GitHub user dosubot[bot] added a comment to the discussion: Superset 6: Bypass Login page of superset No Longer Working (Worked in v5)

SSO in Superset 6 lets users authenticate with an external OAuth provider (like 
Okta, Azure AD, Keycloak, etc.) and access Superset without creating a separate 
password. If the user already has a session with the OAuth provider, Superset 
will not prompt for credentials again—when they click the "Sign in with 
{provider}" button, they're logged in automatically. However, Superset 6 always 
shows the login page with the OAuth button; it does not natively auto-redirect 
to the provider or fully hide the login UI with configuration alone. This is 
due to architectural changes: the login UI is now a React frontend, and the 
backend authentication flow is decoupled from Flask-AppBuilder's view 
registration, so you can't override this with just superset_config.py settings 
or a custom security manager—backend code changes are required for full bypass 
behavior[^1][^2][^3].

You can configure SSO (and partial SLO) in superset_config.py like this:

```python
from flask_appbuilder.security.manager import AUTH_OAUTH

AUTH_TYPE = AUTH_OAUTH
OAUTH_PROVIDERS = [
    {
        'name': 'myoauth',
        'token_key': 'access_token',
        'icon': 'fa-address-card',
        'remote_app': {
            'client_id': 'your-client-id',
            # Keep the secret out of the repo (env var or secret store).
            'client_secret': 'your-client-secret',
            'client_kwargs': {'scope': 'openid email profile'},
            'api_base_url': 'https://your-oauth-server/',
            'access_token_url': 'https://your-oauth-server/token',
            'authorize_url': 'https://your-oauth-server/authorize',
            'jwks_uri': 'https://your-oauth-server/.well-known/jwks.json',
            # For OIDC, discovery can replace the explicit URLs above:
            # 'server_metadata_url': 'https://your-oauth-server/.well-known/openid-configuration',
        }
    }
]
AUTH_USER_REGISTRATION = True           # auto-create users on first login
AUTH_USER_REGISTRATION_ROLE = "Public"  # role granted to newly registered users
ENABLE_PROXY_FIX = True  # If behind a proxy/load balancer
```

For advanced SSO (custom user info, group mapping, etc.), create a custom 
security manager:

```python
from superset.security import SupersetSecurityManager


class CustomSsoSecurityManager(SupersetSecurityManager):
    def oauth_user_info(self, provider, response=None):
        if provider == 'myoauth':
            # Call the provider's userinfo endpoint (relative to api_base_url)
            # using the access token obtained in the OAuth callback.
            me = self.appbuilder.sm.oauth_remotes[provider].get('userinfo').json()
            return {
                'name': me['name'],
                'email': me['email'],
                'username': me['preferred_username'],
                'first_name': me.get('given_name', ''),
                'last_name': me.get('family_name', ''),
            }
        return super().oauth_user_info(provider, response)


CUSTOM_SECURITY_MANAGER = CustomSsoSecurityManager
```

For SLO (Single Logout), you need to implement a custom logout handler in a 
custom security manager or authentication view, which is not possible with 
configuration alone. You'd typically redirect to your IdP's logout endpoint and 
clear the session—see [this example for 
Keycloak](https://github.com/apache/superset/discussions/36203#discussioncomment-15024802).

Bottom line: seamless SSO (no login screen at all) and robust SLO require 
backend code changes, not just superset_config.py. With only configuration, 
users will see the Superset login page with a single OAuth button, and if 
already authenticated with your provider, clicking it will log them in without 
a password prompt[^1][^2][^3][^4].

[^1]: https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/docs/docs/configuration/configuring-superset.mdx#L257-L531
[^2]: https://github.com/apache/superset/discussions/32424#discussioncomment-12349960
[^3]: https://github.com/apache/superset/discussions/34532
[^4]: https://github.com/apache/superset/discussions/36203#discussioncomment-15024802


GitHub link: 
https://github.com/apache/superset/discussions/37057#discussioncomment-15516594
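The two pieces the comment above says need code rather than configuration (group-to-role mapping in the custom security manager, and a logout that actually ends the IdP session) can be kept as plain functions that a `SupersetSecurityManager` subclass calls. The block below is an added example; it is not code from the post, from the Superset project or from Flask-AppBuilder. It deliberately does not import Superset so it runs stand-alone: the `GROUP_TO_ROLE` table, the `groups` claim name, the sample userinfo payload and the IdP end-session URL are all assumptions for the illustration. The shape of the returned dict (`username`, `email`, `first_name`, `last_name`, `role_keys`) follows what Flask-AppBuilder's `oauth_user_info()` is expected to return, with `role_keys` consumed through `AUTH_ROLES_MAPPING`.

```python
"""Added example (not Superset/FAB code): helpers behind a custom
SupersetSecurityManager for OIDC logins. Assumptions: the IdP sends a
`groups` claim, role names match Superset's built-in roles, and the IdP
supports OpenID Connect RP-Initiated Logout (end_session_endpoint)."""
from __future__ import annotations

from urllib.parse import urlencode

# Assumed IdP group -> Superset role table. Unknown groups are ignored and an
# empty result falls back to FALLBACK_ROLE, so an unexpected group value can
# never grant elevated access (deny by default).
GROUP_TO_ROLE: dict[str, str] = {
    "superset-admins": "Admin",
    "bi-analysts": "Alpha",
    "bi-viewers": "Gamma",
}
FALLBACK_ROLE = "Public"

# FAB-compatible form of the same table: role_keys -> list of role names.
AUTH_ROLES_MAPPING = {group: [role] for group, role in GROUP_TO_ROLE.items()}

REQUIRED_CLAIMS = ("sub", "email", "preferred_username")

# Constructed sample userinfo payload, as an OIDC provider might return it.
SAMPLE_USERINFO = {
    "sub": "2f9b7c1e",
    "email": "jdoe@example.com",
    "email_verified": True,
    "preferred_username": "jdoe",
    "given_name": "Jane",
    "family_name": "Doe",
    "groups": ["bi-analysts", "some-unrelated-group"],
}


def map_groups_to_roles(groups) -> list[str]:
    """Resolve IdP groups to Superset role names, falling back to FALLBACK_ROLE."""
    roles = sorted({GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE})
    return roles or [FALLBACK_ROLE]


def userinfo_to_superset(me: dict) -> dict:
    """Shape an OIDC userinfo payload into the dict oauth_user_info() returns.

    Missing required claims or an unverified e-mail raise instead of silently
    creating a half-identified user (AUTH_USER_REGISTRATION would otherwise
    create an account from whatever the provider sent).
    """
    missing = [c for c in REQUIRED_CLAIMS if not me.get(c)]
    if missing:
        raise ValueError(f"userinfo missing required claims: {missing}")
    if not me.get("email_verified", False):
        raise ValueError("refusing login: e-mail address not verified by the IdP")
    return {
        "username": me["preferred_username"],
        "email": me["email"],
        "first_name": me.get("given_name", ""),
        "last_name": me.get("family_name", ""),
        # Only groups we know about are passed on; AUTH_ROLES_MAPPING turns
        # them into roles, and map_groups_to_roles() shows the resolved result.
        "role_keys": sorted(g for g in me.get("groups", []) if g in GROUP_TO_ROLE),
    }


def login_allowed(me: dict) -> bool:
    """True if userinfo_to_superset() accepts the payload, False otherwise."""
    try:
        userinfo_to_superset(me)
        return True
    except ValueError:
        return False


def build_end_session_url(end_session_endpoint: str, id_token: str,
                          post_logout_redirect_uri: str,
                          client_id: str | None = None) -> str:
    """Build the RP-initiated logout URL the browser must be sent to after
    Superset clears its own session. Without this hop the IdP session survives
    and the next click on the OAuth button logs the user straight back in."""
    if not post_logout_redirect_uri.startswith("https://"):
        raise ValueError("post_logout_redirect_uri must be an absolute https URL")
    params = {
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
    }
    if client_id:
        params["client_id"] = client_id
    return f"{end_session_endpoint}?{urlencode(params)}"


if __name__ == "__main__":
    info = userinfo_to_superset(SAMPLE_USERINFO)
    print(info, map_groups_to_roles(SAMPLE_USERINFO["groups"]))
    print(build_end_session_url(
        "https://idp.example/realms/demo/protocol/openid-connect/logout",
        "id.token.value", "https://superset.example/login/", "superset"))
```

In a real deployment `userinfo_to_superset()` would be called from `oauth_user_info()` with the JSON returned by the provider, and `build_end_session_url()` from the custom logout handler the comment refers to, with the `id_token` kept in the Superset session at login time so it is available for the `id_token_hint`.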
