alisharifi2000 opened a new issue, #32287:
URL: https://github.com/apache/superset/issues/32287
### Bug description
**Integrating Keycloak with Superset (v4.1.1) - Issue with OAuth Login**
Hi everyone,
I'm trying to integrate Superset 4.1.1 with Keycloak 26.1.1, both running in
Docker.
superset -> localhost:8088
keycloak -> localhost:8080
I've configured Superset with the following security manager in
**superset_config.py**
```
import logging

from superset.security import SupersetSecurityManager
from flask_appbuilder.security.manager import AUTH_OAUTH

log = logging.getLogger(__name__)

# keycloak_address, keycloak_realm and client_secret are not defined in the
# posted snippet; they must be set before this point.


class KeycloakSecurity(SupersetSecurityManager):
    """
    Custom Security Manager for handling Keycloak authentication.
    """

    def __init__(self, appbuilder):
        super().__init__(appbuilder)
        app = self.appbuilder.get_app
        app.config.setdefault("AUTH_ROLES_MAPPING", {})
        app.config.setdefault("AUTH_TYPE", AUTH_OAUTH)

    def oauth_user_info(self, provider, resp=None):
        if provider == "keycloak":
            # Debug output includes the raw token response and the ID token.
            log.debug("Keycloak response received: %s", resp)
            log.debug("ID Token: %s", resp.get("id_token"))
            # Server-side request to the userinfo endpoint.
            me = self.appbuilder.sm.oauth_remotes[provider].get(
                f'http://{keycloak_address}/auth/realms/{keycloak_realm}/protocol/openid-connect/userinfo'
            )
            me.raise_for_status()
            data = me.json()
            log.debug("User info from Keycloak: %s", data)
            return {
                "name": data["name"],
                "email": data["email"],
                "first_name": data["given_name"],
                "last_name": data["family_name"],
                "id": data["preferred_username"],
                "username": data["preferred_username"],
            }


CUSTOM_SECURITY_MANAGER = KeycloakSecurity
AUTH_USER_REGISTRATION = True  # Allow user self-registration
AUTH_USER_REGISTRATION_ROLE = "Public"
AUTH_TYPE = AUTH_OAUTH
OAUTH_PROVIDERS = [
    {
        "name": "keycloak",
        "icon": "fa-key",
        "token_key": "access_token",
        "remote_app": {
            "client_id": "superset",
            "client_secret": client_secret,
            "client_kwargs": {"scope": "openid email"},
            "api_base_url": f"https://{keycloak_address}/realms/{keycloak_realm}/protocol/openid-connect",
            "authorize_url": f"https://{keycloak_address}/realms/{keycloak_realm}/protocol/openid-connect/auth",
            "access_token_url": f"https://{keycloak_address}/realms/{keycloak_realm}/protocol/openid-connect/token",
            "jwks_uri": f"https://{keycloak_address}/realms/{keycloak_realm}/protocol/openid-connect/certs",
            "request_token_url": None,
            "access_token_method": "POST",
        },
    }
]
```
Steps Taken:
1. Created a realm (superset) and client (superset) in Keycloak.
2. Created a user (test) with password (test) in Keycloak.
3. In Superset, clicked "Login with Keycloak" → redirected to Keycloak.
4. Entered username (test) and password (test) → redirected back to the
Superset login page instead of being logged in, with the error **The request to sign
in was denied.**
Issue:
Checking the Superset logs, I found this error:
```
ERROR: flask_appbuilder.security.views: Error authorizing OAuth access
token:
HTTPConnectionPool(host='localhost', port=8080): Max retries exceeded with
URL: /realms/superset/protocol/openid-connect/token
```
### Screenshots/recordings
Keycloak configuration for my client, which is named superset

superset login page after redirect from keycloak

error in docker logs

### Superset version
4.1.1
### Python version
3.10
### Node version
18 or greater
### Browser
Firefox
### Additional context
_No response_
### Checklist
- [x] I have searched Superset docs and Slack and didn't find a solution to
my problem.
- [ ] I have searched the GitHub issue tracker and didn't find a similar bug
report.
- [ ] I have checked Superset's logs for errors and if I found a relevant
Python stacktrace, I included it here as text in the "additional context"
section.
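
The log line in the report shows the server-side token request going to `localhost:8080`. As an added example (not part of the original report, and not Superset or Flask-AppBuilder code), the check below flags three inconsistencies visible in the posted configuration: loopback hosts on endpoints the server calls itself, mixed http/https, and a mixed path prefix before `/realms/`. `lint_provider`, the sample values and the assumption that Superset runs in its own container are assumptions of this example.

```python
from urllib.parse import urlsplit

# Endpoints the Superset server calls itself; the browser only visits authorize_url.
BACKCHANNEL_KEYS = ("api_base_url", "access_token_url", "jwks_uri")
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def lint_provider(provider, extra_urls=()):
    """Return sorted findings for one OAUTH_PROVIDERS entry (hypothetical helper).
    extra_urls: URLs hard-coded elsewhere, such as a userinfo URL inside
    oauth_user_info, which the server also requests directly.
    """
    urls = {k: v for k, v in provider["remote_app"].items()
            if isinstance(v, str) and v.startswith(("http://", "https://"))}
    urls.update({f"extra[{i}]": u for i, u in enumerate(extra_urls)})
    findings, schemes, prefixes = [], set(), set()
    for key, url in urls.items():
        parts = urlsplit(url)
        schemes.add(parts.scheme)
        if "/realms/" in parts.path:
            # Text before "/realms/": "" or a legacy prefix such as "/auth".
            prefixes.add(parts.path.partition("/realms/")[0])
        loopback = parts.hostname in LOOPBACK_HOSTS
        # Assumption: Superset runs in its own container, so loopback is Superset.
        if loopback and (key in BACKCHANNEL_KEYS or key.startswith("extra[")):
            findings.append(f"{key}: loopback host is the container itself")
        if parts.scheme == "http" and not loopback:
            findings.append(f"{key}: plain http sends OAuth traffic in cleartext")
    if len(schemes) > 1:
        findings.append("mixed http/https across endpoints")
    if len(prefixes) > 1:
        findings.append("mixed path prefix before /realms/")
    return sorted(findings)


# Constructed sample: host, port and realm taken from the log line in the report.
ADDR, REALM = "localhost:8080", "superset"
BASE = f"https://{ADDR}/realms/{REALM}/protocol/openid-connect"
SAMPLE = {"name": "keycloak", "remote_app": {
    "api_base_url": BASE,
    "authorize_url": f"{BASE}/auth",
    "access_token_url": f"{BASE}/token",
    "jwks_uri": f"{BASE}/certs",
}}
SAMPLE_USERINFO = f"http://{ADDR}/auth/realms/{REALM}/protocol/openid-connect/userinfo"

if __name__ == "__main__":
    for finding in lint_provider(SAMPLE, [SAMPLE_USERINFO]):
        print(finding)
```

`authorize_url` is deliberately exempt from the loopback check because only the browser follows it; the other endpoints must resolve from inside the Superset container.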