GitHub user dosubot[bot] added a comment to the discussion: Title: OAuth/OIDC Access Token (RS256) Rejected by /api/v1/security/csrf_token/ with "The specified alg value is not allowed"
The root cause is that Superset's API authentication for endpoints like `/api/v1/security/csrf_token/` only accepts HS256-signed JWTs for Bearer tokens, and this is hardcoded in the validation logic. This is separate from the OIDC/OAuth UI login flow, which does support RS256. Configuration flags such as `JWT_ALGORITHMS`, `JWT_DECODE_ALGORITHMS`, or `GUEST_TOKEN_JWT_ALGORITHM` in `superset_config.py` do not affect this API JWT validation; only HS256 is allowed, and this cannot be changed via config. Accepting RS256-signed JWTs for API Bearer authentication would require code changes or a custom security manager implementation. This separation is why RS256 tokens work for UI login but are rejected by the API with "The specified alg value is not allowed" [source](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/security/manager.py).

GitHub link: https://github.com/apache/superset/discussions/35281#discussioncomment-14506817

This is an automatically sent email for notifications@superset.apache.org. To unsubscribe, please send an email to: notifications-unsubscr...@superset.apache.org
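Added illustration, not Superset's code and not part of the bot's reply: a stdlib-only Python sketch of a pinned-algorithm JWT gate of the kind the comment describes (the same shape as PyJWT's `algorithms=` check, whose error text "The specified alg value is not allowed" is what the API returns). It shows that an RS256 header is refused before any signature is examined, and that merely widening the allowed list is not enough without a verifier wired up for that algorithm. The secret and both tokens are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json


class InvalidAlgorithmError(Exception):
    """Raised when the token header's alg is outside the allowed list."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_hs256(payload: dict, secret: str) -> str:
    """Build a compact JWT signed with HMAC-SHA256, the only alg this gate verifies."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def decode(token: str, secret: str, algorithms=("HS256",)) -> dict:
    """Pinned-algorithm verification: reject a disallowed alg by header alone,
    then verify the HMAC. RS256 verification is deliberately not implemented."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    if alg not in algorithms:
        raise InvalidAlgorithmError("The specified alg value is not allowed")
    if alg != "HS256":
        raise ValueError(f"no verifier wired for {alg}")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("Signature verification failed")
    return json.loads(_b64url_decode(payload_b64))


def classify(token: str, secret: str, algorithms=("HS256",)) -> str:
    """Return 'accepted' or the rejection reason, as the gate would report it."""
    try:
        decode(token, secret, algorithms)
        return "accepted"
    except (InvalidAlgorithmError, ValueError) as exc:
        return str(exc)


# Constructed demo values (no real Superset secret or IdP token).
SECRET = "constructed-demo-secret"
HS256_TOKEN = encode_hs256({"sub": "admin"}, SECRET)
# An RS256 header with a placeholder signature stands in for an IdP-issued token.
RS256_TOKEN = ".".join([_b64url(b'{"alg":"RS256","typ":"JWT"}'), _b64url(b'{"sub":"admin"}'), _b64url(b"placeholder")])
```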