Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2021/06/10 07:56:33 UTC

[GitHub] [superset] br4in1 opened a new issue #15081: Use PKCE to secure the authorization code flow

br4in1 opened a new issue #15081:
URL: https://github.com/apache/superset/issues/15081


   Hello, 
   
   I have an in-house-implemented Authorization server in NodeJS and I would like to use it to authenticate users to Superset. By reading the documentation, the only way to secure the authorization code flow is by using a **client_secret**. In my case, I would like to use the [Proof Key for Code Exchange](https://oauth.net/2/pkce/) mechanism. It is also important to mention that Authlib, the library that Superset uses to do OAuth, implements **PKCE** out of the box. May anyone guide me through the process of integrating it into Superset?
   
   Any help will be appreciated. Thank you.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org


[GitHub] [superset] Ceridan commented on issue #15081: Use PKCE to secure the authorization code flow

Posted by GitBox <gi...@apache.org>.
Ceridan commented on issue #15081:
URL: https://github.com/apache/superset/issues/15081#issuecomment-858597271


   You may set up PKCE by passing the `code_challenge_method` in the `client_kwargs`. Here is an example of the custom OAUTH provider setup. Be sure that your server side supports PKCE too.
   
   ```python
   import os  # needed for the os.environ lookups below

   # Custom OAuth provider entry for Superset's OAUTH_PROVIDERS list (superset_config.py).
   CUSTOM_OAUTH_PROVIDER = {
       "name": "myAUTH",
       "icon": "fa-empire",
       "token_key": "access_token",
       "remote_app": {
           "client_id": os.environ["AUTH_KEY"],
           "client_secret": os.environ["AUTH_SECRET"],
           "api_base_url": "https://example.com",
           # client_kwargs are forwarded to the Authlib OAuth client;
           # code_challenge_method makes it send a PKCE challenge on /authorize
           # and the matching code_verifier on the token request.
           "client_kwargs": {
               "scope": "profile email",
               "code_challenge_method": "S256",
           },
           "request_token_url": None,
           "access_token_url": "https://example.com/token",
           "authorize_url": "https://example.com/authorize",
       },
   }
   ```

