GitHub user aditya269 added a comment to the discussion: ### Bug: SSO Logout Not Working with Keycloak + Iframe Embedded Superset

**Fix**: Keycloak Logout Session Handling in Superset

**Problem**
In a setup where Superset is integrated with a main application using Keycloak 
SSO, logging out from the main app does not automatically log the user out of 
Superset.

This results in:
- Users still being logged into Superset even after they log out of the main application.
- Security inconsistencies, especially when switching accounts or using shared devices.

**Solution**
We implemented token introspection on every Superset request to detect when the 
user has logged out from the main application (i.e., their token is no longer 
active).

If the access token is missing or inactive (as reported by Keycloak's 
/token/introspect), Superset will:
- Clear the session
- Log out the user
- Redirect them to the login screen

**Technical Implementation**
**These changes should be added to your superset_config.py file.**
1. Added a method to check token status using Keycloak's introspection endpoint:
```python
def is_token_active(self, token: str) -> bool:
    # Calls /protocol/openid-connect/token/introspect
    ...
```

2. Hooked a global before_request handler into the Flask app:
```python
from flask import Flask, current_app, redirect, session
from flask_login import current_user, logout_user


def check_keycloak_token_validity():
    # Runs before every request; only authenticated sessions are checked
    if current_user.is_authenticated:
        token = session.get("access_token")
        security_manager = current_app.appbuilder.sm
        if not token or not security_manager.is_token_active(token):
            logout_user()
            session.clear()
            return redirect("/login")


def FLASK_APP_MUTATOR(app: Flask) -> None:
    # Superset calls FLASK_APP_MUTATOR with the Flask app; register the hook here
    app.before_request_funcs.setdefault(None, []).append(
        check_keycloak_token_validity
    )
```

**Result**
Whenever the user logs out of the main app and their Keycloak token becomes invalid:
- Superset detects this via backend introspection
- Superset performs a full logout automatically
- No stale sessions remain in Superset

This keeps Superset and the main app secure and synchronized under a unified SSO session.



GitHub link: 
https://github.com/apache/superset/discussions/33685#discussioncomment-13906516
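A self-contained version of the introspection check that the comment above only sketches, as an added example that is not part of the original post or of Superset's own code. It assumes Keycloak's standard introspection path (`/realms/<realm>/protocol/openid-connect/token/introspect`; Keycloak versions before 17 put `/auth` in front of it), a confidential client authenticating with HTTP Basic, and hypothetical values for the host (`sso.example.com`), realm, client id and secret. The `fake_keycloak` function is a constructed stand-in for the endpoint so the block runs offline. The point it adds to the comment is the failure handling: anything other than a 200 response whose JSON body carries `"active": true` (network error, timeout, 5xx, malformed body, rejected client credentials) is treated as inactive, so an unreachable Keycloak ends the session rather than silently keeping it alive.

```python
"""Token introspection (RFC 7662) against Keycloak, failing closed.

Added example, not Superset's or the commenter's code. The host, realm
and client credentials used below are hypothetical.
"""
from __future__ import annotations

import base64
import http.client
import json
from typing import Callable, Mapping, Optional, Tuple
from urllib import error, parse, request

# The HTTP call the introspector makes: (url, form data, headers) -> (status, body).
# Injected so the check can be exercised offline against a fake endpoint.
Poster = Callable[[str, Mapping[str, str], Mapping[str, str]], Tuple[int, bytes]]


def urllib_post(url: str, data: Mapping[str, str], headers: Mapping[str, str],
                timeout: float = 3.0) -> Tuple[int, bytes]:
    """Default poster: stdlib HTTP POST with a short timeout."""
    req = request.Request(url, data=parse.urlencode(data).encode(),
                          headers=dict(headers), method="POST")
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except error.HTTPError as exc:  # non-2xx responses still carry a body
        return exc.code, exc.read()


def basic_auth(client_id: str, client_secret: str) -> str:
    """HTTP Basic credential for the confidential client (RFC 7662 section 2.1)."""
    return base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


class KeycloakIntrospector:
    def __init__(self, base_url: str, realm: str, client_id: str,
                 client_secret: str, post: Poster = urllib_post) -> None:
        # Keycloak >= 17 serves realms at /realms/<realm>; older versions under /auth/realms
        self.url = (f"{base_url.rstrip('/')}/realms/{realm}"
                    "/protocol/openid-connect/token/introspect")
        self._headers = {
            "Authorization": "Basic " + basic_auth(client_id, client_secret),
            "Accept": "application/json",
        }
        self._post = post

    def is_token_active(self, token: Optional[str]) -> bool:
        """True only for a 200 response whose JSON body says active == true."""
        if not token:
            return False
        form = {"token": token, "token_type_hint": "access_token"}
        try:
            status, body = self._post(self.url, form, self._headers)
        except (OSError, http.client.HTTPException):
            return False  # Keycloak unreachable or timed out: fail closed
        if status != 200:
            return False  # 401 invalid_client, 5xx, etc.
        try:
            payload = json.loads(body)
        except ValueError:
            return False  # not JSON (e.g. a proxy maintenance page)
        return isinstance(payload, dict) and payload.get("active") is True


def fake_keycloak(active_tokens, client_id: str, client_secret: str) -> Poster:
    """Constructed stand-in for the introspection endpoint (offline demo only)."""
    expected = "Basic " + basic_auth(client_id, client_secret)

    def post(url, data, headers):
        if headers.get("Authorization") != expected:
            return 401, b'{"error":"invalid_client"}'
        if data.get("token") in active_tokens:
            return 200, json.dumps({"active": True, "username": "alice"}).encode()
        return 200, b'{"active":false}'  # revoked or expired tokens look like this

    return post


def demo_results() -> dict:
    """Run the check against the fake endpoint and a few failure modes."""
    base, realm = "https://sso.example.com", "superset"  # hypothetical
    post = fake_keycloak({"tok-live"}, "superset", "s3cr3t")
    kc = KeycloakIntrospector(base, realm, "superset", "s3cr3t", post=post)
    bad_client = KeycloakIntrospector(base, realm, "superset", "wrong", post=post)

    def down(url, data, headers):
        raise OSError("connection refused")

    def garbage(url, data, headers):
        return 200, b"<html>maintenance</html>"

    return {
        "live": kc.is_token_active("tok-live"),
        "revoked": kc.is_token_active("tok-old"),
        "missing": kc.is_token_active(None),
        "bad_client": bad_client.is_token_active("tok-live"),
        "keycloak_down": KeycloakIntrospector(base, realm, "superset", "s3cr3t",
                                              post=down).is_token_active("tok-live"),
        "garbage_body": KeycloakIntrospector(base, realm, "superset", "s3cr3t",
                                             post=garbage).is_token_active("tok-live"),
    }


if __name__ == "__main__":
    for name, active in demo_results().items():
        print(f"{name:14s} active={active}")
```

In a real deployment this class would back the `is_token_active` method on a `CUSTOM_SECURITY_MANAGER` subclass, with `post` left at its default so the request goes to Keycloak. Because the before_request hook in the comment introspects on every request, including static assets and API polling, a short per-token cache (a few seconds, keyed on the token) keeps the load on Keycloak bounded without materially delaying logout propagation.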

----
This is an automatically sent email for notifications@superset.apache.org.
To unsubscribe, please send an email to: 
notifications-unsubscr...@superset.apache.org


For additional commands, e-mail: notifications-h...@superset.apache.org
