4.1.4: Admin access to another user's server results in '403: Forbidden' on the first attempt; works on subsequent attempts
benz0li opened this issue
Bug description
When accessing another user's server as admin, the first attempt results in
How to reproduce
A multi-user JupyterHub + admin user + JupyterLab image with JupyterHub 4.1.4 installed.
(The user with admin access is already logged in and does not have a server of their own running)
Expected behaviour
Admin access to another user's server also works on the first attempt.
Actual behaviour
Admin access to another user's server results in '403: Forbidden' on the first attempt.
Logs of a JupyterLab container:
first attempt
[I 2024-04-01 09:03:11.541 ServerApp] 302 GET /user/[redacted]/ -> /user/[redacted]/lab? (@[redacted]) 1.92ms
[I 2024-04-01 09:03:11.583 ServerApp] 302 GET /user/[redacted]/lab -> /hub/api/oauth2/authorize?client_id=jupyterhub-user-[redacted]&redirect_uri=%2Fuser%2F[redacted]%2Foauth_callback&response_type=code&state=[secret] (@[redacted]) 3.40ms
second attempt
[I 2024-04-01 09:05:14.693 ServerApp] 302 GET /user/[redacted]/ -> /user/[redacted]/lab? (@[redacted]) 1.62ms
[W 2024-04-01 09:05:14.843 ServerApp] Detected unused OAuth state cookies
[I 2024-04-01 09:05:14.845 ServerApp] 302 GET /user/[redacted]/lab -> /hub/api/oauth2/authorize?client_id=jupyterhub-user-[redacted]&redirect_uri=%2Fuser%2F[redacted]%2Foauth_callback&response_type=code&state=[secret] (@[redacted]) 3.35ms
[I 2024-04-01 09:05:16.824 ServerApp] Logged-in user {'name': 'benz0li', 'kind': 'user', 'admin': True, 'groups': [], 'session_id': '3a2692192f7845f29bc5d0cc45493f02', 'scopes': ['access:servers!server=[redacted]/', 'read:users:groups!user=benz0li', 'read:users:name!user=benz0li']}
[I 2024-04-01 09:05:16.824 ServerApp] Setting new xsrf cookie for b'3a2692192f7845f29bc5d0cc45493f02:d9d013534c58576197eb2353d6be3360bcaa52192f4a8c7ba0bb0a2ecc4cd46e' {'path': '/user/[redacted]/'}
[I 2024-04-01 09:05:16.827 ServerApp] 302 GET /user/[redacted]/oauth_callback?code=[secret]&state=[secret] -> /user/[redacted]/lab (benz0li@[redacted]) 46.82ms
Your personal set up
JupyterHub: glcr.b-data.ch/jupyterhub/jupyterhub:4.1.4-oauth-docker
JupyterLab:
- JupyterLab QGIS docker stack
- JupyterLab Python docker stack
- JupyterLab Julia docker stack
- JupyterLab R docker stack
ℹ️ Images built with JUPYTERHUB_VERSION=4.1.4
Ping @minrk
Thanks for reporting! Can you test with a private browsing session to make sure it's starting with no cookies? It's possible there was some stale cookie state from the previous session that got cleared after success.
> Can you test with a private browsing session to make sure it's starting with no cookies?
Done.
> It's possible there was some stale cookie state from the previous session that got cleared after success.
Seems to have been the case.
Still probably something not quite right in terms of setting the value in the first place, but lower priority if trying again fixes the problem. Thanks for testing!
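A triage aid for logs like the ones quoted in this issue, added here as an example and not part of the thread or of JupyterHub's code: it pairs each redirect to `/hub/api/oauth2/authorize` with a following `oauth_callback` and notes whether the "unused OAuth state cookies" warning was logged nearby. The sample lines are constructed in the quoted format, and the 60-second and 5-second correlation windows are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the log format quoted in the issue (names and addresses are made up).
SAMPLE_LOG = """\
[I 2024-04-01 09:03:11.583 ServerApp] 302 GET /user/alice/lab -> /hub/api/oauth2/authorize?client_id=jupyterhub-user-alice&state=s1 (@10.0.0.5) 3.40ms
[W 2024-04-01 09:05:14.843 ServerApp] Detected unused OAuth state cookies
[I 2024-04-01 09:05:14.845 ServerApp] 302 GET /user/alice/lab -> /hub/api/oauth2/authorize?client_id=jupyterhub-user-alice&state=s2 (@10.0.0.5) 3.35ms
[I 2024-04-01 09:05:16.827 ServerApp] 302 GET /user/alice/oauth_callback?code=c&state=s2 -> /user/alice/lab (admin@10.0.0.5) 46.82ms
"""

LINE = re.compile(r"^\[[IWEDC] (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) ServerApp\] (.*)$")
CALLBACK_WINDOW = timedelta(seconds=60)  # assumption: login round trip finishes within 60 s
STALE_WINDOW = timedelta(seconds=5)      # assumption: warning is logged right next to the redirect

def parse(log):
    """Return sorted (timestamp, kind) tuples for the OAuth-related log lines."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        msg = m.group(2)
        if "-> /hub/api/oauth2/authorize?" in msg:
            events.append((ts, "authorize"))
        elif msg.startswith("302 GET") and "/oauth_callback?" in msg:
            events.append((ts, "callback"))
        elif "unused OAuth state cookies" in msg:
            events.append((ts, "stale_state"))
    return sorted(events)

def oauth_attempts(log):
    """One record per authorize redirect: did a callback follow, was stale state reported?"""
    events = parse(log)
    attempts = []
    for ts, kind in events:
        if kind != "authorize":
            continue
        completed = any(k == "callback" and ts < t <= ts + CALLBACK_WINDOW for t, k in events)
        stale = any(k == "stale_state" and abs(t - ts) <= STALE_WINDOW for t, k in events)
        attempts.append({"time": ts, "completed": completed, "stale_state_warning": stale})
    return attempts

if __name__ == "__main__":
    for a in oauth_attempts(SAMPLE_LOG):
        status = "completed" if a["completed"] else "NO CALLBACK (login did not finish)"
        print(a["time"], status, "| stale state cookies:", a["stale_state_warning"])
```

An authorize redirect with no callback only shows that the login did not finish on the single-user server; the reason for the refusal has to be looked up in the Hub's own log.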