GitHub user dosubot[bot] added a comment to the discussion: Superset 6: Bypass 
Login page of superset No Longer Working (Worked in v5)

This change is due to breaking changes in Superset 6 and the Flask-AppBuilder 
5.0.0 upgrade, which altered how authentication views are registered and 
handled. Superset 6 now uses its own `SupersetAuthView` for login, and custom 
OAuth bypass logic must be integrated differently than in v5. There’s no 
config-only way to restore the old behavior—you need backend code 
changes[^1][^2].

The recommended approach is to create a custom authentication view (subclassing 
`AuthOAuthView` or `SupersetAuthView`) that checks if the user is already 
authenticated with your OAuth provider and, if so, logs them in and redirects 
to the index page. If not, it should proceed with the standard OAuth flow. You 
then register this view via a custom security manager using the 
`CUSTOM_SECURITY_MANAGER` config in `superset_config.py`[^3][^4].

Here’s a simplified example pattern:

```python
from flask_appbuilder.security.views import AuthOAuthView, expose
from flask_login import login_user
from flask import redirect, request, g
from superset.security import SupersetSecurityManager

class CustomSsoAuthOAuthView(AuthOAuthView):
    @expose("/login/")
    @expose("/login/<provider>")
    def login(self, provider: str = None):
        if g.user is not None and g.user.is_authenticated:
            return redirect(self.appbuilder.get_url_for_index)
        # Insert your logic here to check for OAuth session/cookie/token
        # If already authenticated with OAuth provider, log in and redirect
        # Otherwise, proceed with normal OAuth login
        return super().login(provider)

class CustomSecurityManager(SupersetSecurityManager):
    authoauthview = CustomSsoAuthOAuthView

# In superset_config.py
CUSTOM_SECURITY_MANAGER = CustomSecurityManager
```

You can adapt the logic inside `login()` to check for your specific OAuth 
session or token and perform the login programmatically. This lets you bypass 
the Superset login page for already-authenticated users, while still showing 
the OAuth login button for others[^4][^5].

Be sure to validate any tokens/headers you use for bypass and ensure robust 
session management for security[^4].

References and more patterns:
- [Superset v6 custom login/redirect logic](https://github.com/apache/superset/discussions/34532)
- [Custom OAuth view and security manager example](https://github.com/apache/superset/discussions/36203)
- [Superset 6 authentication view code](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/views/auth.py)

[^1]: https://github.com/apache/superset/discussions/36925
[^2]: https://github.com/apache/superset/issues/36549
[^3]: https://github.com/apache/superset/discussions/32424
[^4]: https://github.com/apache/superset/discussions/34532
[^5]: https://github.com/apache/superset/discussions/36203



GitHub link: 
https://github.com/apache/superset/discussions/37057#discussioncomment-15474121
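
The comment's closing advice, to validate any token used for the bypass, is sketched below as an added example; it is not code from the comment or from Superset. It assumes an HS256 token signed with a shared secret as a stand-in for whatever your OAuth provider issues, and `validate_bypass_token`, `make_token`, the issuer, the audience and the secret are all hypothetical names and constructed values.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed values for this example; not from Superset or any real provider.
SECRET = b"example-shared-secret"
ISSUER = "https://idp.example.test"
AUDIENCE = "superset"

def _b64d(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(head: str, body: str, key: bytes) -> bytes:
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def make_token(claims: dict, alg: str = "HS256", key: bytes = SECRET) -> str:
    """Build a sample token (stands in for the identity provider)."""
    head = _b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64e(_sign(head, body, key))}"

def validate_bypass_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the token may skip the login page, else None."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header = json.loads(_b64d(head))
        # Pin the algorithm; never let the token header choose it.
        if header.get("alg") != "HS256":
            return None
        if not hmac.compare_digest(_sign(head, body, SECRET), _b64d(sig)):
            return None
        claims = json.loads(_b64d(body))
    except (ValueError, TypeError, AttributeError):
        return None  # malformed input fails closed
    if not isinstance(claims, dict) or claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    sub = claims.get("sub")
    return sub if isinstance(sub, str) and sub else None
```

In the custom `login()` above, only a non-`None` result would lead to `login_user(...)`; every other case falls through to `super().login(provider)`.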
