You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2022/08/13 23:35:24 UTC
[GitHub] [superset] dusatvoj opened a new issue, #21081: Superset can't connect with Keycloak IdP
dusatvoj opened a new issue, #21081:
URL: https://github.com/apache/superset/issues/21081
I'm using superset `1.4.2` with [this](https://stackoverflow.com/questions/54010314/using-keycloakopenid-connect-with-apache-superset) keycloak integration.
There's a problem while upgrading to superset `1.5.0`+, bcs `flask-oidc==1.4.0` needs another major version of `pyparsing` than SS `1.5.0`+. So I wanted to manage OAuth2 / OIDC login via [official guide](https://superset.apache.org/docs/installation/configuring-superset/#custom-oauth2-configuration) and it's not working.
I've looked even into [appbuilder docs](https://flask-appbuilder.readthedocs.io/en/latest/security.html#authentication-oauth) for recommended keycloak setup, even tried OIDC setup via your `Note` in your docs but I can't make it works.
There are 2 different issues on which your guide fails:
```
ERROR:flask_appbuilder.security.views:Error returning OAuth user info: 'Response' object has no attribute 'data'
```
or
```
ERROR:flask_appbuilder.security.manager:OAUTH userinfo does not have username or email {}
```
... depends on configuration.
Configuration of `OAUTH_PROVIDERS`:
```
AUTH_TYPE = AUTH_OAUTH
OAUTH_PROVIDERS = [
{ 'name':'keycloak',
'token_key':'access_token', # Name of the token in the response of access_token_url
'icon':'fa-address-card', # Icon for the provider
'remote_app': {
'client_id':'client_id', # Client Id (Identify Superset application)
'client_secret':'client_secret', # Secret for this Client Id (Identify Superset application)
'server_metadata_url': 'https://KC_DOMAIN/realms/REALM/.well-known/openid-configuration'
}
}
]
### OR ###
OAUTH_PROVIDERS = [
{
"name": "keycloak",
"icon": "fa-key",
"token_key": "access_token",
"remote_app": {
"client_id": "client_id",
"client_secret": "client_secret",
"api_base_url": "https://KC_DOMAIN/realms/REALM/protocol/openid-connect",
"client_kwargs": {
"scope": "email profile"
},
"access_token_url": "https://KC_DOMAIN/realms/REALM/protocol/openid-connect/token",
"authorize_url": "https://KC_DOMAIN/realms/REALM/protocol/openid-connect/auth",
"request_token_url": None,
},
}
]
```
_(I've even tried to change a name not to appbuilder keyword, etc.)_
```
import logging
from superset.security import SupersetSecurityManager
class CustomSsoSecurityManager(SupersetSecurityManager):
def oauth_user_info(self, provider, response=None):
logging.debug("Oauth2 provider: {0}.".format(provider))
if provider == 'keycloak':
# As example, this line request a GET to base_url + '/' + userDetails with Bearer Authentication,
# and expects that authorization server checks the token, and response with user details
me = self.appbuilder.sm.oauth_remotes[provider].get('userinfo').data
logging.debug("user_data: {0}".format(me))
return { 'name' : me['name'], 'email' : me['email'], 'id' : me['user_name'], 'username' : me['user_name'], 'first_name':'', 'last_name':''}
...
```
.... I've tried many variations of your override script.
Not working, Don't know why.
#### How to reproduce the bug
Written above
### Expected results
can login
### Actual results
It's broken somehow ; can't login
#### Screenshots
N/A
### Environment
(please complete the following information):
- browser type and version: any
- superset version: `1.4.2`
- python version: `3.8.7`
- node.js version: `14.19.3`
- any feature flags active:
```
FEATURE_FLAGS = {
'ALERT_REPORTS': True,
'DASHBOARD_RBAC': True
}
```
### Checklist
Make sure to follow these steps before submitting your issue - thank you!
- [x] I have checked the superset logs for python stacktraces and included it here as text if there are any.
- [ ] I have reproduced the issue with at least the latest released version of superset. **No - can't upgrade without working OIDC integration -> possible fire up flask-oidc**
- [x] I have checked the issue tracker for the same issue and I haven't found one similar. **Nothing helped to me**
Thank's for any help
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
Re: [I] Superset can't connect with Keycloak IdP [superset]
Posted by "rusackas (via GitHub)" <gi...@apache.org>.
rusackas closed issue #21081: Superset can't connect with Keycloak IdP
URL: https://github.com/apache/superset/issues/21081
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
Re: [I] Superset can't connect with Keycloak IdP [superset]
Posted by "rusackas (via GitHub)" <gi...@apache.org>.
rusackas commented on issue #21081:
URL: https://github.com/apache/superset/issues/21081#issuecomment-1936456526
This version of Superset is no longer supported. If anyone is still encountering this in current versions (3.x) please open a new Issue or a PR to address the problem.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org