[Generic] extra_params not exposed for the authorize request
We are making various requests while working with authz (authorization) and authn (authentication). A common request is to do the initial authorization request with client_id, scope and response_type, redirect_uri etc. This is done in the oauth2.py file by relying on a tornado function that the class has inherited and can be read about here.
As we can see, we use the extra_params in a hardcoded fashion passing only a state, something very important to protect against CSRF to be explained elsewhere. But, we may want to pass additional parameters in this request, for example I’m now required by Okta to pass along one more to work well with them (which sadly is absurd).
Anyhow, we should allow these parameters to be configurable I think. But, also note that since we will make multiple types of requests, we must scope the parameters to the associated request. I know the generic.py file defines an extra_params traitlet:
But this extra_params is only used in the second request associated with OAUTH2_TOKEN_URL, the request of a token which can be used to fetch user information from the userinfo endpoint.
Conclusion
We can now, using generic.py’s GenericOAuthenticator, configure the extra params passed to the OAUTH2_TOKEN_URL, but we cannot configure the params passed to OAUTH2_USERDATA_URL or the initial request to OAUTH2_AUTHORIZE_URL.
Suggestion
We add traitlets to configure this, and name them related to AUTHORIZE, TOKEN, USERDATA.
NOTE: USERDATA is typically referred to as USERINFO in the Open ID Connect (OIDC) specifications (authorization_endpoint, token_endpoint, userinfo_endpoint)
Issue Analytics
- Created 5 years ago
- Reactions:2
- Comments:8 (4 by maintainers)
Top GitHub Comments
I faced the same challenge today and it’s not straightforward. Finally I fixed it by reading the code. My impression was that extra_params will be used for the authorization request as well, but it’s not. The quick-fix was to add my own custom parameter to the environment variable.
OAUTH2_AUTHORIZE_URL="https://auth.example.com/authorize?my_param=example"
It is my understanding from #338 that this is resolved now by configuring extra_authorize_params! Thank you @NickolausDS!
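
The following is an added example, not part of the original issue or of OAuthenticator's code. It shows how per-request extra parameters for the authorize request can be merged with parameters already embedded in the authorize URL (the environment-variable workaround above) while refusing any value that would replace `state` or the other core parameters. The helper names, the `prompt` parameter and all sample values are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

# Parameters the authorization request sets itself. "state" is the CSRF
# protection the issue mentions, so configured extras must never replace it.
RESERVED = {"client_id", "redirect_uri", "response_type", "state"}


def build_authorize_url(authorize_url, client_id, redirect_uri, state,
                        scope=(), extra_authorize_params=None):
    """Build the initial authorization request URL (hypothetical helper).

    Query parameters already in authorize_url (the environment-variable
    workaround) are kept, configured extras are merged in, and the core
    parameters are written last.
    """
    extras = dict(extra_authorize_params or {})
    parts = urlsplit(authorize_url)
    preset = dict(parse_qsl(parts.query, keep_blank_values=True))

    clash = RESERVED & (set(extras) | set(preset))
    if clash:
        raise ValueError(f"reserved authorize parameters set: {sorted(clash)}")

    params = {**preset, **extras}
    if scope:
        params["scope"] = " ".join(scope)
    params.update(client_id=client_id, redirect_uri=redirect_uri,
                  response_type="code", state=state)
    return parts._replace(query=urlencode(params), fragment="").geturl()


def authorize_params(url):
    """Return the query parameters of a built URL as a dict, for inspection."""
    return dict(parse_qsl(urlsplit(url).query))


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    url = build_authorize_url(
        "https://auth.example.com/authorize?my_param=example",
        client_id="jupyterhub",
        redirect_uri="https://hub.example.com/hub/oauth_callback",
        state="constructed-random-state",
        scope=["openid", "email"],
        extra_authorize_params={"prompt": "login"},
    )
    print(url)
```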