GitHub user dosubot[bot] added a comment to the discussion: HOW TO INTEGRATE 
ZITADEL WITH SUPERSET for OAUTH

To integrate Zitadel with Superset for OAuth login, you need to configure 
everything directly in `superset_config.py` (Superset 5.x and above no longer 
support loading OIDC settings from a JSON file) 
[reference](https://github.com/apache/superset/discussions/34336).

**Step-by-step setup:**

1. **Create a Zitadel app** in the Zitadel console with type "Web" and 
authentication method "Code". Note the client ID and secret. Set the redirect 
URI to `https://<your-superset-domain>/oauth-authorized/zitadel` 
[reference](https://github.com/apache/superset/discussions/27898).

2. **Install Authlib** in your Superset environment if it’s not already present.

3. **Add this to your `superset_config.py`:**
   ```python
   from flask_appbuilder.security.manager import AUTH_OAUTH
   from custom_sso_security_manager import CustomSsoSecurityManager

   AUTH_TYPE = AUTH_OAUTH
   OAUTH_PROVIDERS = [
       {
           "name": "zitadel",
           "token_key": "access_token",
           "icon": "fa-key",
           "remote_app": {
               "client_id": "<your-zitadel-client-id>",
               "client_secret": "<your-zitadel-client-secret>",
               "client_kwargs": {
                   "scope": "openid profile email",
               },
               "api_base_url": "https://<your-zitadel-domain>",
               "server_metadata_url": "https://<your-zitadel-domain>/.well-known/openid-configuration",
           },
       }
   ]
   CUSTOM_SECURITY_MANAGER = CustomSsoSecurityManager
   AUTH_USER_REGISTRATION = True
   AUTH_USER_REGISTRATION_ROLE = "Public"
   ```

4. **Create `custom_sso_security_manager.py`** in the same directory as your 
config:
   ```python
   import logging
   from superset.security import SupersetSecurityManager

   class CustomSsoSecurityManager(SupersetSecurityManager):
       def oauth_user_info(self, provider, response=None):
           logging.debug("Oauth2 provider: {0}.".format(provider))
           if provider == 'zitadel':
               me = self.appbuilder.sm.oauth_remotes[provider].get('oidc/v1/userinfo').json()
               logging.debug("user_data: {0}".format(me))
               return {
                   'name': me.get('name'),
                   'email': me.get('email'),
                   'id': me.get('preferred_username'),
                   'username': me.get('preferred_username'),
                   'first_name': me.get('given_name'),
                   'last_name': me.get('family_name'),
               }
   ```
   This maps Zitadel user info to Superset user fields 
[reference](https://github.com/apache/superset/discussions/27898).

**Troubleshooting tips:**
- Make sure your redirect URI matches what you set in Zitadel.
- If you upgraded from Superset 4.x, migrate all OIDC config from JSON files 
into Python variables in `superset_config.py` 
[reference](https://github.com/apache/superset/discussions/34336).
- If the login page doesn’t show, check for frontend asset issues or 
misconfigured reverse proxy/static asset paths 
[reference](https://github.com/apache/superset/issues/34333).

For more details, see the [Superset OAuth config 
docs](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/docs/docs/configuration/configuring-superset.mdx)
 and Zitadel’s [OIDC integration 
guide](https://zitadel.com/docs/guides/integrate/login/oidc).


GitHub link: 
https://github.com/apache/superset/discussions/34652#discussioncomment-14080654
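
A pre-flight check for the `OAUTH_PROVIDERS` entry and redirect URI described in the comment above, as an added example that is not part of the original comment or of Superset. The function names, the `example.test` hosts and the credential strings are assumptions constructed for illustration; the redirect URI is compared as an exact string.

```python
from urllib.parse import urlparse

def expected_redirect_uri(superset_base_url, provider_name):
    """Callback path from the setup steps: /oauth-authorized/<provider name>."""
    return f"{superset_base_url.rstrip('/')}/oauth-authorized/{provider_name}"

def check_provider(provider, superset_base_url, registered_redirect_uris):
    """Return a list of problems found in one OAUTH_PROVIDERS entry."""
    problems = []
    remote = provider.get("remote_app", {})
    redirect = expected_redirect_uri(superset_base_url, provider.get("name", ""))
    if redirect not in registered_redirect_uris:
        problems.append(f"redirect URI not registered at the IdP: {redirect}")
    urls = {"redirect URI": redirect}
    for key in ("client_id", "client_secret", "api_base_url", "server_metadata_url"):
        value = remote.get(key, "")
        if not value:
            problems.append(f"{key} is missing")
        elif "<" in value or ">" in value:
            problems.append(f"{key} still contains a template placeholder")
        elif key.endswith("_url"):
            urls[key] = value
    for label, url in urls.items():
        if urlparse(url).scheme != "https":
            problems.append(f"{label} is not https")
    base = urlparse(remote.get("api_base_url", ""))
    meta = urlparse(remote.get("server_metadata_url", ""))
    if base.netloc != meta.netloc:
        problems.append("server_metadata_url host differs from api_base_url host")
    if "openid" not in remote.get("client_kwargs", {}).get("scope", "").split():
        problems.append("scope does not include 'openid'")
    return problems

# Constructed sample values, not real credentials or hosts.
SUPERSET_URL = "https://superset.example.test"
REGISTERED = ["https://superset.example.test/oauth-authorized/zitadel"]
GOOD = {"name": "zitadel", "remote_app": {
    "client_id": "constructed-client-id", "client_secret": "constructed-secret",
    "client_kwargs": {"scope": "openid profile email"},
    "api_base_url": "https://idp.example.test",
    "server_metadata_url": "https://idp.example.test/.well-known/openid-configuration"}}
# Same entry with four mistakes: provider name case, placeholder, http, scope.
BAD = {"name": "Zitadel", "remote_app": {**GOOD["remote_app"],
    "client_id": "<your-zitadel-client-id>",
    "client_kwargs": {"scope": "profile email"},
    "server_metadata_url": "http://idp.example.test/.well-known/openid-configuration"}}

if __name__ == "__main__":
    for entry in (GOOD, BAD):
        print(entry["name"], check_provider(entry, SUPERSET_URL, REGISTERED))
```
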
