GitHub user dosubot[bot] added a comment to the discussion: How to authenticate with Superset with service account
Superset doesn't natively support authenticating API requests with external OIDC/JWT tokens like those from Zitadel. To enable this, you'll need to implement a custom SecurityManager and possibly middleware. Here's a high-level outline of what you need to do:

1. **Create a custom SecurityManager** that extracts and validates the Bearer token from the Authorization header, verifies it using Zitadel's public keys, and maps it to a Superset user. You can do this by subclassing `SupersetSecurityManager` and overriding methods like `request_loader` or `is_user_authenticated`. See [this discussion for a similar approach](https://github.com/apache/superset/discussions/33131).

   Example (simplified for illustration):

   ```python
   # custom_security_manager.py
   import jwt  # PyJWT; python-jose also works for JWT validation
   from superset.security import SupersetSecurityManager

   # Placeholders: Zitadel's RS256 public key in PEM form and the audience
   # (client id) your tokens are issued for; load these from configuration
   # rather than hard-coding them
   zitadel_public_key = "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----"
   zitadel_audience = "your-audience"


   class CustomSecurityManager(SupersetSecurityManager):
       def request_loader(self, request):
           auth_header = request.headers.get("Authorization", "")
           if not auth_header.startswith("Bearer "):
               return None
           token = auth_header.split(" ", 1)[1]
           # Validate signature, algorithm and audience using Zitadel's public key
           try:
               payload = jwt.decode(
                   token,
                   zitadel_public_key,
                   algorithms=["RS256"],
                   audience=zitadel_audience,
               )
           except jwt.PyJWTError:
               return None
           # Map the token to an existing Superset user; None means "not authenticated"
           username = payload.get("preferred_username")
           return self.find_user(username=username) if username else None
   ```

2. **Configure Superset to use your custom SecurityManager** by setting `CUSTOM_SECURITY_MANAGER = CustomSecurityManager` in your `superset_config.py` file. If you need to preprocess headers or environment variables, you can also add custom middleware via the `ADDITIONAL_MIDDLEWARE` config option. See [middleware example](https://github.com/apache/superset/discussions/33131).

3. **Apply your changes**: Place your custom SecurityManager code in a Python file accessible to Superset (e.g., in your project directory), and update `superset_config.py` to import and use it.
There are no official plugins for Zitadel or generic OIDC/JWT API authentication in Superset, so this custom approach is required. For more details and community examples, see [this discussion](https://github.com/apache/superset/discussions/32038) and the [SupersetSecurityManager code](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/security/manager.py).

GitHub link: https://github.com/apache/superset/discussions/34278#discussioncomment-13863861
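The bearer-token validation and user-mapping step that the `request_loader` sketch in the comment above hands to `jwt.decode`, written out as a self-contained added example (not code from the discussion, from the bot, or from Superset). To run without PyJWT it uses HS256 with a shared secret from the standard library; the checks it performs (pinned algorithm, signature, `exp`, `iss`, `aud`, lookup of `preferred_username` against known users) are the same ones an RS256 Zitadel deployment needs, with the HMAC step replaced by a public-key signature check. The secret, issuer, audience, `mint_token` helper and `KNOWN_USERS` directory are constructed placeholders standing in for the identity provider and for `self.find_user(...)`.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders: in a deployment the key, issuer and audience come from
# superset_config.py and the user lookup is SupersetSecurityManager.find_user(...)
SECRET = b"constructed-test-secret"
EXPECTED_ISS = "https://issuer.example"
EXPECTED_AUD = "superset-api"
KNOWN_USERS = {"svc-reporting": {"username": "svc-reporting", "roles": ["Gamma"]}}


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(claims, secret=SECRET, alg="HS256"):
    """Test helper standing in for the identity provider: builds a signed token."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{body}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_token(token, now=None):
    """Return the claims if the token is valid, else None. Never trusts the header's alg."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm: "none" and anything not configured is rejected outright
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    # Claim checks: expiry, issuer, audience (aud may be a string or a list)
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    if claims.get("iss") != EXPECTED_ISS:
        return None
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUD not in aud:
        return None
    return claims


def load_user_from_request(headers, now=None):
    """Mirror of request_loader: parse Authorization, verify, map to a known user."""
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    claims = verify_token(token, now=now)
    if claims is None:
        return None
    # Unknown subjects get None rather than an auto-provisioned account
    return KNOWN_USERS.get(claims.get("preferred_username"))
```

In the real security manager the signature and claim checks are PyJWT's `jwt.decode(token, key, algorithms=["RS256"], audience=...)` against Zitadel's public key; the example hand-rolls HMAC only so it runs with no dependencies, and the point it adds is the set of rejection paths (no header, wrong scheme, `alg: none`, wrong key, expired, wrong audience, unknown user) that the loader must return `None` for.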
