[WIP] migrate LoginHandler config to IdentityProvider

now that we have a configurable class to represent identity, most of the LoginHandler's custom methods belong there

Migrates:

- ServerApp.password, token config
- all LoginHandler class methods

Adds:

- LegacyIdentityProvider, LegacyLoginHandler to preserve old behavior with new API, triggered with ServerApp.login_handler_class is overridden, but not identity_provider_class.

Author: minrk

jupyter_server/auth/identity.py

@@ -12,10 +12,10 @@
 from .security import passwd_check, set_password
 
 
-class LoginHandler(JupyterHandler):
+class LoginFormHandler(JupyterHandler):
     """The basic tornado login handler
 
-    authenticates with a hashed password from the configuration.
+    accepts login form, passed to IdentityProvider.process_login_form.
     """
 
     def _render(self, message=None):
@@ -66,6 +66,26 @@ def get(self):
         else:
             self._render()
 
+    def post(self):
+        user = self.current_user = self.identity_provider.process_login_form(self)
+        if user is None:
+            self.set_status(401)
+            self._render(message={"error": "Invalid credentials"})
+            return
+
+        self.log.info(f"User {user.username} logged in.")
+        self.identity_provider.set_login_cookie(self, user)
+        next_url = self.get_argument("next", default=self.base_url)
+        self._redirect_safe(next_url)
+
+
+class LegacyLoginHandler(LoginFormHandler):
+    """Legacy LoginHandler, implementing most custom auth configuration.
+
+    Deprecated in jupyter-server 2.0.
+    Login configuration has moved to IdentityProvider.
+    """
+
     @property
     def hashed_password(self):
         return self.password_from_settings(self.settings)
@@ -74,6 +94,7 @@ def passwd_check(self, a, b):
         return passwd_check(a, b)
 
     def post(self):
+
         typed_password = self.get_argument("password", default="")
         new_password = self.get_argument("new_password", default="")
 
@@ -130,37 +151,20 @@ def get_token(cls, handler):
 
     @classmethod
     def should_check_origin(cls, handler):
-        """Should the Handler check for CORS origin validation?
-
-        Origin check should be skipped for token-authenticated requests.
-
-        Returns:
-        - True, if Handler must check for valid CORS origin.
-        - False, if Handler should skip origin check since requests are token-authenticated.
-        """
+        """DEPRECATED in 2.0, use IdentityProvider API"""
         return not cls.is_token_authenticated(handler)
 
     @classmethod
     def is_token_authenticated(cls, handler):
-        """Returns True if handler has been token authenticated. Otherwise, False.
-
-        Login with a token is used to signal certain things, such as:
-
-        - permit access to REST API
-        - xsrf protection
-        - skip origin-checks for scripts
-        """
+        """DEPRECATED in 2.0, use IdentityProvider API"""
         if getattr(handler, "_user_id", None) is None:
             # ensure get_user has been called, so we know if we're token-authenticated
             handler.current_user
         return getattr(handler, "_token_authenticated", False)
 
     @classmethod
     def get_user(cls, handler):
-        """Called by handlers.get_current_user for identifying the current user.
-
-        See tornado.web.RequestHandler.get_current_user for details.
-        """
+        """DEPRECATED in 2.0, use IdentityProvider API"""
         # Can't call this get_current_user because it will collide when
         # called on LoginHandler itself.
         if getattr(handler, "_user_id", None):
@@ -197,7 +201,7 @@ def get_user(cls, handler):
 
     @classmethod
     def get_user_cookie(cls, handler):
-        """Get user-id from a cookie"""
+        """DEPRECATED in 2.0, use IdentityProvider API"""
         get_secure_cookie_kwargs = handler.settings.get("get_secure_cookie_kwargs", {})
         user_id = handler.get_secure_cookie(handler.cookie_name, **get_secure_cookie_kwargs)
         if user_id:
@@ -206,12 +210,7 @@ def get_user_cookie(cls, handler):
 
     @classmethod
     def get_user_token(cls, handler):
-        """Identify the user based on a token in the URL or Authorization header
-
-        Returns:
-        - uuid if authenticated
-        - None if not
-        """
+        """DEPRECATED in 2.0, use IdentityProvider API"""
         token = handler.token
         if not token:
             return
@@ -243,10 +242,7 @@ def get_user_token(cls, handler):
 
