Piyush-Fury opened a new issue, #31435:
URL: https://github.com/apache/superset/issues/31435

   ### Bug description
   
   Hello everyone, we are trying to add OAuth login using the Authentik identity server. We have set up the configuration as per the documentation. You can find the OAuth configuration below.
   
   postgresql:
     postgresqlPassword: superset
   
   configOverrides:
     secret: |
       import os
       SECRET_KEY = '<>'
   
     enable_oauth: |
       # Enable proxy fix for correct redirect_uri computation
       ENABLE_PROXY_FIX = True
       FEATURE_FLAGS = {"DYNAMIC_PLUGINS": True}
   
       # Install required dependencies
       import os
       os.system('pip install packaging==21.3 psycopg2-binary grpcio authlib pillow')
   
       from flask_appbuilder.security.manager import AUTH_OAUTH
       AUTH_TYPE = AUTH_OAUTH
       OAUTH_PROVIDERS = [
           {
               "name": "authentik",
               "icon": "fa-lock",
               "token_key": "access_token",
               "remote_app": {
                   "client_id": '0lFhO8Z72zThVO2byPClFaNp0vBz0dVV5cKJ7cw9',
                   "client_secret": '<>',
                   "api_base_url": "http://authentik.piyush.today/application/o/",
                   "client_kwargs": {"scope": "openid email profile"},
                   "request_token_url": None,
                   "access_token_url": "<>",
                   "authorize_url": "<>",
                   "jwks_uri": "<>",
                   "redirect_uri": "<>",
                   "server_metadata_url": "<>",
                   "issuer": "<>"
               },
           }
       ]
   
       # Map Authlib roles to Superset roles
       AUTH_ROLE_ADMIN = 'Admin'
       AUTH_ROLE_PUBLIC = 'Public'
   
       # Allow user self-registration
       AUTH_USER_REGISTRATION = True
       AUTH_USER_REGISTRATION_ROLE = "Admin"
       
       # Configure SESSION_PROTECTION
       SESSION_PROTECTION = "basic"
   
       ###########################
       SQLALCHEMY_DATABASE_URI = f"postgresql+psycopg2://{os.getenv('POSTGRES_USER')}:{os.getenv('POSTGRES_PASSWORD')}@{os.getenv('POSTGRES_HOST')}:{os.getenv('POSTGRES_PORT')}/{os.getenv('POSTGRES_DB')}"
   
       ###########################
       WTF_CSRF_ENABLED = True
       WTF_CSRF_TIME_LIMIT = 60 * 60 * 24 * 365
   
       try:
           import psycopg2
       except ModuleNotFoundError:
           os.system('pip install psycopg2-binary')
   
       # Flask Session Configuration (Highlighted New Additions)
       SESSION_COOKIE_HTTPONLY = True
       SESSION_COOKIE_SECURE = False  # Since you are on HTTP, not HTTPS
       SESSION_COOKIE_SAMESITE = "Lax"  # Good default for basic protection
       PERMANENT_SESSION_LIFETIME = 3600  # Session expiry time in seconds
   
   bootstrapScript: |
     #!/bin/bash
     pip install psycopg2==2.9.6 \
       sqlalchemy-bigquery==1.6.1 \
       elasticsearch-dbapi==0.2.5 &&\
     pip install --no-cache-dir packaging==21.0 && \
     if [ ! -f ~/bootstrap ]; then echo "Running Superset with uid {{ .Values.runAsUser }}" > ~/bootstrap; fi
   
   extraEnv:
     AUTH_DOMAIN: authentik.piyush.today
     SESSION_COOKIE_SECURE: "True"
     SESSION_COOKIE_HTTPONLY: "True"
     SESSION_TIMEOUT: "3600"
     SECRET_KEY: "<>"
     AUTHENTIK_OAUTH_REDIRECT_URI: "http://superset.piyush.today/oauth-authorized/authentik"
   
     # Highlighted New Configuration
     SESSION_COOKIE_DOMAIN: "superset.piyush.today"  # Added domain to cookies
     POSTGRES_USER: "superset"
     POSTGRES_PASSWORD: "superset"
     POSTGRES_DB: "superset"
     POSTGRES_HOST: "superset-postgresql"
     POSTGRES_PORT: "5432"
   
   extraSecretEnv:
     - name: SECRET_KEY
       secretName: superset-secret
       key: SECRET_KEY
     - name: AUTHENTIK_CLIENT_ID
       secretName: authentik-client-id-secret
       key: AUTHENTIK_CLIENT_ID
     - name: AUTHENTIK_CLIENT_SECRET
       secretName: authentik-client-secret-secret
       key: AUTHENTIK_CLIENT_SECRET
   
   ingress:
     enabled: true
     annotations:
       alb.ingress.kubernetes.io/scheme: "internet-facing"
       alb.ingress.kubernetes.io/target-type: "ip"
       alb.ingress.kubernetes.io/load-balancer-name: "aws-alb-superset"
       alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}]'
       alb.ingress.kubernetes.io/healthcheck-path: /health
       alb.ingress.kubernetes.io/success-codes: "200"
       alb.ingress.kubernetes.io/manage-backend-security-group-rules: "true"
       alb.ingress.kubernetes.io/security-groups: "sg-0e7244a820c5e03ce"
       alb.ingress.kubernetes.io/subnets: "subnet-0e93acffe7efb7530,subnet-064a10482338a08a4,subnet-010368913ca69b726"
     path: /
     pathType: Prefix
     hosts:
       - superset.piyush.today
     ingressClassName: alb
     
   After a successful login, the user is redirected to the login page again. I checked the container logs, and we are getting the following error:
   
   ERROR:flask_appbuilder.security.views:Error authorizing OAuth access token: mismatching_state: CSRF Warning! State not equal in request and response
   
   I am searching for solutions; most of the GitHub issues from other projects didn't seem to help. Any help would be much appreciated. Thank you.
   
   Helm chart: 0.10.9
   Superset Version: 3.0.0
   
   ### Screenshots/recordings
   
   _No response_
   
   ### Superset version
   
   master / latest-dev
   
   ### Python version
   
   I don't know
   
   ### Node version
   
   I don't know
   
   ### Browser
   
   Chrome
   
   ### Additional context
   
   _No response_
   
   ### Checklist
   
   - [ ] I have searched Superset docs and Slack and didn't find a solution to 
my problem.
   - [ ] I have searched the GitHub issue tracker and didn't find a similar bug 
report.
   - [ ] I have checked Superset's logs for errors and if I found a relevant 
Python stacktrace, I included it here as text in the "additional context" 
section.
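The `mismatching_state` error above is the OAuth 2.0 `state` check failing: the login handler stores a random `state` in the Flask session before redirecting to the IdP, and the callback compares the `state` the IdP returns with the one the session holds. If the session cookie does not survive the round trip, the callback sees an empty session and raises exactly this error. The following is an added, simplified model of that check (not Authlib's or Superset's own code; `build_authorize_redirect`, `handle_callback`, `simulate_login` and the `*.example` URLs are constructed for illustration); it shows the passing case and the case where the cookie is dropped between the two legs. Note that the posted values set `SESSION_COOKIE_SECURE` both ways (`False` in `configOverrides`, `"True"` in `extraEnv`) while the ingress listens only on HTTP port 80, which is one configuration in which a browser will not send the session cookie back.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Simplified model of the OAuth "state" round trip (hypothetical; not Authlib code).
# A plain dict stands in for the Flask session that lives in the session cookie.


class MismatchingStateError(Exception):
    """Raised when the callback's state is not the one this session issued."""


def build_authorize_redirect(session: dict, authorize_url: str, redirect_uri: str) -> str:
    """Leg 1: mint a random state, remember it in the session, redirect to the IdP."""
    state = secrets.token_urlsafe(16)
    session["oauth_state"] = state
    return authorize_url + "?" + urlencode({"redirect_uri": redirect_uri, "state": state})


def handle_callback(session: dict, callback_url: str) -> str:
    """Leg 2: the IdP redirected back; the returned state must match the stored one."""
    qs = parse_qs(urlparse(callback_url).query)
    returned = qs.get("state", [None])[0]
    expected = session.pop("oauth_state", None)  # one-time use
    if expected is None or not secrets.compare_digest(str(expected), str(returned)):
        raise MismatchingStateError("CSRF Warning! State not equal in request and response")
    return qs["code"][0]


def simulate_login(cookie_persists: bool) -> tuple:
    """Run both legs. cookie_persists=False models the browser not sending the
    session cookie on the callback (e.g. a Secure-flagged cookie over plain HTTP,
    or a cookie domain that does not match the callback host)."""
    session = {}
    url = build_authorize_redirect(
        session, "https://idp.example/authorize",
        "http://app.example/oauth-authorized/authentik",  # constructed redirect URI
    )
    state = parse_qs(urlparse(url).query)["state"][0]
    # If the cookie was dropped, the callback request arrives with a fresh, empty session.
    callback_session = session if cookie_persists else {}
    callback = ("http://app.example/oauth-authorized/authentik?"
                + urlencode({"code": "authcode-123", "state": state}))
    try:
        return ("ok", handle_callback(callback_session, callback))
    except MismatchingStateError as exc:
        return ("error", str(exc))
```

The same failure also appears when the `state` itself differs, for example when the callback is a replayed or cross-site request, which is the CSRF case the check exists for.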


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.