User access with GoogleOAuthenticator fails over time unless Hub pod is restarted

[tadeha]

Bug description

When configuring GoogleOAuthenticator in JupyterHub with allow_all = False and providing a list of allowed users, the allowed users are intermittently denied access. After a few hours of uptime, these users receive a 403 Forbidden error when trying to access the hub.

The issue resolves temporarily after restarting the Hub pod. However, after another few hours, the same problem recurs.

Additionally, in the logs prior to restarting the Hub pod, when an affected user tries to access the hub UI, the following message appears:

User 'X' not allowed.

Even though 'X' is on the allowed users list and was previously able to log in after the last restart.

Your personal set up

zero-to-jupyterhub

• Version(s): Chart Version 3.3.7

Configuration

Auth Configs:
set {
name = "hub.config.Authenticator.auto_login"
value = true
}

set {
name = "hub.config.GoogleOAuthenticator.allow_all"
value = false
}

set {
name = "hub.config.GoogleOAuthenticator.allow_existing_users"
value = true
}

set_list {
name = "hub.config.GoogleOAuthenticator.allowed_users"
value = var.allowed_users *
}

set {
name = "hub.config.JupyterHub.authenticator_class"
value = "google"
}

• allowed_users is a list of user emails (without @email.com) that are allowed to login.
• Removed the client ID, secret ID, and callback URL.

[manics]

Please can you enable debug logging, and show us the hub and singleuser logs including surrounding context for the user logging in the first time successfully, and the user being subsequently denied?

[tadeha]

After debug logs are enabled, for a user who exists inside the list:

User: USER-X
Outcome: ❌ Login Failed (User Not Allowed)

---

OAuth Redirect Flow

13:43:54.295 [INFO]  Redirect: / → /hub/
13:43:54.322 [INFO]  Redirect: /hub/ → /hub/login?next=/hub/
13:43:54.374 [INFO]  Redirect: /hub/login → /hub/oauth_login
13:43:54.395 [INFO]  OAuth redirect to: /hub/oauth_callback
13:43:54.398 [DEBUG] Set cookie: oauthenticator-state (httponly, expires in 1 day)
13:43:54.400 [INFO]  Redirect to Google OAuth endpoint

Duplicate Request (Possibly a Retry)

13:43:54.439 [INFO]  Redirect: / → /hub/
13:43:54.466 [INFO]  Redirect: /hub/ → /hub/login?next=/hub/
13:43:54.486 [INFO]  Redirect: /hub/login → /hub/oauth_login
13:43:54.507 [INFO]  OAuth redirect to: /hub/oauth_callback
13:43:54.509 [DEBUG] Set cookie: oauthenticator-state (httponly, expires in 1 day)
13:43:54.512 [INFO]  Redirect to Google OAuth endpoint

Error and Authentication Failure

13:43:55.004 [DEBUG] Reflector: Events watcher timeout
13:43:55.005 [DEBUG] Reflector: Reconnecting events watcher

13:43:55.041 [WARN]  Authentication failed: User 'USER-X' not allowed
13:43:55.041 [WARN]  Login failed for unknown user
13:43:55.042 [WARN]  403 Forbidden: /hub/oauth_callback (state and code parameters omitted)
13:43:55.042 [DEBUG] No template found for 403 error page

---

After restarting the Hub's pod:

User: USER-X
Login Status: ✅ Successful
Activity: Spawn initiated

---

Login and Authentication Flow

13:44:51.888 [DEBUG] Health check: /hub/health (from IP)
13:44:52.078 [DEBUG] Assigned default role to user: USER-X
13:44:52.081 [DEBUG] Set cookie: jupyterhub-hub-login (httponly, path=/hub/)
13:44:52.082 [INFO]  Set new XSRF cookie
13:44:52.082 [INFO]  User logged in: USER-X
13:44:52.083 [INFO]  Redirect: /hub/oauth_callback → /hub/

