Add how-to doc on refresh tokens #778
Conversation
| Users do not have permission to read their own auth state by default, | ||
| but `auth_state` is where the `access_token` is stored. | ||
| We need to grant the `admin:auth_state!user` scope to both the `user` and `server` roles, | ||
| so that requests with `$JUPYTERHUB_API_TOKEN` will have permission to read the access token: |
There was a problem hiding this comment.
Is there likely to be anything in auth_state that an admin wouldn't want a user to see?
There was a problem hiding this comment.
It's worth mentioning this, because it is possible in theory and there are not currently more fine-grained controls. I don't believe so with the current OAuthenticators, at least, which have the userinfo and token responses. Essentially, all the information OAuthenticator puts in auth state is retrievable with the access token we are after, so if you are doing this to pass the access token, access to auth state isn't giving access to any more info than you are already meaning to give by relaying the access token itself.
There was a problem hiding this comment.
Added a caveat to the top of this section
Co-authored-by: Simon Li <[email protected]>
Co-authored-by: Simon Li <[email protected]>
|
Thanks! |
docs for #579
it would be nice to do a 17.2 with this, I think