iali9906 commented on issue #24713: URL: https://github.com/apache/superset/issues/24713#issuecomment-2250209202
> To fully invalidate sessions on logout use this: https://superset.apache.org/docs/security/#switching-to-server-side-sessions

Hi @dpgaspar, I set the configuration as follows, but nothing changes:

```python
import os
import redis
from flask_appbuilder.security.manager import AUTH_OID
# custom security manager defined in the keycloack_security_manager.py file mentioned below
from keycloack_security_manager import OIDCSecurityManager

AUTH_TYPE = AUTH_OID
curr = os.path.abspath(os.getcwd())
OIDC_CLIENT_SECRETS = curr + '/docker/pythonpath_dev/client_secret.json'
OIDC_ID_TOKEN_COOKIE_SECURE = True
OIDC_OPENID_REALM = 'stest'
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = 'Public'
OIDC_INTROSPECTION_AUTH_METHOD = 'client_secret_post'
CUSTOM_SECURITY_MANAGER = OIDCSecurityManager
OIDC_TOKEN_TYPE_HINT = 'access_token'
OIDC_SCOPES = ["openid", "userinfo"]

# Server-side sessions stored in Redis (per the linked Superset docs)
SESSION_SERVER_SIDE = True
SESSION_TYPE = 'redis'
SESSION_REDIS = redis.from_url('redis://superset-redis-prod-01:6379')
SESSION_USE_SIGNER = True
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
SESSION_COOKIE_SAMESITE = "Lax"
SECRET_KEY = os.getenv('SUPERSET_SECRET_KEY', 'Tv********************************************************Rr')


def encode_data(data):
    return data.encode('utf-8') if isinstance(data, str) else data


def decode_data(data):
    return data.decode('utf-8') if isinstance(data, bytes) else data
```

and in my keycloack_security_manager.py file I modified the logout section like this:

from:

```python
from urllib.parse import quote
from flask import redirect, request
from flask_appbuilder import expose
from flask_appbuilder.security.views import AuthOIDView


class AuthOIDCView(AuthOIDView):  # the view class this logout() method belongs to
    @expose('/logout/', methods=['GET', 'POST'])
    def logout(self):
        oidc = self.appbuilder.sm.oid
        oidc.logout()
        super(AuthOIDCView, self).logout()
        redirect_url = request.url_root.strip('/') + self.appbuilder.get_url_for_login
        return redirect(
            oidc.client_secrets.get('issuer') + '/protocol/openid-connect/logout?redirect_uri=' + quote(redirect_url))
```

to:

```python
from urllib.parse import quote
from flask import make_response, redirect
from flask_appbuilder import expose
from flask_appbuilder.security.views import AuthOIDView


class AuthOIDCView(AuthOIDView):  # the view class this logout() method belongs to
    @expose('/logout/')
    def logout(self):
        oidc = self.appbuilder.sm.oid
        # Invalidate the Superset session
        oidc.logout()
        # Invalidate the session in the current application
        super(AuthOIDCView, self).logout()
        # Create a response object
        redirect_url = 'https://bi.company.it/login'
        full_redirect_url = (oidc.client_secrets.get('issuer')
                             + '/protocol/openid-connect/logout?redirect_uri=' + quote(redirect_url))
        resp = make_response(redirect(full_redirect_url))
        resp.set_cookie('session', '', expires=0, secure=True, httponly=True, samesite='Lax')
        return resp
```

But nothing has changed. By leaving the original logout function, I was being redirected back to the initial dashboard. Putting it like this instead, I get redirected to Keycloak, which does the logout and shows me the screen to log in again, but if in the address bar I remove `bi.company.co.uk/login` and put `bi.company.co.uk` I still get redirected to the dashboard without login. So it logs out the session on Keycloak but not on Superset.
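An added example, not code from the issue or from Superset, showing the distinction behind the server-side sessions doc linked above: with a signed-cookie session, a logout can only tell the browser to drop the cookie (`expires=0`), so any saved copy of it still verifies, whereas with a server-side store the logout deletes the record and the same cookie no longer resolves to a user. The signing scheme and the dict store are simplified stand-ins (assumptions), not Flask's or flask-session's real implementation.

```python
import hashlib, hmac, json, secrets

SECRET_KEY = b"constructed-demo-key"  # placeholder, not a real key

def sign(payload):
    # hex(body).hex(HMAC): a simplified stand-in for a signed session cookie
    body = json.dumps(payload, sort_keys=True).encode()
    return body.hex() + "." + hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest()

def verify(cookie):
    # return the payload if the signature checks out, else None
    try:
        body_hex, mac = cookie.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest()
    return json.loads(body) if hmac.compare_digest(mac, expected) else None

def client_side_logout_replay():
    # signed-cookie session: all state is in the cookie, so logout can only ask
    # the browser to drop it (expires=0); a copy kept elsewhere still verifies
    cookie = sign({"user_id": 7})
    saved_copy = cookie  # nothing server-side exists to delete on logout
    return verify(saved_copy) is not None  # True: still a valid session

class ServerSideSessions:
    # server-side session: the cookie carries only an id, the data lives in the store
    def __init__(self):
        self.store = {}  # stand-in for the Redis store configured in SESSION_REDIS

    def login(self, user_id):
        sid = secrets.token_urlsafe(16)
        self.store[sid] = {"user_id": user_id}
        return sign({"sid": sid})

    def current_user(self, cookie):
        data = verify(cookie)
        return self.store.get(data["sid"]) if data and "sid" in data else None

    def logout(self, cookie):
        data = verify(cookie)
        if data and "sid" in data:
            self.store.pop(data["sid"], None)  # record gone for every copy of the cookie

def server_side_logout_replay():
    sessions = ServerSideSessions()
    cookie = sessions.login(7)
    sessions.logout(cookie)
    return sessions.current_user(cookie) is not None  # False: the id no longer resolves
```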