     @classmethod
     def validate_security(cls, app, ssl_options=None):
-        """Check the application's security.
-
-        Show messages, or abort if necessary, based on the security configuration.
-        """
+        """DEPRECATED in 2.0, use IdentityProvider API"""
         if not app.ip:
             warning = "WARNING: The Jupyter server is listening on all IP addresses"
             if ssl_options is None:
@@ -265,13 +261,15 @@ def validate_security(cls, app, ssl_options=None):
 
     @classmethod
     def password_from_settings(cls, settings):
-        """Return the hashed password from the tornado settings.
-
-        If there is no configured password, an empty string will be returned.
-        """
+        """DEPRECATED in 2.0, use IdentityProvider API"""
         return settings.get("password", "")
 
     @classmethod
     def get_login_available(cls, settings):
-        """Whether this LoginHandler is needed - and therefore whether the login page should be displayed."""
+        """DEPRECATED in 2.0, use IdentityProvider API"""
+
         return bool(cls.password_from_settings(settings) or settings.get("token"))
+
+
+# deprecated import, so deprecated implementations get the Legacy class instead
+LoginHandler = LegacyLoginHandler

jupyter_server/auth/login.py

@@ -160,16 +160,12 @@ def skip_check_origin(self):
         if self.request.method == "OPTIONS":
             # no origin-check on options requests, which are used to check origins!
             return True
-        if self.login_handler is None or not hasattr(self.login_handler, "should_check_origin"):
-            return False
-        return not self.login_handler.should_check_origin(self)
+        return not self.identity_provider.should_check_origin(self)
 
     @property
     def token_authenticated(self):
         """Have I been authenticated with a token?"""
-        if self.login_handler is None or not hasattr(self.login_handler, "is_token_authenticated"):
-            return False
-        return self.login_handler.is_token_authenticated(self)
+        return self.identity_provider.is_token_authenticated(self)
 
     @property
     def cookie_name(self):
@@ -185,12 +181,19 @@ def logged_in(self):
     @property
     def login_handler(self):
         """Return the login handler for this application, if any."""
-        return self.settings.get("login_handler_class", None)
+        warnings.warn(
+            """JupyterHandler.login_handler is deprecated in 2.0,
+            use JupyterHandler.identity_provider.
+            """,
+            DeprecationWarning,
+            stacklevel=2,
+        )
+        return self.identity_provider.login_handler_class
 
     @property
     def token(self):
         """Return the login token for this application, if any."""
-        return self.settings.get("token", None)
+        return self.identity_provider.token
 
     @property
     def login_available(self):
@@ -200,9 +203,7 @@ def login_available(self):
         whether the user is already logged in or not.
 
         """
-        if self.login_handler is None:
-            return False
-        return bool(self.login_handler.get_login_available(self.settings))
+        return self.identity_provider.login_available
 
     @property
     def authorizer(self):
@@ -628,8 +629,9 @@ def template_namespace(self):
             default_url=self.default_url,
             ws_url=self.ws_url,
             logged_in=self.logged_in,
-            allow_password_change=self.settings.get("allow_password_change"),
-            login_available=self.login_available,
+            allow_password_change=getattr(self.identity_provider, "allow_password_change", False),
+            auth_enabled=self.identity_provider.auth_enabled,
+            login_available=self.identity_provider.login_available,
             token_available=bool(self.token),
             static_url=self.static_url,
             sys_info=json_sys_info(),

jupyter_server/base/handlers.py

@@ -251,6 +251,7 @@ def _configurable_serverapp(
         c = Config(config)
         c.NotebookNotary.db_file = ":memory:"
         token = hexlify(os.urandom(4)).decode("ascii")
+        c.IdentityProvider.token = token
 
         # Allow tests to configure root_dir via a file, argv, or its
         # default (cwd) by specifying a value of None.
@@ -266,7 +267,6 @@ def _configurable_serverapp(
             base_url=base_url,
             config=c,
             allow_root=True,
-            token=token,
             **kwargs,
         )
 
@@ -329,7 +329,7 @@ def jp_web_app(jp_serverapp):
 @pytest.fixture
 def jp_auth_header(jp_serverapp):
     """Configures an authorization header using the token from the serverapp fixture."""
-    return {"Authorization": f"token {jp_serverapp.token}"}
+    return {"Authorization": f"token {jp_serverapp.identity_provider.token}"}
 
 
 @pytest.fixture