dosubot[bot] commented on issue #32023: URL: https://github.com/apache/superset/issues/32023#issuecomment-2621162131
To ensure that the correct Keycloak user roles are assigned in Superset after integrating Single Sign-On with Keycloak, you need to map the roles from Keycloak to Superset roles using the `AUTH_ROLES_MAPPING` configuration. It seems like you have already set up the `AUTH_ROLES_MAPPING` in your `superset_config.py`, but the issue might be with how the roles are being extracted and used.

Here are a few things to check and adjust:

1. **Role Extraction**: In your `CustomSsoSecurityManager`, ensure that the roles are being correctly extracted from the Keycloak response. The `oauth_user_info` method should extract the roles from the correct field in the Keycloak response. It seems like you are using `role_keys`, but you should verify that this is the correct field in the Keycloak response.

2. **Role Mapping**: Make sure that the roles you are mapping in `AUTH_ROLES_MAPPING` match exactly with the roles being sent by Keycloak. Any mismatch in role names will result in the default role being assigned.

3. **Debugging**: Add logging to verify what roles are being received from Keycloak and how they are being processed. This can help identify if the roles are being correctly extracted and mapped.

4. **Sync at Login**: Since you have `AUTH_ROLES_SYNC_AT_LOGIN` set to `True`, roles should be synced at every login. Ensure that this setting is being respected by checking the logs for any errors during the login process.

If these steps do not resolve the issue, you might want to review similar discussions for additional insights. For instance, there is an open discussion on [Assigning Superset roles to Keycloak authenticated users using the AUTH_ROLES_MAPPING](https://github.com/apache/superset/discussions/27902) that might provide more context or solutions <sup>[[1]](https://github.com/apache/superset/discussions/27902)</sup>.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
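The role extraction, exact-match mapping and logging checks from the comment above can be exercised offline with a small script. This is an added example, not part of the original comment or of Superset's code; the claim layout (`realm_access.roles`, `resource_access.<client>.roles`), the client id `superset`, the sample claims and the mapping are assumptions to adapt to your realm.

```python
import logging

log = logging.getLogger("sso_role_check")

# Constructed sample, in the shape AUTH_ROLES_MAPPING takes in superset_config.py
AUTH_ROLES_MAPPING = {
    "superset_admin": ["Admin"],
    "superset_analyst": ["Alpha"],
}


def extract_role_keys(claims, client_id):
    """Collect realm-level and client-level roles from decoded token claims."""
    realm = claims.get("realm_access", {}).get("roles", [])
    client = claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    # Preserve order, drop duplicates and anything that is not a string
    return list(dict.fromkeys(r for r in [*realm, *client] if isinstance(r, str)))


def resolve_roles(role_keys, mapping=AUTH_ROLES_MAPPING):
    """Return (mapped_superset_roles, unmatched_keys); matching is exact and case-sensitive."""
    matched, unmatched = [], []
    for key in role_keys:
        if key in mapping:
            matched.extend(r for r in mapping[key] if r not in matched)
        else:
            unmatched.append(key)
    if unmatched:
        log.warning("role keys with no AUTH_ROLES_MAPPING entry: %s", unmatched)
    if not matched:
        log.warning("no key matched; only the default role would apply")
    return matched, unmatched


# Constructed claims: note "Superset_Admin" differs in case from the mapping key
SAMPLE_CLAIMS = {
    "preferred_username": "jdoe",
    "realm_access": {"roles": ["offline_access", "Superset_Admin"]},
    "resource_access": {"superset": {"roles": ["superset_analyst"]}},
}

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    keys = extract_role_keys(SAMPLE_CLAIMS, "superset")
    print(keys, resolve_roles(keys))
```

The list returned by `extract_role_keys` is what a custom `oauth_user_info` would place under `role_keys`; the unmatched list shows which Keycloak role names need a mapping entry or a spelling fix.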
