Posted to notifications@superset.apache.org by "daniilvohromeev (via GitHub)" <gi...@apache.org> on 2023/11/07 18:06:47 UTC
[I] To many redirects OIDC [superset]
daniilvohromeev opened a new issue, #25895:
URL: https://github.com/apache/superset/issues/25895
I encountered an issue with redirecting to the login page when attempting to implement custom user fields and integrate OpenID support in Superset. It may seem like a trivial issue, but I have limited experience, and I'm not sure how to resolve this problem. Below is the code of my implementation:
`
from flask import redirect, request, flash
from flask_appbuilder import expose
from flask_appbuilder.security.manager import AUTH_OID
from sqlalchemy import Column, String
from werkzeug.security import generate_password_hash
from superset.security import SupersetSecurityManager
from flask_oidc import OpenIDConnect
from flask_appbuilder.security.views import AuthOIDView
from flask_login import login_user, logout_user
from flask_appbuilder.security.sqla.models import User
from urllib.parse import quote
import logging
from sqlalchemy.exc import SQLAlchemyError

logger = logging.getLogger()


# Custom User class
class CustomUser(User):
    __tablename__ = 'ab_user'
    main_inn = Column(String(12))
    head_inn = Column(String(12))


# OIDC Security Manager
class OIDCSecurityManager(SupersetSecurityManager):
    user_model = CustomUser

    def __init__(self, appbuilder):
        super(OIDCSecurityManager, self).__init__(appbuilder)
        if self.auth_type == AUTH_OID:
            self.oid = OpenIDConnect(self.appbuilder.get_app)
        self.authoidview = AuthOIDCView

    def add_user(self, username, first_name, last_name, email, role, password='',
                 main_inn="", head_inn=""):
        user = self.find_user(username=username)
        if user:
            logger.error(f"User with username {username} already exists.")
            return user
        user = self.user_model()
        user.first_name = first_name
        user.last_name = last_name
        user.username = username
        user.email = email
        user.password = generate_password_hash(password)
        user.main_inn = main_inn
        user.head_inn = head_inn
        user.roles = role if isinstance(role, list) else [role]
        try:
            self.get_session.add(user)
            self.get_session.commit()
        except SQLAlchemyError as e:
            self.get_session.rollback()
            logger.error(f"Error adding user: {e}")
            raise
        return user


# AuthOIDCView
class AuthOIDCView(AuthOIDView):
    @expose('/login/', methods=['GET', 'POST'])
    def login(self):
        sm = self.appbuilder.sm
        oidc = sm.oid

        @oidc.require_login
        def handle_login():
            try:
                info = oidc.user_getinfo([
                    'preferred_username', 'given_name', 'family_name', 'email',
                    'roles', 'inn', 'headINNName'
                ])
                user = sm.find_user(info.get('email'))
                if user is None:
                    # Query roles from Superset and filter based on OIDC roles
                    superset_roles = sm.get_all_roles()
                    user_roles = [role for role in superset_roles if
                                  role.name in info.get('roles', [])]
                    # If no roles are found, assign a default role
                    if not user_roles:
                        default_role = sm.find_role(sm.auth_user_registration_role)
                        user_roles = [default_role] if default_role else []
                    # Create the user with the roles
                    user = sm.add_user(
                        username=info.get('preferred_username'),
                        first_name=info.get('given_name'),
                        last_name=info.get('family_name'),
                        email=info.get('email'),
                        role=user_roles,
                        main_inn=info.get('inn'),
                        head_inn=info.get('headINNName')
                    )
                # Check if the user exists and is active
                if user and user.is_active:
                    login_user(user, remember=False)
                    return redirect('/welcome/superset')
                else:
                    flash('Your account is not active', 'warning')
                    return redirect('/login/')
            except Exception as e:
                logger.error(f'OIDC login failed: {e}')
                flash('Authentication failed', 'danger')
                return redirect('/login/')

        return handle_login()

    @expose('/logout/', methods=['GET', 'POST'])
    def logout(self):
        logout_user()
        oidc = self.appbuilder.sm.oid
        oidc.logout()
        redirect_url = request.url_root.strip('/')
        issuer = oidc.client_secrets.get('issuer')
        if issuer:
            return redirect(
                f"{issuer}/protocol/openid-connect/logout?redirect_uri={quote(redirect_url)}")
        flash('Failed to log out', 'warning')
        return redirect('/')
`
And here are some logs:
`superset_app | Loaded your LOCAL configuration at [/app/docker/pythonpath_dev/superset_config.py]
superset_app | 127.0.0.1 - - [07/Nov/2023:17:39:24 +0000] "GET /health HTTP/1.1" 200 2 "-" "curl/7.88.1"
superset_app | 172.18.0.1 - - [07/Nov/2023:17:39:27 +0000] "GET / HTTP/1.1" 302 223 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
superset_app | 2023-11-07 17:39:27,943:WARNING:root:Class 'werkzeug.local.LocalProxy' is not mapped
superset_app | 172.18.0.1 - - [07/Nov/2023:17:39:27 +0000] "GET /superset/welcome/ HTTP/1.1" 302 201 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
superset_app | 172.18.0.1 - - [07/Nov/2023:17:39:27 +0000] "GET /login/ HTTP/1.1" 302 1283 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
superset_app | 172.18.0.1 - - [07/Nov/2023:17:39:28 +0000] "GET / HTTP/1.1" 302 223 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
superset_app | 2023-11-07 17:39:28,802:WARNING:root:Class 'werkzeug.local.LocalProxy' is not mapped
superset_app | 172.18.0.1 - - [07/Nov/2023:17:39:28 +0000] "GET /superset/welcome/ HTTP/1.1" 302 201 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
superset_app | 172.18.0.1 - - [07/Nov/2023:17:39:28 +0000] "GET /login/ HTTP/1.1" 302 1283 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
superset_app | 2023-11-07 17:39:31,136:INFO:oauth2client.client:Successfully retrieved access token
superset_app | 172.18.0.1 - - [07/Nov/2023:17:39:31 +0000] "GET /oidc_callback?state=eyJjc3JmX3Rva2VuIjogIlpTZEZnelhJUHdUXzZGOTVqaVE0eG1zWUhYZkpqOS1hIiwgImRlc3RpbmF0aW9uIjogImV5SmhiR2NpT2lKSVV6VXhNaUo5LkltaDBkSEE2THk5c2IyTmhiR2h2YzNRNk9EQTRPQzlzYjJkcGJpOGkuckVPcjVLSVcteGZQWnZSVWZNRzVzOTQ4NHBiaWtlTXFOYWhNbVB5dlZaMjhnb3VuT1J5TmR0MXJoM2NzRTRCUGlKNXByY04yOHZJbDViYngxNkx2elEifQ%3D%3D&session_state=5c15a0ad-d504-4386-bbb9-d60b17d49a18&code=c55bf75b-bdec-4683-afb8-055d2d4bffe8.5c15a0ad-d504-4386-bbb9-d60b17d49a18.9296707e-863b-4b70-92f5-b397b38e1db1 HTTP/1.1" 302 243 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
superset_app | 2023-11-07 17:39:31,146:ERROR:root:User with username testinn already exists.
superset_app | 172.18.0.1 - - [07/Nov/2023:17:39:31 +0000] "GET /login/ HTTP/1.1" 302 201 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
superset_app | 2023-11-07 17:39:31,153:ERROR:root:User with username testinn already exists.
superset_app | 172.18.0.1 - - [07/Nov/2023:17:39:31 +0000] "GET /login/ HTTP/1.1" 302 201 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
superset_app | 2023-11-07 17:39:31,159:ERROR:root:User with username testinn already exists.
superset_app | 172.18.0.1 - - [07/Nov/2023:17:39:31 +0000] "GET /login/ HTTP/1.1" 302 201 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
superset_app | 2023-11-07 17:39:31,165:ERROR:root:User with username testinn already exists.
superset_app | 172.18.0.1 - - [07/Nov/2023:17:39:31 +0000] "GET /login/ HTTP/1.1" 302 201 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
superset_app | 2023-11-07 17:39:31,172:ERROR:root:User with username testinn already exists.
superset_app | 172.18.0.1 - - [07/Nov/2023:17:39:31 +0000] "GET /login/ HTTP/1.1" 302 201 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
superset_app | 2023-11-07 17:39:31,179:ERROR:root:User with username testinn already exists.
superset_app | 172.18.0.1 - - [07/Nov/2023:17:39:31 +0000] "GET /login/ HTTP/1.1" 302 201 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
superset_app | 2023-11-07 17:39:31,186:ERROR:root:User with username testinn already exists.
superset_app | 172.18.0.1 - - [07/Nov/2023:17:39:31 +0000] "GET /login/ HTTP/1.1" 302 201 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
superset_app | 2023-11-07 17:39:31,193:ERROR:root:User with username testinn already exists.
superset_app | 172.18.0.1 - - [07/Nov/2023:17:39:31 +0000] "GET /login/ HTTP/1.1" 302 201 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
superset_app | 2023-11-07 17:39:31,199:ERROR:root:User with username testinn already exists.
superset_app | 172.18.0.1 - - [07/Nov/2023:17:39:31 +0000] "GET /login/ HTTP/1.1" 302 201 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
superset_app | 2023-11-07 17:39:31,205:ERROR:root:User with username testinn already exists.
superset_app | 172.18.0.1 - - [07/Nov/2023:17:39:31 +0000] "GET /login/ HTTP/1.1" 302 201 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
superset_app | 2023-11-07 17:39:31,212:ERROR:root:User with username testinn already exists.
superset_app | 172.18.0.1 - - [07/Nov/2023:17:39:31 +0000] "GET /login/ HTTP/1.1" 302 201 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
superset_app | 2023-11-07 17:39:31,218:ERROR:root:User with username testinn already exists.
superset_app | 172.18.0.1 - - [07/Nov/2023:17:39:31 +0000] "GET /login/ HTTP/1.1" 302 201 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
superset_app | 2023-11-07 17:39:31,224:ERROR:root:User with username testinn already exists.
superset_app | 172.18.0.1 - - [07/Nov/2023:17:39:31 +0000] "GET /login/ HTTP/1.1" 302 201 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
superset_app | 2023-11-07 17:39:31,230:ERROR:root:User with username testinn already exists.
superset_app | 172.18.0.1 - - [07/Nov/2023:17:39:31 +0000] "GET /login/ HTTP/1.1" 302 201 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
superset_app | 2023-11-07 17:39:31,237:ERROR:root:User with username testinn already exists.
superset_app | 172.18.0.1 - - [07/Nov/2023:17:39:31 +0000] "GET /login/ HTTP/1.1" 302 201 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
superset_app | 2023-11-07 17:39:31,243:ERROR:root:User with username testinn already exists.
superset_app | 172.18.0.1 - - [07/Nov/2023:17:39:31 +0000] "GET /login/ HTTP/1.1" 302 201 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
superset_app | 2023-11-07 17:39:31,250:ERROR:root:User with username testinn already exists.
superset_app | 172.18.0.1 - - [07/Nov/2023:17:39:31 +0000] "GET /login/ HTTP/1.1" 302 201 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
superset_app | 2023-11-07 17:39:31,256:ERROR:root:User with username testinn already exists.
superset_app | 172.18.0.1 - - [07/Nov/2023:17:39:31 +0000] "GET /login/ HTTP/1.1" 302 201 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
superset_app | 2023-11-07 17:39:32,304:ERROR:root:User with username testinn already exists.
superset_app | 172.18.0.1 - - [07/Nov/2023:17:39:32 +0000] "GET /login/ HTTP/1.1" 302 201 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
superset_app | 2023-11-07 17:39:32,310:ERROR:root:User with username testinn already exists.
superset_app | 172.18.0.1 - - [07/Nov/2023:17:39:32 +0000] "GET /login/ HTTP/1.1" 302 201 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
superset_app | 2023-11-07 17:39:32,316:ERROR:root:User with username testinn already exists.
`
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
Re: [I] To many redirects OIDC [superset]
Posted by "daniilvohromeev (via GitHub)" <gi...@apache.org>.
daniilvohromeev commented on issue #25895:
URL: https://github.com/apache/superset/issues/25895#issuecomment-1819365355
> @daniilvohromeev Hi, I've encountered the same problem, have you managed to solve it?
Hi. Yes, now this problem seems to be my own foolishness. It was about the
user attribute 'active'. I made some edits in the logging and found out
that this value is not being set for the user. Because of this and the
recursive structure of the solution, there were infinite calls to the
endpoint /login. Essentially, the user is authenticated and the session
information is stored in cookies, but the logic in Superset wasn't handling
the 'active' parameter.
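The loop described in the reply above, reduced to a stdlib-only model (an added example, not part of the original post and not Superset or Flask-AppBuilder code). `User`, `login_as_posted`, `login_hardened`, `add_user`, `follow` and `MAX_HOPS` are hypothetical names, and `is_active` being derived from the stored `active` value is an assumption about the user model.

```python
"""Constructed model of the /login/ loop; stdlib only, no Superset imports."""
from dataclasses import dataclass
from typing import Optional

MAX_HOPS = 20  # assumed cap, standing in for the browser's redirect limit


@dataclass
class User:
    username: str
    active: Optional[bool] = None  # left unset, as the thread's add_user() did

    @property
    def is_active(self) -> bool:
        # Assumption: the flag is derived from the stored `active` column.
        return bool(self.active)


def login_as_posted(user):
    """Posted handler's tail: an inactive user is sent back to /login/."""
    if user.is_active:
        return 302, "/superset/welcome/"
    return 302, "/login/"  # OIDC session is still valid, so this repeats


def login_hardened(user):
    """Fail closed: an inactive account gets a terminal 403, not a redirect."""
    if user.is_active:
        return 302, "/superset/welcome/"
    return 403, None


def add_user(username, active=True):
    """Provisioning that sets `active` explicitly (hypothetical helper)."""
    return User(username=username, active=active)


def follow(handler, user, start="/login/"):
    """Follow redirects like a browser; return (hops, status, final_path)."""
    path = start
    for hop in range(1, MAX_HOPS + 1):
        status, location = handler(user)
        if status != 302 or location != start:
            return hop, status, location or path
        path = location
    return MAX_HOPS, 302, path  # the "too many redirects" outcome


if __name__ == "__main__":
    print(follow(login_as_posted, User("testinn")))      # loops
    print(follow(login_hardened, User("testinn")))       # stops at 403
    print(follow(login_as_posted, add_user("testinn")))  # reaches welcome
```

Setting the flag at provisioning time removes the loop for legitimate users, while the terminal 403 keeps a deliberately deactivated account out without bouncing it through the identity provider again.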
Re: [I] To many redirects OIDC [superset]
Posted by "daniilvohromeev (via GitHub)" <gi...@apache.org>.
daniilvohromeev closed issue #25895: To many redirects OIDC
URL: https://github.com/apache/superset/issues/25895
Re: [I] To many redirects OIDC [superset]
Posted by "NexZhu (via GitHub)" <gi...@apache.org>.
NexZhu commented on issue #25895:
URL: https://github.com/apache/superset/issues/25895#issuecomment-1818258985
@daniilvohromeev Hi, I've encountered the same problem, have you managed to solve it?
Re: [I] To many redirects OIDC [superset]
Posted by "daniilvohromeev (via GitHub)" <gi...@apache.org>.
daniilvohromeev commented on issue #25895:
URL: https://github.com/apache/superset/issues/25895#issuecomment-1819338623
Hi. Yes, now this problem seems to be my own foolishness. It was about the
user attribute 'active'. I made some edits in the logging and found out
that this value is not being set for the user. Because of this and the
recursive structure of the solution, there were infinite calls to the
endpoint /login. Essentially, the user is authenticated and the session
information is stored in cookies, but the logic in Superset wasn't handling
the 'active' parameter.
Mon, 20 Nov 2023 at 08:35, Nex Zhu ***@***.***>:
> @daniilvohromeev <https://github.com/daniilvohromeev> Hi, I've
> encountered the same problem, have you managed to solve it?
Re: [I] To many redirects OIDC [superset]
Posted by "NexZhu (via GitHub)" <gi...@apache.org>.
NexZhu commented on issue #25895:
URL: https://github.com/apache/superset/issues/25895#issuecomment-1820472830
@daniilvohromeev I think my case is different but thanks!