Spawn Process Initiation

13:44:52.111 [DEBUG] Recorded first activity for user
13:44:52.121 [DEBUG] Created spawner: KubeSpawner for user
13:44:52.128 [INFO]  Redirect: /hub/ → /hub/spawn
13:44:52.156 [DEBUG] Access check to /hub/spawn via scope: servers
13:44:52.179 [DEBUG] Served spawn options form for user
13:44:52.220 [INFO]  200 OK: /hub/spawn served successfully

System Activity & Health Checks

13:44:53.866 [DEBUG] Health check: /hub/health
13:44:55.866 [DEBUG] Health check: /hub/health
13:44:56.419 [INFO]  Redirect: / → /hub/ (from ::ffff:IP)
13:44:56.652 [DEBUG] Pods watcher timeout → reconnecting
13:44:59.866 [DEBUG] Health check: /hub/health
13:45:00.061 [INFO]  Redirect: / → /hub/ (from ::ffff:IP)
13:45:00.959 [DEBUG] Access check to /hub/spawn via scope: servers

[consideRatio]

I recall a fix related to this in the oauthenticator project, are you able to upgrade the helm chart to get the most recent version of oauthenticator?

Helm chart 3.3.7 has oauthenticator 16.3 (

zero-to-jupyterhub-k8s/images/hub/requirements.txt

Line 108 in 71ecf69

oauthenticator==16.3.0

)

[tadeha]

Thanks. I will try upgrading and let you know if it fixes it.

[tadeha]

Updating looks like fixing the issue. Will re-open if we see the error again. Thank you.

[tadeha]

Unfortunately, the issue stays there after the upgrade, also.

One observation I had, which I think is related:
I enabled admin user for myself on Friday, there were 3 active users: me, and 2 others. We have a total of 20 users in JH. When I was checking the Admin page, 20 users were showing, but after some time passed, and I refreshed the page, the users page from Admin UI was showing only those 3. I thought it was a UI bug, I restarted the pod, and then it started showing those 20.
So, one assumption I am starting to have is that suddenly it stops loading the inactive users from the DB and shows them 403. Since two of the active users from Friday, including me, tried to access it today and we were seeing this 403 page.

[tadeha]

I can confirm my theory. I wrote a small script that would show the users from the DB connecting to the JH Hub Pod:

import asyncio
from sqlalchemy.orm import load_only, raiseload

from jupyterhub.app import JupyterHub
from jupyterhub import orm

def connect_db():
    """Connect to the JupyterHub database"""
    hub = JupyterHub()
    hub.load_config_file(hub.config_file)
    db_url = hub.db_url
    print(f"Connecting to {db_url}")
    db = orm.new_session_factory(db_url, **hub.db_kwargs)()
    return db

async def main():
    db = connect_db()
    db.get_bind().echo = True

    users = db.query(orm.User).options(load_only(orm.User.name, orm.User.admin)).options(raiseload('*')).all()
    for user in users:
        print(f"Username: {user.name}, Admin: {user.admin}")


if __name__ == "__main__":
    asyncio.run(main())

The results with the problematic pod:

Connecting to sqlite:///jupyterhub.sqlite
2025-05-18 08:41:33,352 INFO sqlalchemy.engine.Engine BEGIN (implicit)
2025-05-18 08:41:33,352 INFO sqlalchemy.engine.Engine SELECT 1
2025-05-18 08:41:33,352 INFO sqlalchemy.engine.Engine [cached since 0.05473s ago] ()
2025-05-18 08:41:33,353 INFO sqlalchemy.engine.Engine COMMIT
2025-05-18 08:41:33,353 INFO sqlalchemy.engine.Engine BEGIN (implicit)
2025-05-18 08:41:33,355 INFO sqlalchemy.engine.Engine SELECT users.id AS users_id, users.name AS users_name, users.admin AS users_admin
FROM users
2025-05-18 08:41:33,355 INFO sqlalchemy.engine.Engine [generated in 0.00011s] ()

After restarting the pod:

I also confirmed it directly via connecting to the jupyterhub.sqlite DB inside the pod and querying via the CLI.