rusackas commented on code in PR #38092:
URL: https://github.com/apache/superset/pull/38092#discussion_r2879858718
##########
docs/admin_docs/installation/kubernetes.mdx:
##########
@@ -308,6 +308,161 @@ configOverrides:
AUTH_USER_REGISTRATION_ROLE = "Admin"
```
+:::note
+
+Here another example with groups mapping, logout from Keycloak and PKCE flow.
+
+You need to create a Secret that contains CLIENT_ID, CLIENT_SECRET and
OIDC_ISSUER.
+
+Your oauth provider must be configured to support PKCE flow.
+
+For keycloak for example, you need to set 'Proof Key for Code Exchange Code
Challenge Method' to value S256 under:
+`Clients -> your-client-id -> Advanced -> Advanced settings`
+
+This code correctly handles the case where a user successfully authenticates
with Keycloak but does not belong to any of the mapped groups.
+
+In that situation, the user is simply redirected back to the login page.
+
+:::
+
+```yaml
+extraSecretEnv:
+ CLIENT_ID: my_superset_clientid
+ CLIENT_SECRET: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+ OIDC_ISSUER: https://myoauthprovider.youpi.fr/auth/realms/MYREALM
+
+configOverrides:
+ enable_oauth: |
+ from flask import redirect, request, session
+ from flask_appbuilder import expose
+ from flask_appbuilder.security.manager import AUTH_OAUTH
+ from flask_appbuilder.security.views import AuthOAuthView
+ from flask_login import login_user
+ from superset.security import SupersetSecurityManager
+ import logging
+ import os
+
+ log = logging.getLogger(__name__)
+
+ AUTH_TYPE = AUTH_OAUTH
+ AUTH_USER_REGISTRATION = True
+ AUTH_ROLES_SYNC_AT_LOGIN = True
+ AUTH_USER_REGISTRATION_ROLE = None
+
+ PROVIDER_NAME = 'keycloak'
+ CLIENT_ID = os.getenv('CLIENT_ID')
+ CLIENT_SECRET = os.getenv('CLIENT_SECRET')
+ OIDC_ISSUER = os.getenv('OIDC_ISSUER')
+ OIDC_BASE_URL = f'{OIDC_ISSUER}/protocol/openid-connect'
+ OIDC_AUTH_URL = f'{OIDC_BASE_URL}/auth'
+ OIDC_METADATA_URL = f'{OIDC_ISSUER}/.well-known/openid-configuration'
+ OIDC_TOKEN_URL = f'{OIDC_BASE_URL}/token'
+ OIDC_USERINFO_URL = f'{OIDC_BASE_URL}/userinfo'
+ OAUTH_PROVIDERS = [
+ {
+ 'name': PROVIDER_NAME,
+ 'token_key': 'access_token',
+ 'icon': 'fa-circle-o',
+ 'remote_app': {
+ 'api_base_url': OIDC_BASE_URL,
+ 'access_token_url': OIDC_TOKEN_URL,
+ 'authorize_url': OIDC_AUTH_URL,
+ 'request_token_url': None,
+ 'server_metadata_url': OIDC_METADATA_URL,
+ 'client_id': CLIENT_ID,
+ 'client_secret': CLIENT_SECRET,
+ 'client_kwargs': {
+ 'scope': 'openid email profile',
+ 'code_challenge_method': 'S256',
+ 'response_type': 'code',
+ },
+ },
+ }
+ ]
+
+ # Make sure you create these groups on Keycloak
+ AUTH_ROLES_MAPPING = {
+ f'{CLIENT_ID}_admin': ['Admin'],
+ f'{CLIENT_ID}_alpha': ['Alpha'],
+ f'{CLIENT_ID}_gamma': ['Gamma'],
+ f'{CLIENT_ID}_public': ['Public'],
+ }
+
+
+ class CustomOAuthView(AuthOAuthView):
+ # Override the logout method to also log out from the OIDC provider
+ @expose('/logout/', methods=['GET', 'POST'])
+ def logout(self):
+ session.clear()
+ return redirect(
+
f'{OIDC_ISSUER}/protocol/openid-connect/logout?post_logout_redirect_uri={request.url_root.strip("/")}&client_id={CLIENT_ID}'
+ )
+
Review Comment:
Curious what you think of this feedback.
I'm also not sure about a more meta-question here: how deep we want to get
into code examples in the docs? It's walking a fine line between something that
should be documented here in the docs and something that could be contributed
as an actual code file / implementation example, if I'm understanding
correctly.
But then... if we have multiple implementation examples in the code, I'm not
sure what can be abstracted away as configuration vs logic... I wouldn't want
to maintain "dead code" for the sake of one possible example.
Maybe @villebro or @michael-s-molina have some ideas here... maybe I'm
overthinking all this and should just stamp it, especially if it closes two
issues :D My concern is only to find the way forward with the least maintenance
overhead.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
