Nandhan007 opened a new issue, #30920:
URL: https://github.com/apache/superset/issues/30920

   ### Bug description
   
   Hi,
   I am facing an issue embedding a Superset dashboard in a React application with a different approach.
   
   When embedding an Apache Superset dashboard into a React application with 
Keycloak as the IAM tool for authentication and authorization, I encountered 
issues with obtaining a response from the Superset API for guest access, which 
is intended to allow dashboard access for users with specific roles and 
permissions.
    
   In this setup, after retrieving an access token from Keycloak to request 
guest access for the dashboard, the API responds with the error "**the 
specified alg value is not allowed**" with status code 422 (unprocessed entity). 
Interestingly, when I log in to Superset locally, the guest token is initially 
granted, but after a short period, the same error reoccurs, and Superset 
automatically logs out without any further interaction. This issue seems 
specific to the single sign-on (SSO) process.
   
   
   I have checked the logs for both the Superset application and Keycloak. 
The screenshots are attached below.
    1) `"GET /api/v1/me/ HTTP/1.1" 401` (unauthorised) - This is exactly what happens 
in Superset when I log in through React to embed the dashboard: afterwards the Superset page 
redirects to the login page without any interaction. In parallel, the React application 
gets the guest token response and embeds the dashboard successfully, but on 
refreshing, this error happens again.
   
   
   
   
   
   
   ### Screenshots/recordings
   
   
   ![Screenshot 2024-11-14 154604](https://github.com/user-attachments/assets/a3b11cf1-64c2-4553-bbcc-715b1832013f)
   
   
![guest_Token_issue](https://github.com/user-attachments/assets/c8cdf458-3193-4181-8373-f284b1fe8c79)
   
![Superset_config_guest_access](https://github.com/user-attachments/assets/921cd727-3a6f-4ff7-832a-da4ec9ada94e)
   
   
   ### Superset version
   
   master / latest-dev
   
   ### Python version
   
   3.11
   
   ### Node version
   
   18 or greater
   
   ### Browser
   
   Chrome
   
   ### Additional context
   
   My Approach:
   
   1) Access token from Keycloak
   2) CSRF token from the Superset API response
   3) Guest token from the Superset API response
   
   For the above approach, the first two steps succeed, but when requesting the 
guest token from Superset with the necessary parameters, such as the access token 
obtained from Keycloak and the CSRF token, the error is raised.
   
   JWT Algorithms:
   1) Keycloak - RS256
   2) Superset - HS256
   
   Even when I set the same algorithm for both Superset and Keycloak, Superset 
raises two issues:
   1) Invalid JSON web key
   2) Signature not verified - This happens when I set HS256 as common for 
both, because Keycloak's signature verification algorithm will be RS256
   
   Can anyone help me solve this issue? 
   
   ### Checklist
   
   - [X] I have searched Superset docs and Slack and didn't find a solution to 
my problem.
   - [X] I have searched the GitHub issue tracker and didn't find a similar bug 
report.
   - [X] I have checked Superset's logs for errors and if I found a relevant 
Python stacktrace, I included it here as text in the "additional context" 
section.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
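
The two failure modes named in the report (an RS256-labelled token presented to a verifier configured for HS256, and an HS256 token signed with a different key) shown with a minimal standard-library verifier. This is an added example, not code from the issue or from Superset; the keys, claims, helper names and the dummy RS256 signature are constructed, and the error strings are chosen to mirror the report.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hs256(key: bytes):
    """Return a signing function for HMAC-SHA256 with the given key."""
    return lambda msg: hmac.new(key, msg, hashlib.sha256).digest()

def make_token(header: dict, claims: dict, sign) -> str:
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    return signing_input + "." + b64url(sign(signing_input.encode()))

def verify_hs256(token: str, key: bytes, allowed=("HS256",)) -> dict:
    """Verifier pinned to an algorithm allow-list (hypothetical helper)."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # The header's alg is checked before any signature work is done.
    if header.get("alg") not in allowed:
        raise ValueError("the specified alg value is not allowed")
    expected = hs256(key)(f"{head_b64}.{body_b64}".encode())
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(body_b64))

def outcome(token: str, key: bytes) -> str:
    try:
        return "accepted: " + verify_hs256(token, key)["sub"]
    except ValueError as exc:
        return str(exc)

SERVICE_KEY = b"constructed-service-secret"   # constructed sample key
CLAIMS = {"sub": "alice"}                      # constructed sample claims
# Constructed stand-in for an identity-provider token: RS256 header, dummy signature.
idp_token = make_token({"alg": "RS256", "typ": "JWT"}, CLAIMS, lambda m: b"\x00" * 256)
# Token issued by the service itself with its own HS256 secret.
own_token = make_token({"alg": "HS256", "typ": "JWT"}, CLAIMS, hs256(SERVICE_KEY))
# HS256 token signed by some other party's secret.
foreign_token = make_token({"alg": "HS256", "typ": "JWT"}, CLAIMS, hs256(b"constructed-other-secret"))

if __name__ == "__main__":
    for name, tok in [("idp", idp_token), ("own", own_token), ("foreign", foreign_token)]:
        print(f"{name:8s} -> {outcome(tok, SERVICE_KEY)}")
```

A token from an RS256 issuer can only be validated by a verifier that allow-lists RS256 and holds that issuer's public key; relabelling either side as HS256 leaves the key material mismatched.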

