dusatvoj opened a new issue, #21081:
URL: https://github.com/apache/superset/issues/21081

   I'm using superset `1.4.2` with [this](https://stackoverflow.com/questions/54010314/using-keycloakopenid-connect-with-apache-superset) keycloak integration.
   There's a problem while upgrading to superset `1.5.0`+, because `flask-oidc==1.4.0` needs another major version of `pyparsing` than SS `1.5.0`+. So I wanted to manage OAuth2 / OIDC login via the [official guide](https://superset.apache.org/docs/installation/configuring-superset/#custom-oauth2-configuration) and it's not working.
   
   I've even looked into the [appbuilder docs](https://flask-appbuilder.readthedocs.io/en/latest/security.html#authentication-oauth) for the recommended keycloak setup, and even tried the OIDC setup via your `Note` in your docs, but I can't make it work.
   
   There are 2 different issues on which your guide fails:
   ```
   ERROR:flask_appbuilder.security.views:Error returning OAuth user info: 'Response' object has no attribute 'data'
   ```
   or
   ```
   ERROR:flask_appbuilder.security.manager:OAUTH userinfo does not have username or email {}
   ```
   ... depends on configuration.
   
   
   Configuration of `OAUTH_PROVIDERS`:
   ```
   from flask_appbuilder.security.manager import AUTH_OAUTH

   AUTH_TYPE = AUTH_OAUTH
   OAUTH_PROVIDERS = [
     {   'name':'keycloak',
         'token_key':'access_token', # Name of the token in the response of access_token_url
         'icon':'fa-address-card',   # Icon for the provider
         'remote_app': {
             'client_id':'client_id',  # Client Id (Identify Superset application)
             'client_secret':'client_secret', # Secret for this Client Id (Identify Superset application)
             'server_metadata_url': 'https://KC_DOMAIN/realms/REALM/.well-known/openid-configuration'
         }
     }
   ]
   
   ### OR ###
   
   OAUTH_PROVIDERS = [
       {
           "name": "keycloak",
           "icon": "fa-key",
           "token_key": "access_token",
           "remote_app": {
               "client_id": "client_id",
               "client_secret": "client_secret",
               "api_base_url": "https://KC_DOMAIN/realms/REALM/protocol/openid-connect",
               "client_kwargs": {
                   "scope": "email profile"
               },
               "access_token_url": "https://KC_DOMAIN/realms/REALM/protocol/openid-connect/token",
               "authorize_url": "https://KC_DOMAIN/realms/REALM/protocol/openid-connect/auth",
               "request_token_url": None,
           },
       }
   ]
   ```
   _(I've even tried to change a name not to appbuilder keyword, etc.)_
   
   ```
   import logging
   from superset.security import SupersetSecurityManager
   
   class CustomSsoSecurityManager(SupersetSecurityManager):
       def oauth_user_info(self, provider, response=None):
           logging.debug("Oauth2 provider: {0}.".format(provider))
           if provider == 'keycloak':
               # As an example, this line requests a GET to base_url + '/' + userDetails
               # with Bearer Authentication, and expects that the authorization server
               # checks the token and responds with user details
               me = self.appbuilder.sm.oauth_remotes[provider].get('userinfo').data
               logging.debug("user_data: {0}".format(me))
               return { 'name' : me['name'], 'email' : me['email'], 'id' : me['user_name'],
                        'username' : me['user_name'], 'first_name':'', 'last_name':''}
       ...
   ```
   .... I've tried many variations of your override script.
   
   Not working, Don't know why.
   
   #### How to reproduce the bug
   
   Written above
   
   ### Expected results
   
   can login
   
   ### Actual results
   
   It's broken somehow ; can't login
   
   #### Screenshots
   
   N/A
   
   
   ### Environment
   
   (please complete the following information):
   
   - browser type and version: any
   - superset version: `1.4.2`
   - python version: `3.8.7`
   - node.js version: `14.19.3`
   - any feature flags active:
      ```
      FEATURE_FLAGS = {
          'ALERT_REPORTS': True,
          'DASHBOARD_RBAC': True
      }
      ```
   
   ### Checklist
   
   Make sure to follow these steps before submitting your issue - thank you!
   
   - [x] I have checked the superset logs for python stacktraces and included it here as text if there are any.
   - [ ] I have reproduced the issue with at least the latest released version of superset. **No - can't upgrade without working OIDC integration -> possible fire up flask-oidc**
   - [x] I have checked the issue tracker for the same issue and I haven't found one similar. **Nothing helped me**
   
   
   Thanks for any help


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
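
The two log lines in the report correspond to two steps of a custom `oauth_user_info`: reading the userinfo response, and returning a dict that actually carries `username` or `email`. The following is an added example, not code from the issue or from Superset; `read_userinfo`, `map_keycloak_claims`, `FakeResponse` and the sample claims are constructed for illustration, the claim names are the standard OIDC ones, and the `email_verified` check is an optional hardening assumption.

```python
import json


def read_userinfo(resp):
    """Return the userinfo claims as a dict from either response style."""
    # Authlib-backed clients return a requests-style response with .json();
    # the older Flask-OAuthlib client exposed the parsed body as .data.
    if callable(getattr(resp, "json", None)):
        claims = resp.json()
    elif hasattr(resp, "data"):
        claims = resp.data
    else:
        raise TypeError(f"unsupported userinfo response: {type(resp).__name__}")
    if not isinstance(claims, dict):
        raise ValueError("userinfo body is not a JSON object")
    return claims


def map_keycloak_claims(claims, require_verified_email=True):
    """Map standard OIDC claims to the keys oauth_user_info() returns."""
    username = claims.get("preferred_username") or claims.get("sub")
    email = claims.get("email")
    if not username or not email:
        # Fail loudly instead of returning {} and hitting the
        # "does not have username or email" log line later.
        raise ValueError(f"missing claims, got keys: {sorted(claims)}")
    if require_verified_email and claims.get("email_verified") is not True:
        raise ValueError("email claim is not marked verified by the IdP")
    return {
        "username": username,
        "email": email,
        "first_name": claims.get("given_name", ""),
        "last_name": claims.get("family_name", ""),
        "id": claims.get("sub", username),
    }


class FakeResponse:
    """Constructed stand-in for a requests-style response (sample data)."""
    def __init__(self, body):
        self._body = body

    def json(self):
        return json.loads(self._body)


SAMPLE = FakeResponse(json.dumps({
    "sub": "3f1c-constructed", "preferred_username": "jdoe",
    "email": "jdoe@example.org", "email_verified": True,
    "given_name": "Jane", "family_name": "Doe"}))
```

Inside the override this would be called as `map_keycloak_claims(read_userinfo(self.appbuilder.sm.oauth_remotes[provider].get('userinfo')))`. The override only takes effect if `CUSTOM_SECURITY_MANAGER` in `superset_config.py` points at the subclass.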
