GitHub user iilrgmv created a discussion: OAuth (Keycloak) – No supported way to skip Superset login page and auto-redirect to IdP in 6.0.0
### Description

When using Superset 6.0.0 with OAuth authentication (Keycloak), there does not seem to be a supported or documented way to skip the default Superset login page (/login/) and redirect users directly to the external IdP login page (/login/keycloak).

This results in an extra, unnecessary intermediate page where the user must click a button to continue to Keycloak, even when:

- AUTH_TYPE = AUTH_OAUTH
- Only one OAuth provider is configured
- Superset is used in a corporate SSO context

In previous versions and in other frameworks, it is common to support an “auto-login” or “auto-redirect” behavior when a single OAuth provider is configured.

### Environment

- Superset version: 6.0.0
- Authentication: AUTH_OAUTH
- OAuth provider: Keycloak (OIDC)
- Deployment: Kubernetes (Helm chart)
- Reverse proxy / ingress: Yes (HTTPS)

### Current behavior

1. User accesses https://<superset-host>/
2. Superset redirects to /login/
3. Superset displays a login page with a button (e.g. “Login with Keycloak”)
4. User must manually click the button
5. Only then is the user redirected to Keycloak

### Expected behavior

When:

- AUTH_TYPE = AUTH_OAUTH
- Only one OAuth provider is configured

Superset should provide a built-in and supported way to:

- Automatically redirect users from /login/ to /login/<provider>
- Or allow configuration to skip the intermediate login page entirely

This is especially important for:

- Enterprise SSO setups
- Better UX (no unnecessary clicks)
- Consistency with other OAuth-enabled platforms

**What we tried**

- Looked for a configuration option such as AUTH_OAUTH_AUTO_LOGIN or similar (not found / not documented)
- Checked Superset and Flask-AppBuilder documentation
- Reviewed existing issues and discussions
- Implemented a custom AuthOAuthView override to force the redirect (works, but is a workaround and not officially supported)

**Why this matters**

- The current behavior adds friction to SSO flows
- Forces users to see an internal Superset login page even when local login is not used
- Requires custom code overrides for a very common OAuth use case

**Proposed solution (open to discussion)**

One of the following:

- Add a documented configuration flag to auto-redirect to the sole OAuth provider
- Provide an official hook or setting to override /login/ behavior
- Document the recommended pattern if overriding the login view is the intended approach

**Additional context**

This is not a security issue, but a UX and configurability limitation that affects enterprise OAuth deployments.

GitHub link: https://github.com/apache/superset/discussions/37394
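One way to write the AuthOAuthView override the post mentions, as an added example that is not part of the original discussion and not Superset's own code. The names `sole_provider_redirect`, `AutoRedirectOAuthView` and `CustomSecurityManager` are hypothetical; the sketch assumes Flask-AppBuilder's `AuthOAuthView.login(provider)` routes and Superset's `CUSTOM_SECURITY_MANAGER` setting, and its behaviour on 6.0.0 is an assumption.

```python
# superset_config.py fragment (added example, not Superset project code).
from typing import Iterable, Optional


def sole_provider_redirect(providers: Iterable[str],
                           requested: Optional[str],
                           authenticated: bool) -> Optional[str]:
    """Return the path to redirect to, or None to keep the stock behaviour."""
    names = list(providers)  # a dict of OAuth remotes yields its provider names
    if authenticated:
        return None          # already signed in: let the parent view send the user home
    if requested is not None:
        return None          # /login/<provider> was hit: must not redirect again (loop)
    if len(names) != 1:
        return None          # zero or several providers: keep the chooser page
    return f"/login/{names[0]}"


# Imports are guarded only so the decision function above can be exercised
# on a machine without Superset installed; in a real deployment they succeed.
try:
    from flask import g, redirect
    from flask_appbuilder import expose
    from flask_appbuilder.security.views import AuthOAuthView
    from superset.security import SupersetSecurityManager
except ImportError:
    AuthOAuthView = None

if AuthOAuthView is not None:

    class AutoRedirectOAuthView(AuthOAuthView):
        @expose("/login/")
        @expose("/login/<provider>")
        def login(self, provider=None):
            signed_in = g.user is not None and g.user.is_authenticated
            target = sole_provider_redirect(
                self.appbuilder.sm.oauth_remotes, provider, signed_in)
            if target:
                return redirect(target)
            # Provider callback handling and state checks stay in the parent view.
            return super().login(provider=provider)

    class CustomSecurityManager(SupersetSecurityManager):
        authoauthview = AutoRedirectOAuthView

    CUSTOM_SECURITY_MANAGER = CustomSecurityManager
```

With this in place a Superset logout lands back on /login/ and is redirected to the IdP again, so a user whose Keycloak session is still valid is signed straight back in unless logout also ends the IdP session.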
