GitHubOAuthenticator: another way to check org_whitelist

[xuwaters]

Currently the algorithm of checking organization whitelist is to call
api /orgs/%s/members which requires the organization members to be publicly visible.

I think we can call api /user/orgs to get current user's orgs and check whether the login field of each org item is in the configured org_whitelist

Pros and Cons of this method:
Pros:

• only one api call (/user/orgs) to check user's membership instead of call (/orgs/%s/members) for each configured organization
• even organization members is not publicly visible, user's membership of organization can be checked correctly

Cons:

• require permission of user scope instead of read:user scope of the login user

[xuwaters]

Sorry, I don't think user scope is a good idea, which requires read/write access to profile info.

[manics]

You can already get access to private GitHub org memberships by changing .scope. The exact rules are a bit complicated though, for some discussion see:

• Organization-based GitHub authentication not working zero-to-jupyterhub-k8s#741
• Expected behavior with org_whitelist ? zero-to-jupyterhub-k8s#687

[xuwaters]

Thank you @manics
I followed your links and tested read:org scope, it works.

And I find another api GET /orgs/:org/members/:username,
I think this api is more efficient than get all members and check member login one by one.