mandeeplohan opened a new issue #17862:
URL: https://github.com/apache/superset/issues/17862


   We configured Superset_config.py as suggested on the documentation page 
and a custom SSO as suggested in the documentation. It is getting authenticated 
using OIDC and returning with a valid code. However, it is not proceeding after 
that. The error is:
   
   authlib.integrations.base_client.errors.OAuthError: invalid_client: The 
client MUST NOT use more than one authentication method in each request.
   superset_app            | 2021-12-23 
14:19:50,024:ERROR:superset.views.base:invalid_client: The client MUST NOT use 
more than one authentication method in each request.
   superset_app            | Traceback (most recent call last):
   
   Changes in Superset_config.py file*****
   
   from custom_sso_security_manager import CustomSsoSecurityManager
   from flask_appbuilder.security.manager import AUTH_OAUTH, AUTH_OID
   
   CUSTOM_SECURITY_MANAGER = CustomSsoSecurityManager
   AUTH_TYPE = AUTH_OAUTH
   
   OAUTH_PROVIDERS = [
       {
           'name': 'PING',
           'token_key': 'access_token',  # Name of the token in the response of access_token_url
           'icon': 'fa-address-card',  # Icon for the provider
           'remote_app': {
               'client_id': 'client_id',  # Client Id (Identify Superset application)
               'client_secret': 'client_secret',  # Secret for this Client Id (Identify Superset application)
               'client_kwargs': {
                   'scope': 'openid profile address email phone',  # Scope for the Authorization
               },
               'access_token_method': 'POST',  # HTTP Method to call access_token_url
               'access_token_params': {  # Additional parameters for calls to access_token_url
                   'client_id': 'client_id',
                   'grant_type': 'authorization_code',
                   'client_secret': 'client_secret',
                   'redirect_uri': 'http://url-blaa-bla:8088/'
               },
               'access_token_headers': {  # Additional headers for calls to access_token_url
                   'Authorization': 'Basic Base64EncodedClientIdAndSecret',
                   'Content-Type': 'application/x-www-form-urlencoded'
               },
               'api_base_url': 'api_base_url',
               'access_token_url': 'access_token_url',
               'authorize_url': 'authorize_url'
           }
       }
   ]
   
   AUTH_USER_REGISTRATION = True
   AUTH_USER_REGISTRATION_ROLE = "Public"
   
   #***********
   
   Actual results
   Authentication happening with GET call and returning with a valid code and 
state on the browser.
   
   what actually happens.
   
   http://url-bla-bla:8088/
   
   Enter MS ID and password
   
   Auth success
   
   in browser it comes with a valid code:
   
https://url-bla-bla:8088/oauth-authorized/PING?code=aaaaaaaaaaaaaaaaa&state=bbbbbbbbbbb.cccccccccc.ddddddd-ffffff-gggggggg-Y
   
   Error on browser is "invalid redirect uri"
   
   LOGS:
   superset_app | 2021-09-20 
14:45:19,097:DEBUG:authlib.integrations.base_client.base_app:Saving authorize 
data: {'redirect_uri': 'http://localhost:8088/oauth-authorized/PING', 'nonce': 
'S6JvBApadi4z3wOIyMWE', 'url': 
'https://url/as/authorization.oauth2?response_type=code&client_id=client_id&redirect_uri=http%3A%2F%2Flocalhost%3A8088%2Foauth-authorized%2FPING&scope=openid+profile+address+email+phone&state=aaaaaaa.bbbbbbb.cccccc-ddddd-eeeee-Y&nonce=S6JvBApadi4z3wOIyKVU',
 'state': 'eyL0eEAiOiMNS1QiLCJhbGciOiJIUzI1NiJ9.eeeeeee.bbbbbb-vvvvv-vvvvvv-Y'}
   superset_app | 172.18.0.1 - - [20/Sep/2021:14:45:19 +0000] "GET 
/login/PING?next= HTTP/1.1" 302 951 "http://localhost:8088/login/"; "Mozilla/5.0 
(Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/93.0.4577.82 Safari/537.36"
   superset_app | 127.0.0.1 - - [20/Sep/2021:14:45:22 +0000] "GET /health 
HTTP/1.1" 200 2 "-" "curl/7.64.0"
   
   How to reproduce the bug
   Git clone: https://github.com/apache/superset.git
   configure superset_config.py with OAuth changes
   add a custom sso file as defined in documentation
   build docker image : docker build -t superset-dev:latest .
   docker-compose -f docker-compose-non-dev.yml up
   http://localhost:8088/
   enter MS id and password
   Auth success
   in browser it comes with a valid code:
   
https://localhost:8088/oauth-authorized/PING?code=aaaaaaaaaaaaaaaaa&state=bbbbbbbbbbb.cccccccccc.ddddddd-ffffff-gggggggg-Y
   Error on browser is "This site can’t be reached"
   Environment
   Local : https://localhost:8088/
   
   (please complete the following information):
   
   File 
"/usr/local/lib/python3.8/site-packages/authlib/integrations/requests_client/oauth2_session.py",
 line 117, in handle_error
   superset_app            |     raise OAuthError(error_type, error_description)
   superset_app            | 
authlib.integrations.base_client.errors.OAuthError: invalid_client: The client 
MUST NOT use more than one authentication method in each request.
   superset_app            | 2021-12-23 
14:19:50,024:ERROR:superset.views.base:invalid_client: The client MUST NOT use 
more than one authentication method in each request.
   superset_app            | Traceback (most recent call last):
   superset_app            |   File 
"/usr/local/lib/python3.8/site-packages/flask/app.py", line 1950, in 
full_dispatch_request
   superset_app            |     rv = self.dispatch_request()
   superset_app            |   File 
"/usr/local/lib/python3.8/site-packages/flask/app.py", line 1936, in 
dispatch_request
   superset_app            |     return 
self.view_functions[rule.endpoint](**req.view_args)
   superset_app            |   File 
"/usr/local/lib/python3.8/site-packages/flask_appbuilder/security/views.py", 
line 659, in oauth_authorized
   superset_app            |     resp = 
self.appbuilder.sm.oauth_remotes[provider].authorize_access_token()
   superset_app            |   File 
"/usr/local/lib/python3.8/site-packages/authlib/integrations/flask_client/remote_app.py",
 line 76, in authorize_access_token
   superset_app            |     token = self.fetch_access_token(**params)
   superset_app            |   File 
"/usr/local/lib/python3.8/site-packages/authlib/integrations/base_client/remote_app.py",
 line 112, in fetch_access_token
   superset_app            |     token = client.fetch_token(token_endpoint, 
**kwargs)
   superset_app            |   File 
"/usr/local/lib/python3.8/site-packages/authlib/oauth2/client.py", line 203, in 
fetch_token
   superset_app            |     return self._fetch_token(
   superset_app            |   File 
"/usr/local/lib/python3.8/site-packages/authlib/oauth2/client.py", line 226, in 
_fetch_token
   superset_app            |     return self.parse_response_token(resp.json())
   superset_app            |   File 
"/usr/local/lib/python3.8/site-packages/authlib/oauth2/client.py", line 380, in 
parse_response_token
   superset_app            |     self.handle_error(error, description)
   superset_app            |   File 
"/usr/local/lib/python3.8/site-packages/authlib/integrations/requests_client/oauth2_session.py",
 line 117, in handle_error
   superset_app            |     raise OAuthError(error_type, error_description)
   superset_app            | 
authlib.integrations.base_client.errors.OAuthError: invalid_client: The client 
MUST NOT use more than one authentication method in each request.
   superset_app            | 10.175.238.7 - - [23/Dec/2021:14:19:50 +0000] "GET 
/oauth-authorized/PING?code=GYAb-14DB_65NwWzDSQiw4AUzeGpvc04Oasasasasas&state=eyJ0eXAiOiJKV1QiLCJhbGciqwqwwweeUzI1NiJ9.eyJuZXh0IjpbIiJdfQ.fdfto7RZFzoca-sdsdsdsd-jsGjhSPMH_ltWoj85-Y
 HTTP/1.1" 500 0 "https://hats-superset.mandeep.com/"; "Mozilla/5.0 (Macintosh; 
Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/96.0.4664.110 Safari/537.36"
   
   


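Added example (not part of the original issue, and not Superset or Authlib code): a small linter that counts the places where an OAUTH_PROVIDERS entry would send client credentials to the token endpoint, and compares a redirect_uri pinned in access_token_params with the callback recorded in the posted debug log. The function names and the SINGLE_SOURCE variant are hypothetical; which single authentication method the identity provider accepts is an assumption to confirm against its client registration.

```python
# Added example: lint a Flask-AppBuilder OAUTH_PROVIDERS entry (sample values are constructed).

def credential_sources(app):
    """List every place this remote_app would send client credentials to the token endpoint."""
    sources = []
    kwargs = app.get("client_kwargs", {})
    # Authlib authenticates the client itself when client_secret is set
    # (client_secret_basic unless token_endpoint_auth_method says otherwise).
    if app.get("client_secret") and kwargs.get("token_endpoint_auth_method") != "none":
        sources.append("library: " + kwargs.get("token_endpoint_auth_method", "client_secret_basic"))
    headers = {k.lower(): v for k, v in app.get("access_token_headers", {}).items()}
    if headers.get("authorization", "").lower().startswith("basic "):
        sources.append("access_token_headers: Authorization Basic")
    if "client_secret" in app.get("access_token_params", {}):
        sources.append("access_token_params: client_secret")
    return sources

def lint_provider(provider, callback_uri):
    """callback_uri: the redirect_uri that was sent in the authorization request."""
    app = provider["remote_app"]
    findings = []
    sources = credential_sources(app)
    if len(sources) > 1:
        findings.append("client credentials configured in %d places: %s"
                        % (len(sources), "; ".join(sources)))
    pinned = app.get("access_token_params", {}).get("redirect_uri")
    if pinned is not None and pinned != callback_uri:
        findings.append("token request redirect_uri %r != authorization redirect_uri %r"
                        % (pinned, callback_uri))
    return findings

CALLBACK = "http://localhost:8088/oauth-authorized/PING"  # value from the posted debug log

# Mirrors the relevant keys of the configuration in the issue (placeholders kept as posted).
AS_POSTED = {"name": "PING", "remote_app": {
    "client_id": "client_id", "client_secret": "client_secret",
    "access_token_params": {"client_id": "client_id", "grant_type": "authorization_code",
                            "client_secret": "client_secret",
                            "redirect_uri": "http://url-blaa-bla:8088/"},
    "access_token_headers": {"Authorization": "Basic Base64EncodedClientIdAndSecret"},
}}

# Constructed variant: credentials only on the remote_app, no manual header or body copies.
SINGLE_SOURCE = {"name": "PING", "remote_app": {
    "client_id": "client_id", "client_secret": "client_secret",
    "client_kwargs": {"scope": "openid profile address email phone"},
}}

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("single source", SINGLE_SOURCE)):
        print(label, lint_provider(cfg, CALLBACK) or "no findings")
```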