aurokk opened a new pull request, #31993: URL: https://github.com/apache/superset/pull/31993
fix(trino): compare only error code for oauth2 auth ### SUMMARY I guess this message is specific for google oauth2 server, there is a ([link](https://www.cubebackup.com/docs/faq/invalid-credential-error/#:~:text=This%20error%20usually%20happens%20when,Domain%20and%20Domain%20administrator%20correctly.)) I found that makes me think so. With the change applied it started to work good with [identity server 4](https://identityserver4.readthedocs.io/), and I guess this problem makes it impossible to use oauth2 right now, for example [here](https://github.com/apache/superset/issues/20300#issuecomment-2239175914). ### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF This is how it looks with the change applied. <img width="1505" alt="Screenshot 2025-01-27 at 05 43 52" src="https://github.com/user-attachments/assets/613fbcad-9ed6-440e-971c-7b076e10ecfe"; /> ### TESTING INSTRUCTIONS There is an example of how I configured oauth2 for trino. P.S.: I didn't copy other configuration except for the part need to make oauth work. ``` configOverrides: enable_oauth: | DATABASE_OAUTH2_REDIRECT_URI = "https://{hostname}/api/v1/database/oauth2/"; DATABASE_OAUTH2_CLIENTS = { "Trino": { "id": "trino", "secret": os.getenv("SUPERSET_OAUTH_CLIENT_SECRET"), "scope": "openid email profile offline_access trino", "redirect_uri": "https://{hostname}/api/v1/database/oauth2/";, "authorization_request_uri": "https://{hostname}/connect/authorize";, "token_request_uri": "https://{hostname}/connect/token"; } } extraSecrets: custom_sso_security_manager.py: | import jwt import logging from superset.security import SupersetSecurityManager class CustomSsoSecurityManager(SupersetSecurityManager): def oauth_user_info(self, provider, response=None): logging.debug("Oauth2 provider: {0}.".format(provider)) if provider == 'data-mesh-auth-server': # As example, this line request a GET to base_url + '/' + userDetails with Bearer Authentication, # and expects that authorization server checks the token, and response with user details # user_info = self.appbuilder.sm.oauth_remotes[provider].get('userinfo') # me = user_info.json() id_token = response.get('id_token') decoded_token = jwt.decode(id_token, options={"verify_signature": False}) user_email = decoded_token.get('email') user_id = decoded_token.get('sub') # 'sub' is commonly used for user ID in JWTs username = decoded_token.get('email').split("@")[0] return { "id": user_id, "username": username, "email": user_email, "first_name": "FIRST", "last_name": "LAST" } ``` ### ADDITIONAL INFORMATION <!--- Check any relevant boxes with "x" --> <!--- HINT: Include "Fixes #nnn" if you are fixing an existing issue --> - [x] Has associated issue: - [ ] Required feature flags: - [ ] Changes UI - [ ] Includes DB Migration (follow approval process in https://github.com/apache/superset/issues/13351) - [ ] Migration is atomic, supports rollback & is backwards-compatible - [ ] Confirm DB migration upgrade and downgrade tested - [ ] Runtime estimates and downtime expectations provided - [ ] Introduces new feature or API - [ ] Removes existing feature or API - [x] Fixes #30081 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
