0
+[17.0.0]: https://github.com/jupyterhub/oauthenticator/compare/16.3.1...17.0.0
 [16.3.1]: https://github.com/jupyterhub/oauthenticator/compare/16.3.0...16.3.1
 [16.3.0]: https://github.com/jupyterhub/oauthenticator/compare/16.2.1...16.3.0
 [16.2.1]: https://github.com/jupyterhub/oauthenticator/compare/16.2.0...16.2.1

docs/source/tutorials/general-setup.md

@@ -60,7 +60,9 @@ projects' authenticator classes.
    - {attr}`.OAuthenticator.allow_all`
    - {attr}`.OAuthenticator.allow_existing_users`
    - {attr}`.OAuthenticator.allowed_users`
+   - {attr}`.OAuthenticator.allowed_groups`
    - {attr}`.OAuthenticator.admin_users`
+   - {attr}`.OAuthenticator.admin_groups`
 
    Your authenticator class may have unique config, so in the end it can look
    something like this:

docs/source/tutorials/provider-specific-setup/providers/azuread.md

@@ -35,16 +35,14 @@ be relevant to read more about in the configuration reference:
 ## Loading user groups
 
 The `AzureAdOAuthenticator` can load the group-membership of users from the access token.
-This is done by setting the `AzureAdOAuthenticator.groups_claim` to the name of the claim that contains the
-group-membership.
 
 ```python
 c.JupyterHub.authenticator_class = "azuread"
 
 # {...} other settings (see above)
 
 c.AzureAdOAuthenticator.manage_groups = True
-c.AzureAdOAuthenticator.user_groups_claim = 'groups'  # this is the default
+c.AzureAdOAuthenticator.auth_state_groups_key = "user.groups"  # this is the default
 ```
 
 This requires Azure AD to be configured to include the group-membership in the access token.

docs/source/tutorials/provider-specific-setup/providers/generic.md

@@ -35,7 +35,7 @@ c.GenericOAuthenticator.userdata_url = "https://accounts.example.com/auth/realms
 #
 c.GenericOAuthenticator.scope = ["openid", "email", "groups"]
 c.GenericOAuthenticator.username_claim = "email"
-c.GenericOAuthenticator.claim_groups_key = "groups"
+c.GenericOAuthenticator.auth_state_groups_key = "oauth_user.groups"
 
 # Authorization
 # -------------

oauthenticator/_version.py

@@ -1,7 +1,7 @@
 # __version__ should be updated using tbump, based on configuration in
 # pyproject.toml, according to instructions in RELEASE.md.
 #
-__version__ = "16.3.2.dev"
+__version__ = "17.1.1.dev"
 
 # version_info looks like (1, 2, 3, "dev") if __version__ is 1.2.3.dev
 version_info = tuple(int(p) if p.isdigit() else p for p in __version__.split("."))

oauthenticator/azuread.py

@@ -23,15 +23,26 @@ def _username_claim_default(self):
         return "name"
 
     user_groups_claim = Unicode(
-        "groups",
+        "",
         config=True,
         help="""
-        Name of claim containing user group memberships.
+        .. deprecated:: 17.0
 
-        Will populate JupyterHub groups if Authenticator.manage_groups is True.
+            Use :attr:`auth_state_groups_key` instead.
         """,
     )
 
+    @default('auth_state_groups_key')
+    def _auth_state_groups_key_default(self):
+        key = "user.groups"
+        if self.user_groups_claim:
+            key = f"{self.user_auth_state_key}.{self.user_groups_claim}"
+            cls = self.__class__.__name__
+            self.log.warning(
+                f"{cls}.user_groups_claim is deprecated in OAuthenticator 17. Use {cls}.auth_state_groups_key = {key!r}"
+            )
+        return key
+
     tenant_id = Unicode(
         config=True,
         help="""
@@ -55,15 +66,6 @@ def _authorize_url_default(self):
     def _token_url_default(self):
         return f"https://login.microsoftonline.com/{self.tenant_id}/oauth2/token"
 
-    async def update_auth_model(self, auth_model, **kwargs):
-        auth_model = await super().update_auth_model(auth_model, **kwargs)
-
-        if getattr(self, "manage_groups", False):
-            user_info = auth_model["auth_state"][self.user_auth_state_key]
-            auth_model["groups"] = user_info[self.user_groups_claim]
-
-        return auth_model
-
     async def token_to_user(self, token_info):
         id_token = token_info['id_token']
         decoded = jwt.decode(

oauthenticator/globus.py

@@ -342,7 +342,7 @@ async def update_auth_model(self, auth_model):
         to False makes it be revoked.
         """
         user_groups = set()
-        if self.allowed_globus_groups or self.admin_globus_groups:
+        if self.allowed_globus_groups or self.admin_globus_groups or self.manage_groups:
             tokens = self.get_globus_tokens(auth_model["auth_state"]["token_response"])
             user_groups = await self._fetch_users_groups(tokens)
         # sets are not JSONable, cast to list for auth_state